Malware Analysis Report

2025-01-19 07:36

Sample ID 231101-kkk5msga42
Target NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe
SHA256 5b240a73720678e7114918f138070381845429af3c96f94b43f0475bb4d803bd
Tags
tinba banker persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5b240a73720678e7114918f138070381845429af3c96f94b43f0475bb4d803bd

Threat Level: Known bad

The file NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe was found to be: Known bad.

Malicious Activity Summary

tinba banker persistence trojan

Tinba / TinyBanker

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-01 08:39

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-01 08:39

Reported

2023-11-01 09:30

Platform

win7-20231023-en

Max time kernel

239s

Max time network

267s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe"

Signatures

Tinba / TinyBanker

trojan banker tinba

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\432C9E0C = "C:\\Users\\Admin\\AppData\\Roaming\\432C9E0C\\bin.exe" | C:\Windows\SysWOW64\winver.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1868 set thread context of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A (61 identical entries)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1868 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe (7 identical entries)
PID 2132 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe | C:\Windows\SysWOW64\winver.exe (5 identical entries)
PID 2656 wrote to memory of 1196 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\Explorer.EXE
PID 2656 wrote to memory of 1108 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\system32\taskhost.exe
PID 2656 wrote to memory of 1172 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\system32\Dwm.exe
PID 2656 wrote to memory of 1196 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\Explorer.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe"

C:\Windows\SysWOW64\winver.exe

winver

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | recdataoneveter.cc | udp
US | 216.218.185.162:80 | recdataoneveter.cc | tcp

Files

memory/2132-2-0x0000000000400000-0x0000000000405000-memory.dmp

memory/1196-3-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

memory/2132-4-0x0000000000410000-0x0000000000E10000-memory.dmp

memory/1196-5-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

memory/2656-6-0x0000000000110000-0x0000000000116000-memory.dmp

memory/1196-9-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

memory/2656-8-0x00000000776DF000-0x00000000776E0000-memory.dmp

memory/2656-7-0x0000000000110000-0x0000000000116000-memory.dmp

memory/2656-12-0x00000000776E0000-0x00000000776E1000-memory.dmp

memory/1196-13-0x0000000077531000-0x0000000077532000-memory.dmp

memory/2656-14-0x0000000000190000-0x0000000000191000-memory.dmp

memory/2656-11-0x00000000776DF000-0x00000000776E1000-memory.dmp

memory/2656-15-0x0000000000EF0000-0x0000000000F06000-memory.dmp

memory/2132-18-0x0000000000410000-0x0000000000E10000-memory.dmp

memory/1108-20-0x0000000000510000-0x0000000000516000-memory.dmp

memory/1108-22-0x0000000000510000-0x0000000000516000-memory.dmp

memory/1172-24-0x00000000019C0000-0x00000000019C6000-memory.dmp

memory/1108-23-0x0000000077531000-0x0000000077532000-memory.dmp

memory/1172-26-0x00000000019C0000-0x00000000019C6000-memory.dmp

memory/1196-28-0x0000000002B10000-0x0000000002B16000-memory.dmp

memory/1196-29-0x0000000002B10000-0x0000000002B16000-memory.dmp

memory/2656-30-0x0000000000110000-0x0000000000116000-memory.dmp

memory/2656-35-0x00000000001A0000-0x00000000001A1000-memory.dmp

memory/1196-36-0x00000000776C0000-0x00000000776C1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-01 08:39

Reported

2023-11-01 09:27

Platform

win10v2004-20231023-en

Max time kernel

168s

Max time network

179s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

Tinba / TinyBanker

trojan banker tinba

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6A383DE2 = "C:\\Users\\Admin\\AppData\\Roaming\\6A383DE2\\bin.exe" | C:\Windows\SysWOW64\winver.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4012 set thread context of 4108 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\MuiCache | C:\Windows\system32\backgroundTaskHost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72939f28-7ab1-4d79- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5d79676a-c558-452a- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\system32\backgroundTaskHost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\796952e9-601e-4d0a- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\881365edbe9f75d003f42391d50e8f98b4819dd11efc1eb42871afbc3d48e222" | C:\Windows\System32\RuntimeBroker.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72939f28-7ab1-4d79- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System | C:\Windows\System32\RuntimeBroker.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\796952e9-601e-4d0a- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5d79676a-c558-452a- = d425dc7aa50cda01 | C:\Windows\System32\RuntimeBroker.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72939f28-7ab1-4d79- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\df7b9a9b90cc7bd3fccaa40603c5013f4ecadf4fc27d681759cddf22b90771da" | C:\Windows\System32\RuntimeBroker.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\system32\backgroundTaskHost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\796952e9-601e-4d0a- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\796952e9-601e-4d0a- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72939f28-7ab1-4d79- = [binary value not preserved in source] | C:\Windows\System32\RuntimeBroker.exe | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72939f28-7ab1-4d79- | C:\Windows\System32\RuntimeBroker.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\system32\backgroundTaskHost.exe | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7b377b1d-0918-4f1b- | C:\Windows\System32\RuntimeBroker.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5d79676a-c558-452a- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\a0cfcfb04dd1245ca8dd75093f5fc7d2bd8b8e020bd9a6242678d912261f40e2" | C:\Windows\System32\RuntimeBroker.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72939f28-7ab1-4d79- | C:\Windows\System32\RuntimeBroker.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72939f28-7ab1-4d79- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5d79676a-c558-452a- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\796952e9-601e-4d0a- | C:\Windows\System32\RuntimeBroker.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\796952e9-601e-4d0a- = 10eac37aa50cda01 | C:\Windows\System32\RuntimeBroker.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\796952e9-601e-4d0a- | C:\Windows\System32\RuntimeBroker.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5d79676a-c558-452a- | C:\Windows\System32\RuntimeBroker.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5d79676a-c558-452a- | C:\Windows\System32\RuntimeBroker.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72939f28-7ab1-4d79- = de84fb7ba50cda01 | C:\Windows\System32\RuntimeBroker.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable | C:\Windows\System32\RuntimeBroker.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\796952e9-601e-4d0a- = [binary value not preserved in source] | C:\Windows\System32\RuntimeBroker.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5d79676a-c558-452a- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5d79676a-c558-452a- = [binary value not preserved in source] | C:\Windows\System32\RuntimeBroker.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72939f28-7ab1-4d79- | C:\Windows\System32\RuntimeBroker.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A (4 identical entries)
N/A | N/A | C:\Windows\system32\WerFault.exe | N/A (2 identical entries)
N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A (58 identical entries)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\backgroundTaskHost.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\DllHost.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\DllHost.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4012 wrote to memory of 4108 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe (6 identical entries)
PID 4108 wrote to memory of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe | C:\Windows\SysWOW64\winver.exe (4 identical entries)
PID 5112 wrote to memory of 3156 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\Explorer.EXE
PID 5112 wrote to memory of 2336 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\system32\svchost.exe
PID 5112 wrote to memory of 2348 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\system32\sihost.exe
PID 5112 wrote to memory of 2424 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\system32\taskhostw.exe
PID 5112 wrote to memory of 3156 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\Explorer.EXE
PID 5112 wrote to memory of 3448 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\system32\svchost.exe
PID 5112 wrote to memory of 3700 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\system32\DllHost.exe
PID 5112 wrote to memory of 3796 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 5112 wrote to memory of 3860 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\System32\RuntimeBroker.exe
PID 5112 wrote to memory of 3980 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 5112 wrote to memory of 3524 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\System32\RuntimeBroker.exe
PID 5112 wrote to memory of 4376 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\System32\RuntimeBroker.exe
PID 5112 wrote to memory of 4532 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 5112 wrote to memory of 2800 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\system32\backgroundTaskHost.exe
PID 5112 wrote to memory of 3648 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\system32\backgroundTaskHost.exe
PID 5112 wrote to memory of 2148 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\System32\RuntimeBroker.exe
PID 5112 wrote to memory of 448 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\system32\WerFault.exe
PID 5112 wrote to memory of 4628 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\system32\backgroundTaskHost.exe
PID 5112 wrote to memory of 4220 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\system32\DllHost.exe
PID 5112 wrote to memory of 3732 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\system32\DllHost.exe
PID 5112 wrote to memory of 3968 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\system32\WerFault.exe
PID 5112 wrote to memory of 1152 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\system32\DllHost.exe
PID 5112 wrote to memory of 1520 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\system32\DllHost.exe
PID 5112 wrote to memory of 1316 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\system32\DllHost.exe
PID 5112 wrote to memory of 3484 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\system32\DllHost.exe
PID 5112 wrote to memory of 2356 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\system32\DllHost.exe
PID 5112 wrote to memory of 4948 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\system32\DllHost.exe
PID 5112 wrote to memory of 3052 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\system32\BackgroundTransferHost.exe
PID 5112 wrote to memory of 1720 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 5112 wrote to memory of 4620 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 5112 wrote to memory of 2812 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 5112 wrote to memory of 3032 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 5112 wrote to memory of 4564 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 5112 wrote to memory of 2052 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 5112 wrote to memory of 1884 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\WerFault.exe
PID 5112 wrote to memory of 1900 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\backgroundTaskHost.exe

Processes

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe"

C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.c88b41f40268edb39b277ed5cb0fcb90_JC.exe"

C:\Windows\SysWOW64\winver.exe

winver

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3700 -s 868

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4220 -s 964

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2052 -s 784

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 recdataoneveter.cc udp
US 216.218.185.162:80 recdataoneveter.cc tcp
US 8.8.8.8:53 diiqngijkpop.com udp
US 8.8.8.8:53 162.185.218.216.in-addr.arpa udp
US 216.218.185.162:80 diiqngijkpop.com tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 35.197.79.40.in-addr.arpa udp
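Most rows in the Network table are reverse (PTR) lookups sent to 8.8.8.8 and carry no contact with the sample's infrastructure; the rows that matter are the forward lookups for recdataoneveter.cc and diiqngijkpop.com and the two tcp connections that follow, both to 216.218.185.162:80. The script below is an added example, not part of the sandbox output: it parses rows in the table's "Country Destination Domain Proto" layout, separates resolver noise from real connections, pairs each contacted IP with the domains that resolved to it, and flags a PTR query whose target is an IP the sample also connected to (the table contains one for 216.218.185.162; whether the sample or Windows issued it is not shown). NETWORK_ROWS is a subset copied from the table above; the function names are mine.

```python
"""Extract network IOCs from the sandbox's Network table (added example)."""
import re
from collections import defaultdict

# Subset of rows copied from the report's Network table.
NETWORK_ROWS = """\
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 recdataoneveter.cc udp
US 216.218.185.162:80 recdataoneveter.cc tcp
US 8.8.8.8:53 diiqngijkpop.com udp
US 8.8.8.8:53 162.185.218.216.in-addr.arpa udp
US 216.218.185.162:80 diiqngijkpop.com tcp
""".splitlines()

ROW_RE = re.compile(r"^([A-Z]{2}) (\d+\.\d+\.\d+\.\d+):(\d+) (\S+) (tcp|udp)$")
PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")


def parse_rows(rows):
    """Parse 'Country Destination Domain Proto' rows into dicts; skip malformed ones."""
    parsed = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            parsed.append({"country": m[1], "ip": m[2], "port": int(m[3]),
                           "name": m[4], "proto": m[5]})
    return parsed


def ptr_target(name):
    """Turn a reverse-lookup name back into the IP it asks about, or None."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def extract_iocs(rows):
    """Separate resolver noise (PTR lookups to the DNS server) from real contacts."""
    ptr_ips, lookups, contacts = set(), set(), defaultdict(set)
    for r in parse_rows(rows):
        ip = ptr_target(r["name"])
        if ip:
            ptr_ips.add(ip)                    # reverse lookup, not a contact
        elif r["proto"] == "udp" and r["port"] == 53:
            lookups.add(r["name"])             # forward DNS query for a domain
        else:
            contacts[r["ip"]].add(r["name"])   # actual connection to a host
    contacted_domains = {d for ds in contacts.values() for d in ds}
    return {
        "domains": sorted(contacted_domains),
        "ip_to_domains": {ip: sorted(ds) for ip, ds in sorted(contacts.items())},
        # resolved by the sample, but no connection seen by the sandbox
        "lookups_without_contact": sorted(lookups - contacted_domains),
        # a PTR query whose target is an IP the sample also connected to
        "ptr_of_contacted_ip": sorted(ptr_ips & set(contacts)),
    }


if __name__ == "__main__":
    for key, value in extract_iocs(NETWORK_ROWS).items():
        print(f"{key}: {value}")
```

The blocklist worth exporting from this report is the two domains and the single IP:port pair in "ip_to_domains"; the PTR names and 8.8.8.8 should never be turned into indicators.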

Files

memory/4108-2-0x0000000000400000-0x0000000000405000-memory.dmp

memory/4108-3-0x0000000000770000-0x0000000001170000-memory.dmp

memory/5112-5-0x0000000000950000-0x0000000000962000-memory.dmp

memory/3156-4-0x00000000007A0000-0x00000000007A6000-memory.dmp

memory/5112-8-0x0000000077352000-0x0000000077353000-memory.dmp

memory/3156-7-0x00000000007A0000-0x00000000007A6000-memory.dmp

memory/5112-6-0x00000000027A0000-0x00000000027A6000-memory.dmp

memory/3156-10-0x00007FFA2618D000-0x00007FFA2618E000-memory.dmp

memory/5112-9-0x00000000027A0000-0x00000000027A6000-memory.dmp

memory/4108-13-0x0000000000770000-0x0000000001170000-memory.dmp

memory/2336-14-0x00000000009B0000-0x00000000009B6000-memory.dmp

memory/2348-15-0x0000000000360000-0x0000000000366000-memory.dmp

memory/2424-17-0x0000000000200000-0x0000000000206000-memory.dmp

memory/2336-16-0x00000000009B0000-0x00000000009B6000-memory.dmp

memory/2348-18-0x0000000000360000-0x0000000000366000-memory.dmp

memory/2424-19-0x0000000000200000-0x0000000000206000-memory.dmp

memory/3156-20-0x0000000002B20000-0x0000000002B26000-memory.dmp

memory/3448-21-0x0000000000F00000-0x0000000000F06000-memory.dmp

memory/3448-25-0x0000000000F00000-0x0000000000F06000-memory.dmp

memory/3796-24-0x00000000003B0000-0x00000000003B6000-memory.dmp

memory/3156-23-0x0000000002B20000-0x0000000002B26000-memory.dmp

memory/3700-22-0x0000000000DD0000-0x0000000000DD6000-memory.dmp

memory/3796-27-0x00000000003B0000-0x00000000003B6000-memory.dmp

memory/3860-26-0x0000000000700000-0x0000000000706000-memory.dmp

memory/5112-28-0x00000000027A0000-0x00000000027A6000-memory.dmp

memory/3860-29-0x0000000000700000-0x0000000000706000-memory.dmp

memory/3524-31-0x0000000000170000-0x0000000000176000-memory.dmp

memory/3524-33-0x0000000000170000-0x0000000000176000-memory.dmp

memory/4532-34-0x0000000000B10000-0x0000000000B16000-memory.dmp

memory/4376-32-0x0000000000510000-0x0000000000516000-memory.dmp

memory/4376-35-0x0000000000510000-0x0000000000516000-memory.dmp

memory/4532-36-0x0000000000B10000-0x0000000000B16000-memory.dmp

memory/2800-37-0x00000000005A0000-0x00000000005A6000-memory.dmp

memory/3648-38-0x00000000006B0000-0x00000000006B6000-memory.dmp

memory/2148-39-0x0000000000D50000-0x0000000000D56000-memory.dmp

memory/2148-40-0x0000000000D50000-0x0000000000D56000-memory.dmp

memory/448-41-0x0000000000C10000-0x0000000000C16000-memory.dmp

memory/448-42-0x0000000000C10000-0x0000000000C16000-memory.dmp

memory/4532-47-0x0000000000B10000-0x0000000000B16000-memory.dmp

memory/2148-56-0x0000000000D50000-0x0000000000D56000-memory.dmp

memory/2148-57-0x00007FFA26300000-0x00007FFA26301000-memory.dmp

memory/2148-58-0x00007FFA26320000-0x00007FFA26321000-memory.dmp

memory/2148-59-0x00007FFA26310000-0x00007FFA26311000-memory.dmp

memory/3156-61-0x00007FFA26320000-0x00007FFA26321000-memory.dmp

memory/4628-62-0x0000000000BB0000-0x0000000000BB6000-memory.dmp

memory/4628-63-0x0000000000BB0000-0x0000000000BB6000-memory.dmp

memory/3796-64-0x00007FFA26300000-0x00007FFA26301000-memory.dmp

memory/4628-65-0x00007FFA26320000-0x00007FFA26321000-memory.dmp

memory/448-66-0x00007FFA26300000-0x00007FFA26301000-memory.dmp

memory/448-71-0x00007FFA26310000-0x00007FFA26311000-memory.dmp

memory/4220-78-0x00000000005F0000-0x00000000005F6000-memory.dmp

memory/3732-79-0x0000000000970000-0x0000000000976000-memory.dmp

memory/4628-81-0x0000000000BB0000-0x0000000000BB6000-memory.dmp

memory/4628-86-0x00007FFA26310000-0x00007FFA26311000-memory.dmp

memory/3860-88-0x00007FFA26300000-0x00007FFA26301000-memory.dmp

memory/3860-89-0x00007FFA26320000-0x00007FFA26321000-memory.dmp

memory/3860-90-0x00007FFA26310000-0x00007FFA26311000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338388\53f1199986854c8980d09275b13375bf_1

MD5 5460e34a0f46e756d370e03f65e6b271
SHA1 261484da979386ef5ff3e64ab206970120c04478
SHA256 e5a3a54c0ea4a3bc1c960db2d22d4554091d703a6e12492268b57a43ec0d759e
SHA512 f5b1c6c87b19b998c279951814ebcb383d585d3bb298201e31784f18278c5c99600a8e1eedc6605dac329c9ec35a04cb9d679d650a9f53ab514bed1743086a8b

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat

MD5 b24e8001274ecf4fe51846dc53cb0e33
SHA1 fe95581ccfc7e7905440b118721c8cb58f87d476
SHA256 3f085196f5e79abad2a6740f4a00a55532b000ee538626b24f516ee41e084568
SHA512 dd8c75e14da9ff78e1ff5b36e888b168427e4a4dcc20038def06f87be67e480922e6ed49bc6c937fe19c3247322b8ce4309d13e52612ecd8bed7beeaeb5febf6

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat

MD5 b52450783d5c5e9ea7d634151b1b0dc8
SHA1 d864785c63f676aeb84051581bdb46b02da4081c
SHA256 993a5f94685aa3cf9ee23c43e7ddd89e2c86fda5dfa44d210721080374f97573
SHA512 5948b380210d27f5113261dee51fb5c1747e907ed9f7633097d4fc52df15b712adee8cac4826f4a8b9ace81891eeaa6480036fb216096ad83ea4b4a01840659f

memory/3968-107-0x0000000000360000-0x0000000000366000-memory.dmp

memory/3968-108-0x0000000000360000-0x0000000000366000-memory.dmp

memory/3968-109-0x00007FFA26300000-0x00007FFA26301000-memory.dmp

memory/3968-112-0x00007FFA26310000-0x00007FFA26311000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat

MD5 202e0720ab43a23f57d23259c995f09b
SHA1 3ec372c4f28605321c99ea2ec92a39080a4b59bc
SHA256 0d165d2031272df137a19d12968a78e033bcc268befdc0e63f72964bcae12e45
SHA512 4a6cbd41d9764a5c1e7d6b93fcccd585d7db1f987774d88462c23093d7f3fbd4aa799ee603081b2bb5006a6b46a35e7b63d6dc43f55e49d6a5e3d47a62a640c7

memory/1152-129-0x0000000000E90000-0x0000000000E96000-memory.dmp

memory/1520-130-0x00000000007F0000-0x00000000007F6000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\88000045\1698830770

MD5 d2bdac6c9fb252f560083b4043c8c237
SHA1 8b0df44254f461271d9d7592e515c802b1345ff4
SHA256 6ff4129a06c79a6370c807146e92e039fa166e0e3af0c6a9fe9515a3d8546357
SHA512 6cf06112287fa35cdb6818584b3ba12a6194760c78116877269bcb2782b85cc8d587c1fa5b36eef3c2a61fa903e3540011621ba72e5d5e7e11226e72f6945be7

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338387\1698830770

MD5 267dd6ca5bae1db5fc907fd8ba60a8bb
SHA1 7a017f7d01e9443dd88ec4b10af10247207ad6cc
SHA256 a18f69c204992e25202105736e27a06eec969d08cd8eab7903594f411d2ae826
SHA512 1fb2c52aaba6b72152405571ea9708fecfd3ac3c6d176edfe05f1ca8a83c0ec38cd3b7f6e2c95b739f443beb2beb5354dd1491d3dd9f37c9a6dccc4f4606ce8f

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\280815\1698830770

MD5 9f46a9fd1003db71840c3f8dabda89b8
SHA1 989d99b431eea29ce67d9ab752904ef015a46684
SHA256 d0eaee1185a70c4c3820ab24d2ca2f5cc01b7405713c0177caa4d435478b3387
SHA512 12bd85dff3e3aaf2d8f230c166aa006e377688c476dc7f1352648473ca25fba26cb923ac80a648eeffdcff9488f38d9dfd1f5349f3c5d7672690968baf6a3a57

memory/1316-172-0x0000000000ED0000-0x0000000000ED6000-memory.dmp

memory/3484-173-0x0000000000BA0000-0x0000000000BA6000-memory.dmp

memory/3484-174-0x000001D855E20000-0x000001D855E28000-memory.dmp

memory/2356-178-0x0000000000E00000-0x0000000000E06000-memory.dmp

memory/4948-179-0x00000000000B0000-0x00000000000B6000-memory.dmp

memory/3052-182-0x0000000000270000-0x0000000000276000-memory.dmp

memory/3052-183-0x0000000000270000-0x0000000000276000-memory.dmp

memory/1720-187-0x0000000000F60000-0x0000000000F66000-memory.dmp

memory/4620-188-0x0000000000820000-0x0000000000826000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

MD5 92647766e11de217bd235523797e9c39
SHA1 47226d112fdd62484a889e9852e2f63e4772c4bd
SHA256 a94044b8f336a18691c82fbb5805b48c59e8e7b783d339f64e3933f3426571ba
SHA512 222b44d14fea60bac5785f6d707f30a33a0f8e3e9fdfb4ac46b7b58c63a057bb5a662b4cad4b7d3b49aa7f3f54abdb9ec8dc3626f16398ddd6d200f9dd963a2c

memory/3156-204-0x00007FFA26310000-0x00007FFA26311000-memory.dmp

memory/1900-212-0x00007FFA2618D000-0x00007FFA2618E000-memory.dmp

memory/1900-211-0x00007FFA2618D000-0x00007FFA2618E000-memory.dmp

memory/1900-210-0x0000000000DE0000-0x0000000000DE6000-memory.dmp

memory/1900-213-0x00007FFA26320000-0x00007FFA26321000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\88000045\1698830770

MD5 d2bdac6c9fb252f560083b4043c8c237
SHA1 8b0df44254f461271d9d7592e515c802b1345ff4
SHA256 6ff4129a06c79a6370c807146e92e039fa166e0e3af0c6a9fe9515a3d8546357
SHA512 6cf06112287fa35cdb6818584b3ba12a6194760c78116877269bcb2782b85cc8d587c1fa5b36eef3c2a61fa903e3540011621ba72e5d5e7e11226e72f6945be7

memory/1900-214-0x00007FFA26310000-0x00007FFA26311000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\280815\1698830770

MD5 9f46a9fd1003db71840c3f8dabda89b8
SHA1 989d99b431eea29ce67d9ab752904ef015a46684
SHA256 d0eaee1185a70c4c3820ab24d2ca2f5cc01b7405713c0177caa4d435478b3387
SHA512 12bd85dff3e3aaf2d8f230c166aa006e377688c476dc7f1352648473ca25fba26cb923ac80a648eeffdcff9488f38d9dfd1f5349f3c5d7672690968baf6a3a57

memory/1900-218-0x0000000000DE0000-0x0000000000DE6000-memory.dmp