Malware Analysis Report

2025-01-19 07:22

Sample ID 231112-pzp5csfd4y
Target NEAS.a3f4e45e9e12eb439bae0b3c5a5ef560.exe
SHA256 f4951af3a8a40e695932a7e0fe4ecc68ccb4b4e9648388c65f28e61643e4f7ac
Tags
tinba banker persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f4951af3a8a40e695932a7e0fe4ecc68ccb4b4e9648388c65f28e61643e4f7ac

Threat Level: Known bad

The file NEAS.a3f4e45e9e12eb439bae0b3c5a5ef560.exe was found to be: Known bad.

Malicious Activity Summary

tinba banker persistence trojan

Tinba / TinyBanker

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-12 12:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-12 12:46

Reported

2023-11-12 12:51

Platform

win7-20231020-en

Max time kernel

146s

Max time network

151s

Command Line

"taskhost.exe"

Signatures

Tinba / TinyBanker

trojan banker tinba

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\8C142DFD = "C:\\Users\\Admin\\AppData\\Roaming\\8C142DFD\\bin.exe" C:\Windows\SysWOW64\winver.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\winver.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Users\Admin\AppData\Local\Temp\NEAS.a3f4e45e9e12eb439bae0b3c5a5ef560.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.a3f4e45e9e12eb439bae0b3c5a5ef560.exe"

C:\Windows\SysWOW64\winver.exe

winver

Network

Country Destination Domain Proto
US 8.8.8.8:53 brureservtestot.cc udp
US 8.8.8.8:53 qytufpscigbb.com udp
US 216.218.185.162:80 qytufpscigbb.com tcp
US 8.8.8.8:53 qytufpscigbb.net udp
US 216.218.185.162:80 qytufpscigbb.net tcp

Files

memory/1916-0-0x0000000002750000-0x0000000002752000-memory.dmp

memory/1916-2-0x0000000002860000-0x0000000003260000-memory.dmp

memory/1228-1-0x0000000002A00000-0x0000000002A06000-memory.dmp

memory/2072-4-0x0000000000140000-0x0000000000146000-memory.dmp

memory/2072-5-0x0000000000140000-0x0000000000146000-memory.dmp

memory/1228-6-0x0000000002A00000-0x0000000002A06000-memory.dmp

memory/1228-3-0x0000000002A00000-0x0000000002A06000-memory.dmp

memory/2072-7-0x0000000000B00000-0x0000000000B16000-memory.dmp

memory/2072-8-0x0000000000140000-0x0000000000146000-memory.dmp

memory/1228-9-0x00000000774E1000-0x00000000774E2000-memory.dmp

memory/2072-12-0x0000000077690000-0x0000000077691000-memory.dmp

memory/2072-11-0x000000007768F000-0x0000000077691000-memory.dmp

memory/2072-10-0x000000007768F000-0x0000000077690000-memory.dmp

memory/1916-13-0x0000000000400000-0x0000000000DC7000-memory.dmp

memory/1916-14-0x0000000002860000-0x0000000003260000-memory.dmp

memory/1104-16-0x0000000000250000-0x0000000000256000-memory.dmp

memory/1104-18-0x0000000000250000-0x0000000000256000-memory.dmp

memory/1188-21-0x0000000000120000-0x0000000000126000-memory.dmp

memory/1104-20-0x00000000774E1000-0x00000000774E2000-memory.dmp

memory/1188-22-0x0000000000120000-0x0000000000126000-memory.dmp

memory/2072-24-0x0000000000190000-0x0000000000191000-memory.dmp

memory/2072-25-0x0000000000370000-0x0000000000371000-memory.dmp

memory/1228-28-0x0000000077670000-0x0000000077671000-memory.dmp

memory/2072-30-0x0000000000140000-0x0000000000146000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-12 12:46

