Malware Analysis Report

2025-01-19 07:24

Sample ID 231213-q2zbgsdeck
Target 0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d
SHA256 0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d
Tags
tinba banker persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d

Threat Level: Known bad

The file 0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d was found to be: Known bad.

Malicious Activity Summary

tinba banker persistence trojan

Tinba / TinyBanker

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-13 13:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-13 13:46

Reported

2023-12-13 13:48

Platform

win7-20231130-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe"

Signatures

Tinba / TinyBanker

trojan banker tinba

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\A0A5228C = "C:\\Users\\Admin\\AppData\\Roaming\\A0A5228C\\bin.exe" C:\Windows\SysWOW64\winver.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Explorer.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Explorer.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\Explorer.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupView = "0" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).bottom = "661" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).bottom = "672" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).y = "4294967295" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1454" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000000000001000000ffffffff C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).y = "4294967295" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616193" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).x = "4294967295" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).x = "4294967295" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9} C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "4" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Rev = "0" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f44471a0359723fa74489c55595fe6b30ee0000 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\TV_TopViewVersion = "0" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupByDirection = "1" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1201" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\LogicalViewMode = "2" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\FFlags = "1092616209" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Rev = "0" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" C:\Windows\Explorer.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2172 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe
PID 2172 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe
PID 2172 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe
PID 2172 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe
PID 2172 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe
PID 2172 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe
PID 2172 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe
PID 2172 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe
PID 2884 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe C:\Windows\SysWOW64\winver.exe
PID 2884 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe C:\Windows\SysWOW64\winver.exe
PID 2884 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe C:\Windows\SysWOW64\winver.exe
PID 2884 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe C:\Windows\SysWOW64\winver.exe
PID 2884 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe C:\Windows\SysWOW64\winver.exe
PID 2960 wrote to memory of 1376 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\Explorer.EXE
PID 2960 wrote to memory of 1272 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\taskhost.exe
PID 2960 wrote to memory of 1340 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\Dwm.exe
PID 2960 wrote to memory of 1376 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\Explorer.EXE
PID 2960 wrote to memory of 2020 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 1376 wrote to memory of 2500 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 1376 wrote to memory of 2500 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 1376 wrote to memory of 2500 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 1376 wrote to memory of 2500 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 2960 wrote to memory of 2940 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 2960 wrote to memory of 2552 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe

"C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe

C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe

C:\Windows\SysWOW64\winver.exe

winver

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Network

Country Destination Domain Proto
US 8.8.8.8:53 elitiorecfreetoo.cc udp
US 8.8.8.8:53 elitiorecfreetoo.cc udp
US 8.8.8.8:53 elitiorecfreetoo.cc udp
US 8.8.8.8:53 elitiorecfreetoo.cc udp
US 8.8.8.8:53 elitiorecfreetoo.cc udp
US 8.8.8.8:53 elitiorecfreetoo.cc udp
US 8.8.8.8:53 elitiorecfreetoo.cc udp
US 8.8.8.8:53 elitiorecfreetoo.cc udp
US 8.8.8.8:53 elitiorecfreetoo.cc udp
US 8.8.8.8:53 elitiorecfreetoo.cc udp
US 8.8.8.8:53 elitiorecfreetoo.cc udp
US 8.8.8.8:53 elitiorecfreetoo.cc udp

Files

memory/2884-0-0x00000000001B0000-0x00000000002AA000-memory.dmp

memory/2172-2-0x0000000000390000-0x0000000000394000-memory.dmp

memory/2884-3-0x0000000000400000-0x000000000149A000-memory.dmp

memory/2884-5-0x0000000000400000-0x000000000149A000-memory.dmp

memory/2884-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2884-9-0x0000000000400000-0x000000000149A000-memory.dmp

