Analysis Overview
SHA256
5b240a73720678e7114918f138070381845429af3c96f94b43f0475bb4d803bd
Threat Level: Known bad
The file NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe was found to be: Known bad.
Malicious Activity Summary
Tinba / TinyBanker
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies registry class
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-01 08:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-01 08:39
Reported
2023-11-01 09:30
Platform
win7-20231023-en
Max time kernel
239s
Max time network
267s
Command Line
Signatures
Tinba / TinyBanker
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\432C9E0C = "C:\\Users\\Admin\\AppData\\Roaming\\432C9E0C\\bin.exe" | C:\Windows\SysWOW64\winver.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1868 set thread context of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe"
C:\Windows\SysWOW64\winver.exe
winver
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | recdataoneveter.cc | udp |
| US | 216.218.185.162:80 | recdataoneveter.cc | tcp |
Files
memory/2132-2-0x0000000000400000-0x0000000000405000-memory.dmp
memory/1196-3-0x0000000002AF0000-0x0000000002AF6000-memory.dmp
memory/2132-4-0x0000000000410000-0x0000000000E10000-memory.dmp
memory/1196-5-0x0000000002AF0000-0x0000000002AF6000-memory.dmp
memory/2656-6-0x0000000000110000-0x0000000000116000-memory.dmp
memory/1196-9-0x0000000002AF0000-0x0000000002AF6000-memory.dmp
memory/2656-8-0x00000000776DF000-0x00000000776E0000-memory.dmp
memory/2656-7-0x0000000000110000-0x0000000000116000-memory.dmp
memory/2656-12-0x00000000776E0000-0x00000000776E1000-memory.dmp
memory/1196-13-0x0000000077531000-0x0000000077532000-memory.dmp
memory/2656-14-0x0000000000190000-0x0000000000191000-memory.dmp
memory/2656-11-0x00000000776DF000-0x00000000776E1000-memory.dmp
memory/2656-15-0x0000000000EF0000-0x0000000000F06000-memory.dmp
memory/2132-18-0x0000000000410000-0x0000000000E10000-memory.dmp
memory/1108-20-0x0000000000510000-0x0000000000516000-memory.dmp
memory/1108-22-0x0000000000510000-0x0000000000516000-memory.dmp
memory/1172-24-0x00000000019C0000-0x00000000019C6000-memory.dmp
memory/1108-23-0x0000000077531000-0x0000000077532000-memory.dmp
memory/1172-26-0x00000000019C0000-0x00000000019C6000-memory.dmp
memory/1196-28-0x0000000002B10000-0x0000000002B16000-memory.dmp
memory/1196-29-0x0000000002B10000-0x0000000002B16000-memory.dmp
memory/2656-30-0x0000000000110000-0x0000000000116000-memory.dmp
memory/2656-35-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/1196-36-0x00000000776C0000-0x00000000776C1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-01 08:39
Reported
2023-11-01 09:27
Platform
win10v2004-20231023-en
Max time kernel
168s
Max time network
179s
Command Line
Signatures
Tinba / TinyBanker
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6A383DE2 = "C:\\Users\\Admin\\AppData\\Roaming\\6A383DE2\\bin.exe" | C:\Windows\SysWOW64\winver.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4012 set thread context of 4108 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\MuiCache | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72939f28-7ab1-4d79- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5d79676a-c558-452a- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\796952e9-601e-4d0a- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\881365edbe9f75d003f42391d50e8f98b4819dd11efc1eb42871afbc3d48e222" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72939f28-7ab1-4d79- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\796952e9-601e-4d0a- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5d79676a-c558-452a- = d425dc7aa50cda01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72939f28-7ab1-4d79- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\df7b9a9b90cc7bd3fccaa40603c5013f4ecadf4fc27d681759cddf22b90771da" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\796952e9-601e-4d0a- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\796952e9-601e-4d0a- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72939f28-7ab1-4d79- = … | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72939f