Reported

2023-11-12 12:51

Platform

win10v2004-20231023-en

Max time kernel

162s

Max time network

180s

Command Line

sihost.exe

Signatures

Tinba / TinyBanker

trojan banker tinba

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5D03D106 = "C:\\Users\\Admin\\AppData\\Roaming\\5D03D106\\bin.exe" C:\Windows\SysWOW64\winver.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b70d7e95-6935-4ab0- C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0482d84-c929-4c23- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\840ec328-c289-48da- = 05b6a6b96615da01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0482d84-c929-4c23- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\840ec328-c289-48da- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\1c6f353f583621cb2fa46f61353945e0efe1a316010059f3d6fb664ad0a3f383" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\840ec328-c289-48da- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8e75f3c3-749a-4cd8- = 1451b3b96615da01 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1657d5fb-29d0-4d5b- C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd825837-279a-465b- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0482d84-c929-4c23- = 647187b96615da01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b70d7e95-6935-4ab0- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b70d7e95-6935-4ab0- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\24aef059f8fa6c725cf54f8d1838c8604e9c232f433a731fb5d44ddd775fba30" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0482d84-c929-4c23- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\782583e955e6fc240556a90133d464a58cf3474021294458118301378a30f1a8" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8e75f3c3-749a-4cd8- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\840ec328-c289-48da- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\backgroundTaskHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\MuiCache C:\Windows\system32\backgroundTaskHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd825837-279a-465b- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\090b9c510358f3c6268e3d870310e41a834bf51f03d0ade7c8e5b19e232dd816" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0482d84-c929-4c23- C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a9e9552-c81b-4b32- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\840ec328-c289-48da- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1ed30503-2a68-40ea- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c50c66a9-420d-4ddb- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd825837-279a-465b- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd825837-279a-465b- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd825837-279a-465b- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\840ec328-c289-48da- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1ed30503-2a68-40ea- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1ed30503-2a68-40ea- = 7688c1b96615da01 C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\381b6451-9f35-41d6- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd825837-279a-465b- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000c7a279b96615da01c7a279b96615da01c7a279b96615da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000006c573a662000303930623963353130333538663363363236386533643837303331306534316138333462663531663033643061646537633865356231396532333264643831360000b20009000400efbe6c573a666c573a662e000000000000000000000000000000000000000000000000003975fc00300039003000620039006300350031003000330035003800660033006300360032003600380065003300640038003700300033003100300065003400310061003800330034006200660035003100660030003300640030006100640065003700630038006500350062003100390065003200330032006400640038003100360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000006de94b2b1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c30393062396335313033353866336336323638653364383730333130653431613833346266353166303364306164653763386535623139653233326464383136000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000666575747a6369690000000000000000aa66e0c271c14945b47c5aad1972038d3ec7cf97a771ee1192aa4ad554a74236aa66e0c271c14945b47c5aad1972038d3ec7cf97a771ee1192aa4ad554a74236ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0033003100320035003600300031003200340032002d003300330031003400340037003500390033002d0031003500310032003800320038003400360035002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000064ad0c2000000000000d01200000000000000000000000000000000 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8e75f3c3-749a-4cd8- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8e75f3c3-749a-4cd8- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\4111bde53dd41ee17abf72377c4a0e7112293fd0b06e8216de61e408f05d2591" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\840ec328-c289-48da- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8e75f3c3-749a-4cd8- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1ed30503-2a68-40ea- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\cfc7d9ad22adbba8ffee5551330292bd003d3696cd1de6105ea9797a21b6c064" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b70d7e95-6935-4ab0- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0482d84-c929-4c23- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1ed30503-2a68-40ea- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1ed30503-2a68-40ea- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000243cb5b96615da01243cb5b96615da01243cb5b96615da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000006c573a662000636663376439616432326164626261386666656535353531333330323932626430303364333639366364316465363130356561393739376132316236633036340000b20009000400efbe6c573a666c573a662e00000000000000000000000000000000000000000000000000dcdbc000630066006300370064003900610064003200320061006400620062006100380066006600650065003500350035003