memory/2884-11-0x00000000018B0000-0x00000000022B0000-memory.dmp

memory/1376-10-0x00000000025C0000-0x00000000025C6000-memory.dmp

memory/2960-13-0x00000000000B0000-0x00000000000B6000-memory.dmp

memory/1376-14-0x00000000025C0000-0x00000000025C6000-memory.dmp

memory/1376-12-0x00000000025C0000-0x00000000025C6000-memory.dmp

memory/2960-21-0x0000000077E30000-0x0000000077E31000-memory.dmp

memory/2960-20-0x0000000077E2F000-0x0000000077E31000-memory.dmp

memory/2960-19-0x0000000077E2F000-0x0000000077E30000-memory.dmp

memory/1376-18-0x0000000077C81000-0x0000000077C82000-memory.dmp

memory/2960-17-0x00000000000B0000-0x00000000000B6000-memory.dmp

memory/2960-15-0x00000000000C0000-0x00000000000D6000-memory.dmp

memory/2884-23-0x0000000000400000-0x0000000000404400-memory.dmp

memory/1272-26-0x0000000000410000-0x0000000000416000-memory.dmp

memory/2020-34-0x0000000000340000-0x0000000000346000-memory.dmp

memory/2960-45-0x0000000000620000-0x0000000000626000-memory.dmp

memory/2020-44-0x0000000077C81000-0x0000000077C82000-memory.dmp

memory/2020-43-0x0000000000340000-0x0000000000346000-memory.dmp

memory/1376-42-0x00000000025D0000-0x00000000025D6000-memory.dmp

memory/2960-41-0x0000000000210000-0x0000000000211000-memory.dmp

memory/1340-40-0x0000000001EA0000-0x0000000001EA6000-memory.dmp

memory/1272-39-0x0000000077C81000-0x0000000077C82000-memory.dmp

memory/1272-38-0x0000000000410000-0x0000000000416000-memory.dmp

memory/2960-37-0x0000000000620000-0x0000000000626000-memory.dmp

memory/1376-32-0x00000000025D0000-0x00000000025D6000-memory.dmp

memory/1340-29-0x0000000001EA0000-0x0000000001EA6000-memory.dmp

memory/1376-51-0x0000000077E10000-0x0000000077E11000-memory.dmp

memory/1376-53-0x0000000077E20000-0x0000000077E21000-memory.dmp

memory/1376-54-0x0000000077DF0000-0x0000000077DF1000-memory.dmp

memory/1376-56-0x0000000077DE0000-0x0000000077DE1000-memory.dmp

memory/2500-59-0x0000000000060000-0x0000000000066000-memory.dmp

memory/2500-60-0x0000000077C30000-0x0000000077DD9000-memory.dmp

memory/2500-61-0x0000000077C30000-0x0000000077DD9000-memory.dmp

memory/2500-62-0x0000000077DF0000-0x0000000077DF1000-memory.dmp

memory/2500-63-0x0000000077E00000-0x0000000077E01000-memory.dmp

memory/2500-65-0x0000000077C30000-0x0000000077DD9000-memory.dmp

memory/2940-69-0x0000000077C81000-0x0000000077C82000-memory.dmp

memory/2940-68-0x00000000006B0000-0x00000000006B6000-memory.dmp

memory/2552-73-0x0000000000200000-0x0000000000206000-memory.dmp

memory/2552-74-0x0000000000200000-0x0000000000206000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-13 13:46