28-7ab1-4d79- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7b377b1d-0918-4f1b- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5d79676a-c558-452a- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\a0cfcfb04dd1245ca8dd75093f5fc7d2bd8b8e020bd9a6242678d912261f40e2" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72939f28-7ab1-4d79- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72939f28-7ab1-4d79- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5d79676a-c558-452a- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\796952e9-601e-4d0a- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\796952e9-601e-4d0a- = 10eac37aa50cda01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\796952e9-601e-4d0a- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5d79676a-c558-452a- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5d79676a-c558-452a- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72939f28-7ab1-4d79- = de84fb7ba50cda01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\796952e9-601e-4d0a- = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000014ddb77aa50cda0114ddb77aa50cda0114ddb77aa50cda01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000061574c4b2000383831333635656462653966373564303033663432333931643530653866393862343831396464313165666331656234323837316166626333643438653232320000b20009000400efbe61574c4b61574c4b2e00000000000000000000000000000000000000000000000000ec02aa00380038003100330036003500650064006200650039006600370035006400300030003300660034003200330039003100640035003000650038006600390038006200340038003100390064006400310031006500660063003100650062003400320038003700310061006600620063003300640034003800650032003200320000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000008b0a70081000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c38383133363565646265396637356430303366343233393164353065386639386234383139646431316566633165623432383731616662633364343865323232000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000666575747a6369690000000000000000aa66e0c271c14945b47c5aad1972038dc160fc4ca671ee1192aaea2e5edba62daa66e0c271c14945b47c5aad1972038dc160fc4ca671ee1192aaea2e5edba62dce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0033003100320035003600300031003200340032002d003300330031003400340037003500390033002d0031003500310032003800320038003400360035002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000064ad0c2000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5d79676a-c558-452a- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5d79676a-c558-452a- = … | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72939f28-7ab1-4d79- | C:\Windows\System32\RuntimeBroker.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\DllHost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\DllHost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe"
C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe"
C:\Windows\SysWOW64\winver.exe
winver
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3700 -s 868
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4220 -s 964
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2052 -s 784
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | recdataoneveter.cc | udp |
| US | 216.218.185.162:80 | recdataoneveter.cc | tcp |
| US | 8.8.8.8:53 | diiqngijkpop.com | udp |
| US | 8.8.8.8:53 | 162.185.218.216.in-addr.arpa | udp |
| US | 216.218.185.162:80 | diiqngijkpop.com | tcp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.197.79.40.in-addr.arpa | udp |
Files
memory/4108-2-0x0000000000400000-0x0000000000405000-memory.dmp
memory/4108-3-0x0000000000770000-0x0000000001170000-memory.dmp
memory/5112-5-0x0000000000950000-0x0000000000962000-memory.dmp
memory/3156-4-0x00000000007A0000-0x00000000007A6000-memory.dmp
memory/5112-8-0x0000000077352000-0x0000000077353000-memory.dmp
memory/3156-7-0x00000000007A0000-0x00000000007A6000-memory.dmp
memory/5112-6-0x00000000027A0000-0x00000000027A6000-memory.dmp
memory/3156-10-0x00007FFA2618D000-0x00007FFA2618E000-memory.dmp
memory/5112-9-0x00000000027A0000-0x00000000027A6000-memory.dmp