100330033003000320039003200620064003000300033006400330036003900360063006400310064006500360031003000350065006100390037003900370061003200310062003600630030003600340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000006de94b2b1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c63666337643961643232616462626138666665653535353133333032393262643030336433363936636431646536313035656139373937613231623663303634000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000666575747a6369690000000000000000aa66e0c271c14945b47c5aad1972038d42c7cf97a771ee1192aa4ad554a74236aa66e0c271c14945b47c5aad1972038d42c7cf97a771ee1192aa4ad554a74236ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0033003100320035003600300031003200340032002d003300330031003400340037003500390033002d0031003500310032003800320038003400360035002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000064ad0c2000000000000d01200000000000000000000000000000000 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b70d7e95-6935-4ab0- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b70d7e95-6935-4ab0- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000006acb61b96615da016acb61b96615da016acb61b96615da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000006c573a662000323461656630353966386661366337323563663534663864313833386338363034653963323332663433336137333166623564343464646437373566626133300000b20009000400efbe6c573a666c573a662e00000000000000000000000000000000000000000000000000964c1401320034006100650066003000350039006600380066006100360063003700320035006300660035003400660038006400310038003300380063003800360030003400650039006300320033003200660034003300330061003700330031006600620035006400340034006400640064003700370035006600620061003300300000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000006de94b2b1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c32346165663035396638666136633732356366353466386431383338633836303465396332333266343333613733316662356434346464643737356662613330000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000666575747a6369690000000000000000aa66e0c271c14945b47c5aad1972038d3dc7cf97a771ee1192aa4ad554a74236aa66e0c271c14945b47c5aad1972038d3dc7cf97a771ee1192aa4ad554a74236ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0033003100320035003600300031003200340032002d003300330031003400340037003500390033002d0031003500310032003800320038003400360035002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000064ad0c2000000000000d01200000000000000000000000000000000 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0482d84-c929-4c23- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000e7c880b96615da01e7c880b96615da01e7c880b96615da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000006c573a662000373832353833653935356536666332343035353661393031333364343634613538636633343734303231323934343538313138333031333738613330663161380000b20009000400efbe6c573a666c573a662e00000000000000000000000000000000000000000000000000194ff500370038003200350038003300650039003500350065003600660063003200340030003500350036006100390030003100330033006400340036003400610035003800630066003300340037003400300032003100320039003400340035003800310031003800330030003100330037003800610033003000660031006100380000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000006de94b2b1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37383235383365393535653666633234303535366139303133336434363461353863663334373430323132393434353831313833303133373861333066316138000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000666575747a6369690000000000000000aa66e0c271c14945b47c5aad1972038d3fc7cf97a771ee1192aa4ad554a74236aa66e0c271c14945b47c5aad1972038d3fc7cf97a771ee1192aa4ad554a74236ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0033003100320035003600300031003200340032002d003300330031003400340037003500390033002d0031003500310032003800320038003400360035002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000064ad0c2000000000000d01200000000000000000000000000000000 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0482d84-c929-4c23- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1ed30503-2a68-40ea- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8e75f3c3-749a-4cd8- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8e75f3c3-749a-4cd8- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000d150a9b96615da01d150a9b96615da01d150a9b96615da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000006c573a662000343131316264653533646434316565313761626637323337376334613065373131323239336664306230366538323136646536316534303866303564323539310000b20009000400efbe6c573a666c573a662e000000000000000000000000000000000000000000000000002fc7cc00340031003100310062006400650035003300640064003400310065006500310037006100620066003700320033003700370063003400610030006500370031003100320032003900330066006400300062003000360065003800320031003600640065003600310065003400300038006600300035006400320035003900310000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000006de94b2b1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c34313131626465353364643431656531376162663732333737633461306537313132323933666430623036653832313664653631653430386630356432353931000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000666575747a6369690000000000000000aa66e0c271c14945b47c5aad1972038d41c7cf97a771ee1192aa4ad554a74236aa66e0c271c14945b47c5aad1972038d41c7cf97a771ee1192aa4ad554a74236ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0033003100320035003600300031003200340032002d003300330031003400340037003500390033002d0031003500310032003800320038003400360035002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000064ad0c2000000000000d01200000000000000000000000000000000 