Reported

2023-12-13 13:48

Platform

win10v2004-20231127-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

Signatures

Tinba / TinyBanker

trojan banker tinba

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4202DCA9 = "C:\\Users\\Admin\\AppData\\Roaming\\4202DCA9\\bin.exe" C:\Windows\SysWOW64\winver.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\backgroundTaskHost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\backgroundTaskHost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\Explorer.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1b982540-3e51-4d43 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\87b2fa6d-0118-4e40 = 72408acbca2dda01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3421f51b-9cff-4074 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f80cb859f6720028040b29b5540cc05aab60000 C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Rev = "0" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\87b2fa6d-0118-4e40 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616193" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1b982540-3e51-4d43 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a2816404-ef5b-47d1 = 83c36acbca2dda01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1b982540-3e51-4d43 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1b982540-3e51-4d43 = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1b982540-3e51-4d43 = "\\\\?\\Volume{CAED271F-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\27e6f3212be8a4be84b7cd35750e082dbefcd92d9c87f156dad2ff428a4e27a3" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\87b2fa6d-0118-4e40 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\87b2fa6d-0118-4e40 = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259} C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\system32\backgroundTaskHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3421f51b-9cff-4074 = "\\\\?\\Volume{CAED271F-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\1c39350f5b83d85cf0fa31118982c42db4252426c3c0dc16d6679b0c0ed2bb17" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\52799b3b-4b8a-41d3 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\52799b3b-4b8a-41d3 = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\system32\backgroundTaskHost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\backgroundTaskHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = "48" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "3" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616193" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3421f51b-9cff-4074 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\03f1ad68-b97b-4286 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\03f1ad68-b97b-4286 = "\\\\?\\Volume{CAED271F-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\960a12ac869fa5e529756ddcf41e10482fd7592755f9558b8e5cd419d88974a7" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1b982540-3e51-4d43 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID = "{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Documents" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1b982540-3e51-4d43 = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a2816404-ef5b-47d1 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A (62 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\backgroundTaskHost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\winver.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2252 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe (7 identical rows)
PID 1632 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe C:\Windows\SysWOW64\winver.exe (4 identical rows)
PID 2984 wrote to memory of 3292 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\Explorer.EXE
PID 2984 wrote to memory of 2768 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\sihost.exe
PID 2984 wrote to memory of 2792 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\svchost.exe
PID 2984 wrote to memory of 2940 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\taskhostw.exe
PID 2984 wrote to memory of 3292 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\Explorer.EXE
PID 2984 wrote to memory of 3520 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\svchost.exe
PID 2984 wrote to memory of 3708 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 2984 wrote to memory of 3820 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2984 wrote to memory of 3944 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\System32\RuntimeBroker.exe
PID 2984 wrote to memory of 2212 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2984 wrote to memory of 4176 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\System32\RuntimeBroker.exe
PID 2984 wrote to memory of 4884 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2984 wrote to memory of 2580 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\System32\RuntimeBroker.exe
PID 2984 wrote to memory of 2508 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2984 wrote to memory of 3960 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2984 wrote to memory of 4080 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2984 wrote to memory of 4040 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\System32\RuntimeBroker.exe
PID 2984 wrote to memory of 3068 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\System32\RuntimeBroker.exe
PID 2984 wrote to memory of 3848 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 2984 wrote to memory of 3100 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\System32\wuapihost.exe
PID 2984 wrote to memory of 4708 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 2984 wrote to memory of 1524 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 2984 wrote to memory of 212 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 2984 wrote to memory of 4912 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 2984 wrote to memory of 3776 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 2984 wrote to memory of 956 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 2984 wrote to memory of 4788 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2984 wrote to memory of 4372 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 2984 wrote to memory of 1972 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 2984 wrote to memory of 5116 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2984 wrote to memory of 4252 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 2984 wrote to memory of 1620 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 2984 wrote to memory of 3616 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 2984 wrote to memory of 1056 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 2984 wrote to memory of 3108 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 2984 wrote to memory of 4548 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2984 wrote to memory of 2660 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 2984 wrote to memory of 1488 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe

Processes

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe

"C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe

C:\Users\Admin\AppData\Local\Temp\0016ab01b0d44098f96709018d5a9e75641bf622aae9ff108e285d9656a35b8d.exe

C:\Windows\SysWOW64\winver.exe

winver

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\System32\wuapihost.exe

C:\Windows\System32\wuapihost.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

Network

Country Destination Domain Proto
US 8.8.8.8:53 83.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 elitiorecfreetoo.cc udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 216.218.185.162:80 elitiorecfreetoo.cc tcp
US 8.8.8.8:53 162.185.218.216.in-addr.arpa udp
US 8.8.8.8:53 ljjskttqximu.com udp
US 8.8.8.8:53 ljjskttqximu.net udp
US 8.8.8.8:53 ljjskttqximu.in udp
US 216.218.185.162:80 ljjskttqximu.in tcp
US 8.8.8.8:53 ljjskttqximu.ru udp
US 162.249.66.138:80 ljjskttqximu.ru tcp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 fovcpylsiqvv.com udp
US 216.218.185.162:80 fovcpylsiqvv.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp

Files


C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\310091\1702475194


C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\1702475194


C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338387\1702475194



C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338388\5272045e957d4ccaa0eb8c3a74b7e2fc_1


C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat


C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat


C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat


C:\Users\Admin\AppData\Local\Packages\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53


C:\Users\Admin\AppData\Local\Packages\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53


C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338389\1702475230