memory/4108-13-0x0000000000770000-0x0000000001170000-memory.dmp
memory/2336-14-0x00000000009B0000-0x00000000009B6000-memory.dmp
memory/2348-15-0x0000000000360000-0x0000000000366000-memory.dmp
memory/2424-17-0x0000000000200000-0x0000000000206000-memory.dmp
memory/2336-16-0x00000000009B0000-0x00000000009B6000-memory.dmp
memory/2348-18-0x0000000000360000-0x0000000000366000-memory.dmp
memory/2424-19-0x0000000000200000-0x0000000000206000-memory.dmp
memory/3156-20-0x0000000002B20000-0x0000000002B26000-memory.dmp
memory/3448-21-0x0000000000F00000-0x0000000000F06000-memory.dmp
memory/3448-25-0x0000000000F00000-0x0000000000F06000-memory.dmp
memory/3796-24-0x00000000003B0000-0x00000000003B6000-memory.dmp
memory/3156-23-0x0000000002B20000-0x0000000002B26000-memory.dmp
memory/3700-22-0x0000000000DD0000-0x0000000000DD6000-memory.dmp
memory/3796-27-0x00000000003B0000-0x00000000003B6000-memory.dmp
memory/3860-26-0x0000000000700000-0x0000000000706000-memory.dmp
memory/5112-28-0x00000000027A0000-0x00000000027A6000-memory.dmp
memory/3860-29-0x0000000000700000-0x0000000000706000-memory.dmp
memory/3524-31-0x0000000000170000-0x0000000000176000-memory.dmp
memory/3524-33-0x0000000000170000-0x0000000000176000-memory.dmp
memory/4532-34-0x0000000000B10000-0x0000000000B16000-memory.dmp
memory/4376-32-0x0000000000510000-0x0000000000516000-memory.dmp
memory/4376-35-0x0000000000510000-0x0000000000516000-memory.dmp
memory/4532-36-0x0000000000B10000-0x0000000000B16000-memory.dmp
memory/2800-37-0x00000000005A0000-0x00000000005A6000-memory.dmp
memory/3648-38-0x00000000006B0000-0x00000000006B6000-memory.dmp
memory/2148-39-0x0000000000D50000-0x0000000000D56000-memory.dmp
memory/2148-40-0x0000000000D50000-0x0000000000D56000-memory.dmp
memory/448-41-0x0000000000C10000-0x0000000000C16000-memory.dmp
memory/448-42-0x0000000000C10000-0x0000000000C16000-memory.dmp
memory/4532-47-0x0000000000B10000-0x0000000000B16000-memory.dmp
memory/2148-56-0x0000000000D50000-0x0000000000D56000-memory.dmp
memory/2148-57-0x00007FFA26300000-0x00007FFA26301000-memory.dmp
memory/2148-58-0x00007FFA26320000-0x00007FFA26321000-memory.dmp
memory/2148-59-0x00007FFA26310000-0x00007FFA26311000-memory.dmp
memory/3156-61-0x00007FFA26320000-0x00007FFA26321000-memory.dmp
memory/4628-62-0x0000000000BB0000-0x0000000000BB6000-memory.dmp
memory/4628-63-0x0000000000BB0000-0x0000000000BB6000-memory.dmp
memory/3796-64-0x00007FFA26300000-0x00007FFA26301000-memory.dmp
memory/4628-65-0x00007FFA26320000-0x00007FFA26321000-memory.dmp
memory/448-66-0x00007FFA26300000-0x00007FFA26301000-memory.dmp
memory/448-71-0x00007FFA26310000-0x00007FFA26311000-memory.dmp
memory/4220-78-0x00000000005F0000-0x00000000005F6000-memory.dmp
memory/3732-79-0x0000000000970000-0x0000000000976000-memory.dmp
memory/4628-81-0x0000000000BB0000-0x0000000000BB6000-memory.dmp
memory/4628-86-0x00007FFA26310000-0x00007FFA26311000-memory.dmp
memory/3860-88-0x00007FFA26300000-0x00007FFA26301000-memory.dmp
memory/3860-89-0x00007FFA26320000-0x00007FFA26321000-memory.dmp
memory/3860-90-0x00007FFA26310000-0x00007FFA26311000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338388\53f1199986854c8980d09275b13375bf_1
| MD5 | 5460e34a0f46e756d370e03f65e6b271 |
| SHA1 | 261484da979386ef5ff3e64ab206970120c04478 |
| SHA256 | e5a3a54c0ea4a3bc1c960db2d22d4554091d703a6e12492268b57a43ec0d759e |
| SHA512 | f5b1c6c87b19b998c279951814ebcb383d585d3bb298201e31784f18278c5c99600a8e1eedc6605dac329c9ec35a04cb9d679d650a9f53ab514bed1743086a8b |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat
| MD5 | b24e8001274ecf4fe51846dc53cb0e33 |
| SHA1 | fe95581ccfc7e7905440b118721c8cb58f87d476 |
| SHA256 | 3f085196f5e79abad2a6740f4a00a55532b000ee538626b24f516ee41e084568 |
| SHA512 | dd8c75e14da9ff78e1ff5b36e888b168427e4a4dcc20038def06f87be67e480922e6ed49bc6c937fe19c3247322b8ce4309d13e52612ecd8bed7beeaeb5febf6 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat
| MD5 | b52450783d5c5e9ea7d634151b1b0dc8 |
| SHA1 | d864785c63f676aeb84051581bdb46b02da4081c |
| SHA256 | 993a5f94685aa3cf9ee23c43e7ddd89e2c86fda5dfa44d210721080374f97573 |
| SHA512 | 5948b380210d27f5113261dee51fb5c1747e907ed9f7633097d4fc52df15b712adee8cac4826f4a8b9ace81891eeaa6480036fb216096ad83ea4b4a01840659f |