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1ed30503-2a68-40ea- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\system32\backgroundTaskHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\system32\backgroundTaskHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b70d7e95-6935-4ab0- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\840ec328-c289-48da- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000001b039bb96615da011b039bb96615da011b039bb96615da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000006c573a662000316336663335336635383336323163623266613436663631333533393435653065666531613331363031303035396633643666623636346164306133663338330000b20009000400efbe6c573a666c573a662e00000000000000000000000000000000000000000000000000e514db00310063003600660033003500330066003500380033003600320031006300620032006600610034003600660036003100330035003300390034003500650030006500660065003100610033003100360030003100300030003500390066003300640036006600620036003600340061006400300061003300660033003800330000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000006de94b2b1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c31633666333533663538333632316362326661343666363133353339343565306566653161333136303130303539663364366662363634616430613366333833000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000666575747a6369690000000000000000aa66e0c271c14945b47c5aad1972038d40c7cf97a771ee1192aa4ad554a74236aa66e0c271c14945b47c5aad1972038d40c7cf97a771ee1192aa4ad554a74236ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0033003100320035003600300031003200340032002d003300330031003400340037003500390033002d0031003500310032003800320038003400360035002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000064ad0c2000000000000d01200000000000000000000000000000000 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd825837-279a-465b- C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8e75f3c3-749a-4cd8- C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6c740e7c-068f-44f3- C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\558bb83e-4a38-442e- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b70d7e95-6935-4ab0- = 69e569b96615da01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd825837-279a-465b- = 83bb81b96615da01 C:\Windows\System32\RuntimeBroker.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\backgroundTaskHost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\winver.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1928 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.a3f4e45e9e12eb439bae0b3c5a5ef560.exe C:\Windows\SysWOW64\winver.exe
PID 1928 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.a3f4e45e9e12eb439bae0b3c5a5ef560.exe C:\Windows\SysWOW64\winver.exe
PID 1928 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.a3f4e45e9e12eb439bae0b3c5a5ef560.exe C:\Windows\SysWOW64\winver.exe
PID 1928 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.a3f4e45e9e12eb439bae0b3c5a5ef560.exe C:\Windows\SysWOW64\winver.exe
PID 1076 wrote to memory of 3100 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\Explorer.EXE
PID 1076 wrote to memory of 2448 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\sihost.exe
PID 1076 wrote to memory of 2480 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\svchost.exe
PID 1076 wrote to memory of 2768 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\taskhostw.exe
PID 1076 wrote to memory of 3100 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\Explorer.EXE
PID 1076 wrote to memory of 3408 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\svchost.exe
PID 1076 wrote to memory of 3676 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 1076 wrote to memory of 3816 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1076 wrote to memory of 3884 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\System32\RuntimeBroker.exe
PID 1076 wrote to memory of 4028 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1076 wrote to memory of 3500 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\System32\RuntimeBroker.exe
PID 1076 wrote to memory of 4256 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\System32\RuntimeBroker.exe
PID 1076 wrote to memory of 4856 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1076 wrote to memory of 3912 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1076 wrote to memory of 3172 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1076 wrote to memory of 4432 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\System32\RuntimeBroker.exe
PID 1076 wrote to memory of 1928 N/A C:\Windows\SysWOW64\winver.exe C:\Users\Admin\AppData\Local\Temp\NEAS.a3f4e45e9e12eb439bae0b3c5a5ef560.exe
PID 1076 wrote to memory of 5008 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\WerFault.exe
PID 1076 wrote to memory of 3776 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1076 wrote to memory of 3244 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 1076 wrote to memory of 4416 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 1076 wrote to memory of 3696 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\WerFault.exe
PID 1076 wrote to memory of 1120 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 1076 wrote to memory of 4824 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 1076 wrote to memory of 4244 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\BackgroundTransferHost.exe
PID 1076 wrote to memory of 1552 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 1076 wrote to memory of 2176 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 1076 wrote to memory of 1648 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\BackgroundTransferHost.exe
PID 1076 wrote to memory of 2524 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 1076 wrote to memory of 1036 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 1076 wrote to memory of 2816 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\backgroundTaskHost.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Users\Admin\AppData\Local\Temp\NEAS.a3f4e45e9e12eb439bae0b3c5a5ef560.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.a3f4e45e9e12eb439bae0b3c5a5ef560.exe"