memory/3968-107-0x0000000000360000-0x0000000000366000-memory.dmp
memory/3968-108-0x0000000000360000-0x0000000000366000-memory.dmp
memory/3968-109-0x00007FFA26300000-0x00007FFA26301000-memory.dmp
memory/3968-112-0x00007FFA26310000-0x00007FFA26311000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat
| MD5 | 202e0720ab43a23f57d23259c995f09b |
| SHA1 | 3ec372c4f28605321c99ea2ec92a39080a4b59bc |
| SHA256 | 0d165d2031272df137a19d12968a78e033bcc268befdc0e63f72964bcae12e45 |
| SHA512 | 4a6cbd41d9764a5c1e7d6b93fcccd585d7db1f987774d88462c23093d7f3fbd4aa799ee603081b2bb5006a6b46a35e7b63d6dc43f55e49d6a5e3d47a62a640c7 |
memory/1152-129-0x0000000000E90000-0x0000000000E96000-memory.dmp
memory/1520-130-0x00000000007F0000-0x00000000007F6000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\88000045\1698830770
| MD5 | d2bdac6c9fb252f560083b4043c8c237 |
| SHA1 | 8b0df44254f461271d9d7592e515c802b1345ff4 |
| SHA256 | 6ff4129a06c79a6370c807146e92e039fa166e0e3af0c6a9fe9515a3d8546357 |
| SHA512 | 6cf06112287fa35cdb6818584b3ba12a6194760c78116877269bcb2782b85cc8d587c1fa5b36eef3c2a61fa903e3540011621ba72e5d5e7e11226e72f6945be7 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338387\1698830770
| MD5 | 267dd6ca5bae1db5fc907fd8ba60a8bb |
| SHA1 | 7a017f7d01e9443dd88ec4b10af10247207ad6cc |
| SHA256 | a18f69c204992e25202105736e27a06eec969d08cd8eab7903594f411d2ae826 |
| SHA512 | 1fb2c52aaba6b72152405571ea9708fecfd3ac3c6d176edfe05f1ca8a83c0ec38cd3b7f6e2c95b739f443beb2beb5354dd1491d3dd9f37c9a6dccc4f4606ce8f |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\280815\1698830770
| MD5 | 9f46a9fd1003db71840c3f8dabda89b8 |
| SHA1 | 989d99b431eea29ce67d9ab752904ef015a46684 |
| SHA256 | d0eaee1185a70c4c3820ab24d2ca2f5cc01b7405713c0177caa4d435478b3387 |
| SHA512 | 12bd85dff3e3aaf2d8f230c166aa006e377688c476dc7f1352648473ca25fba26cb923ac80a648eeffdcff9488f38d9dfd1f5349f3c5d7672690968baf6a3a57 |
memory/1316-172-0x0000000000ED0000-0x0000000000ED6000-memory.dmp
memory/3484-173-0x0000000000BA0000-0x0000000000BA6000-memory.dmp
memory/3484-174-0x000001D855E20000-0x000001D855E28000-memory.dmp
memory/2356-178-0x0000000000E00000-0x0000000000E06000-memory.dmp
memory/4948-179-0x00000000000B0000-0x00000000000B6000-memory.dmp
memory/3052-182-0x0000000000270000-0x0000000000276000-memory.dmp
memory/3052-183-0x0000000000270000-0x0000000000276000-memory.dmp
memory/1720-187-0x0000000000F60000-0x0000000000F66000-memory.dmp
memory/4620-188-0x0000000000820000-0x0000000000826000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
| MD5 | 92647766e11de217bd235523797e9c39 |
| SHA1 | 47226d112fdd62484a889e9852e2f63e4772c4bd |
| SHA256 | a94044b8f336a18691c82fbb5805b48c59e8e7b783d339f64e3933f3426571ba |
| SHA512 | 222b44d14fea60bac5785f6d707f30a33a0f8e3e9fdfb4ac46b7b58c63a057bb5a662b4cad4b7d3b49aa7f3f54abdb9ec8dc3626f16398ddd6d200f9dd963a2c |
memory/3156-204-0x00007FFA26310000-0x00007FFA26311000-memory.dmp
memory/1900-212-0x00007FFA2618D000-0x00007FFA2618E000-memory.dmp
memory/1900-211-0x00007FFA2618D000-0x00007FFA2618E000-memory.dmp
memory/1900-210-0x0000000000DE0000-0x0000000000DE6000-memory.dmp
memory/1900-213-0x00007FFA26320000-0x00007FFA26321000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\88000045\1698830770
| MD5 | d2bdac6c9fb252f560083b4043c8c237 |
| SHA1 | 8b0df44254f461271d9d7592e515c802b1345ff4 |
| SHA256 | 6ff4129a06c79a6370c807146e92e039fa166e0e3af0c6a9fe9515a3d8546357 |
| SHA512 | 6cf06112287fa35cdb6818584b3ba12a6194760c78116877269bcb2782b85cc8d587c1fa5b36eef3c2a61fa903e3540011621ba72e5d5e7e11226e72f6945be7 |
memory/1900-214-0x00007FFA26310000-0x00007FFA26311000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\280815\1698830770
| MD5 | 9f46a9fd1003db71840c3f8dabda89b8 |
| SHA1 | 989d99b431eea29ce67d9ab752904ef015a46684 |
| SHA256 | d0eaee1185a70c4c3820ab24d2ca2f5cc01b7405713c0177caa4d435478b3387 |
| SHA512 | 12bd85dff3e3aaf2d8f230c166aa006e377688c476dc7f1352648473ca25fba26cb923ac80a648eeffdcff9488f38d9dfd1f5349f3c5d7672690968baf6a3a57 |
memory/1900-218-0x0000000000DE0000-0x0000000000DE6000-memory.dmp