C:\Windows\SysWOW64\winver.exe

winver

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3676 -s 1000

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3244 -s 960

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 brureservtestot.cc udp
US 8.8.8.8:53 qytufpscigbb.com udp
US 216.218.185.162:80 qytufpscigbb.com tcp
US 8.8.8.8:53 qytufpscigbb.net udp
US 8.8.8.8:53 162.185.218.216.in-addr.arpa udp
US 216.218.185.162:80 qytufpscigbb.net tcp
US 8.8.8.8:53 qytufpscigbb.in udp
US 216.218.185.162:80 qytufpscigbb.in tcp
US 8.8.8.8:53 qytufpscigbb.ru udp
US 162.249.66.125:80 qytufpscigbb.ru tcp
US 8.8.8.8:53 ghoyvkjbnldc.com udp
US 216.218.185.162:80 ghoyvkjbnldc.com tcp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp

Files

memory/1928-0-0x0000000001440000-0x0000000001442000-memory.dmp

memory/1928-1-0x0000000002DF0000-0x00000000037F0000-memory.dmp

memory/1076-3-0x00000000027D0000-0x00000000027D6000-memory.dmp

memory/1076-2-0x00000000004D0000-0x00000000004E2000-memory.dmp

memory/1076-5-0x00000000027D0000-0x00000000027D6000-memory.dmp

memory/1076-7-0x00000000027D0000-0x00000000027D6000-memory.dmp

memory/3100-6-0x00000000030A0000-0x00000000030A6000-memory.dmp

memory/3100-8-0x00007FF914B4D000-0x00007FF914B4E000-memory.dmp

memory/1076-9-0x0000000077592000-0x0000000077593000-memory.dmp

memory/2448-10-0x0000000000230000-0x0000000000236000-memory.dmp

memory/2480-11-0x0000000000290000-0x0000000000296000-memory.dmp

memory/2768-12-0x0000000000850000-0x0000000000856000-memory.dmp

memory/2448-13-0x0000000000230000-0x0000000000236000-memory.dmp

memory/3100-14-0x0000000003090000-0x0000000003096000-memory.dmp

memory/2480-15-0x0000000000290000-0x0000000000296000-memory.dmp

memory/3676-18-0x0000000000530000-0x0000000000536000-memory.dmp

memory/3408-16-0x0000000000C20000-0x0000000000C26000-memory.dmp

memory/2768-17-0x0000000000850000-0x0000000000856000-memory.dmp

memory/3100-19-0x0000000003090000-0x0000000003096000-memory.dmp

memory/3816-20-0x0000000000680000-0x0000000000686000-memory.dmp

memory/3408-22-0x0000000000C20000-0x0000000000C26000-memory.dmp

memory/3884-21-0x0000000000B40000-0x0000000000B46000-memory.dmp

memory/3816-24-0x0000000000680000-0x0000000000686000-memory.dmp

memory/3500-25-0x00000000007E0000-0x00000000007E6000-memory.dmp

memory/4028-23-0x0000000000D20000-0x0000000000D26000-memory.dmp

memory/3884-26-0x0000000000B40000-0x0000000000B46000-memory.dmp

memory/4256-27-0x0000000000010000-0x0000000000016000-memory.dmp

memory/4856-28-0x0000000000910000-0x0000000000916000-memory.dmp

memory/1928-29-0x0000000002DF0000-0x00000000037F0000-memory.dmp

memory/4256-30-0x0000000000010000-0x0000000000016000-memory.dmp

memory/4856-32-0x0000000000910000-0x0000000000916000-memory.dmp

memory/3912-33-0x0000000000960000-0x0000000000966000-memory.dmp

memory/3500-31-0x00000000007E0000-0x00000000007E6000-memory.dmp

memory/3172-34-0x0000000000750000-0x0000000000756000-memory.dmp

memory/4432-35-0x00000000007D0000-0x00000000007D6000-memory.dmp

memory/4432-36-0x00000000007D0000-0x00000000007D6000-memory.dmp

memory/1076-37-0x0000000002C90000-0x0000000002C96000-memory.dmp

memory/1076-38-0x0000000002C90000-0x0000000002C96000-memory.dmp

memory/1928-39-0x0000000000400000-0x0000000000DC7000-memory.dmp

memory/3100-40-0x00007FF914CC0000-0x00007FF914CC1000-memory.dmp

memory/5008-42-0x00000000006D0000-0x00000000006D6000-memory.dmp

memory/4432-55-0x00007FF914CE0000-0x00007FF914CE1000-memory.dmp

memory/5008-56-0x00007FF914CC0000-0x00007FF914CC1000-memory.dmp

memory/3776-57-0x0000000000AC0000-0x0000000000AC6000-memory.dmp

memory/3776-58-0x0000000000AC0000-0x0000000000AC6000-memory.dmp

memory/3776-59-0x00007FF914CE0000-0x00007FF914CE1000-memory.dmp

memory/5008-62-0x00007FF914CD0000-0x00007FF914CD1000-memory.dmp

memory/4432-69-0x00007FF914CD0000-0x00007FF914CD1000-memory.dmp

memory/4432-71-0x00007FF914CC0000-0x00007FF914CC1000-memory.dmp

memory/3816-72-0x00007FF914CC0000-0x00007FF914CC1000-memory.dmp

memory/3776-73-0x00007FF914CD0000-0x00007FF914CD1000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat

MD5 8a500f668ffcf72023c003373e14905d
SHA1 a437c4ec7ae467ff15f387e207de8a5f108ee84f
SHA256 41475a965928bf6d532e643c4a07b55099f042887766f638f69c062e902c8580
SHA512 0a5e8038c0995d822a7c87ed7dfd4a370f53a98346185e5b4f05ecbc7da6bbd0f5989471d85a65ea61e8a3700d63b46799c1dcc234ba15d8e5b04d57cfca795a

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat

MD5 74ee52a00f03d79c9c0ff6306e81e9a7
SHA1 8d5300c915739fe5dc428949acd10b461e6c5581
SHA256 7eef6ad2bca45c94e14d1875cecd7b9cfb38f34797fd87117f9618993ddc24a7
SHA512 4316dc203ec28f469c047236aaab64f562de753e03468c22cc97aa11f14ccc0575ce73611658fe6e0b19d6c7d0681a26c0161b6ce091be7e343fe6e796761a9c

memory/4416-90-0x0000000000190000-0x0000000000196000-memory.dmp

memory/3244-89-0x00000000000A0000-0x00000000000A6000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\88000045\1699793380

MD5 e4ef64225f1cebb14817a18fad1d1fac
SHA1 92ee2bb6f1541b069124c9035b49f1931031a566
SHA256 9601b59a5f0f5d99fa341b79d6e5ceba554f1dbe6d070f9384cfd5c0304d4638
SHA512 632fdbfea24a5d6084f1bd352487e98696b28404bec9817c23d7506ba4c45d41b70307d03744923260ff5bd5187dbbd55756ca9b039e9e3ae8d1c004c526642e

memory/3696-112-0x0000000000E70000-0x0000000000E76000-memory.dmp

memory/3696-113-0x0000000000E70000-0x0000000000E76000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\280815\1699793380

MD5 250a04505ca31df1d7998c202862318e
SHA1 ce96d060d0f42eca05f1e26857211389275d7273
SHA256 c76003040ca8647bfa26d90e9b9284d94a409f1f70b47483a1cb808be0c39d63
SHA512 533221d0f99521b98dfdf60010e66310a07119450d8b69fcaaa04a6f43046f10928d00c368647f27ed5282d2a85f0562f72ec76a31c76238178d80425d587b2a

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338389\b659a045c9bb4c4fa13f1a7687f968b7_1

MD5 b0a070916145e1eb2d59ce9dd68f82f8
SHA1 20efa315bc32e81185786128511e5fb500e03e7b
SHA256 1c2d46c1ff3585a74c48408318b5dd91ccddc9e25377dde4378c34a82ec96651
SHA512 114f99585084d37fdeea018dbc1396a0118089d987115defed15a7098259b815e8dc1beb92c1ab96775c99fd70d36dedc6434599b476ffa39d16c05c5cb7f742

memory/3696-131-0x00007FF914CC0000-0x00007FF914CC1000-memory.dmp

memory/3696-134-0x00007FF914CD0000-0x00007FF914CD1000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat

MD5 40bf8fd54bf4b33dd5831e97a07fb1c4
SHA1 d9639bb5e182c65e09bbbd88236eeffaead1606b
SHA256 a601d4220f99cf811cc0b61b7861f1466758ca062b69cdb855111419b7e07a2f
SHA512 5164ab75d63ef715f63e9b0e04c6a482ef93ed73566eb520603e69bcd24daea713f5165a265b420c0c7b190227b8b7401a3b25db4b0a8fcd0c6fbb1e9bdd8306

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338387\1699793380

MD5 638512b43d2d91b6e468034c8bc873a5
SHA1 01704fbe3748bc6c437ac45e13cbcd54f02a6575
SHA256 31394914e1f8509d9a831143bbd522669b04bcd757053442180bb744dcbab853
SHA512 cf21a61cc91e5b256b2927870450386abd95ae3de57aa9c2c9ea23a5d679ab23466938c2e68c2bc742e27aa02833a7707f5db263f60494595d53292c1e9d1c42

memory/3884-160-0x00007FF914CC0000-0x00007FF914CC1000-memory.dmp

memory/3884-161-0x00007FF914CE0000-0x00007FF914CE1000-memory.dmp

memory/3884-162-0x00007FF914CD0000-0x00007FF914CD1000-memory.dmp

memory/3816-163-0x00007FF914CD0000-0x00007FF914CD1000-memory.dmp

memory/2448-164-0x00007FF914CD0000-0x00007FF914CD1000-memory.dmp

memory/1120-165-0x0000000000B10000-0x0000000000B16000-memory.dmp

memory/4824-166-0x0000000000CE0000-0x0000000000CE6000-memory.dmp

memory/4244-169-0x0000000000860000-0x0000000000866000-memory.dmp

memory/4244-170-0x0000000000860000-0x0000000000866000-memory.dmp

memory/1552-186-0x0000000000A00000-0x0000000000A06000-memory.dmp

memory/2176-187-0x0000000000E80000-0x0000000000E86000-memory.dmp

memory/1648-190-0x0000000000BD0000-0x0000000000BD6000-memory.dmp

memory/1648-191-0x0000000000BD0000-0x0000000000BD6000-memory.dmp

memory/2524-193-0x0000000000B00000-0x0000000000B06000-memory.dmp

memory/1036-194-0x00000000008A0000-0x00000000008A6000-memory.dmp

memory/3100-198-0x00007FF914CD0000-0x00007FF914CD1000-memory.dmp

memory/2816-199-0x0000000000460000-0x0000000000466000-memory.dmp

memory/2816-200-0x0000000000460000-0x0000000000466000-memory.dmp

memory/2816-201-0x00007FF914CE0000-0x00007FF914CE1000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\280815\1699793380

MD5 250a04505ca31df1d7998c202862318e
SHA1 ce96d060d0f42eca05f1e26857211389275d7273
SHA256 c76003040ca8647bfa26d90e9b9284d94a409f1f70b47483a1cb808be0c39d63
SHA512 533221d0f99521b98dfdf60010e66310a07119450d8b69fcaaa04a6f43046f10928d00c368647f27ed5282d2a85f0562f72ec76a31c76238178d80425d587b2a

memory/2816-203-0x00007FF914CD0000-0x00007FF914CD1000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\88000045\1699793380

MD5 e4ef64225f1cebb14817a18fad1d1fac
SHA1 92ee2bb6f1541b069124c9035b49f1931031a566
SHA256 9601b59a5f0f5d99fa341b79d6e5ceba554f1dbe6d070f9384cfd5c0304d4638
SHA512 632fdbfea24a5d6084f1bd352487e98696b28404bec9817c23d7506ba4c45d41b70307d03744923260ff5bd5187dbbd55756ca9b039e9e3ae8d1c004c526642e