Analysis
max time kernel: 168s
max time network: 188s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-10-2023 08:57
Behavioral task: behavioral1
Sample: NEAS.accc17f3d435ca7f42ef85350778ef10.exe
Resource: win7-20231020-en
Behavioral task: behavioral2
Sample: NEAS.accc17f3d435ca7f42ef85350778ef10.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.accc17f3d435ca7f42ef85350778ef10.exe
Size: 45KB
MD5: accc17f3d435ca7f42ef85350778ef10
SHA1: 1fc2ed1d5bf657c512a5fdc5451870ca8d7056ca
SHA256: a9ff6094d450c265a3d3cc5e31f03209650a57edd809636300ea482a31652987
SHA512: 915663e041ef188c358ebcdaef3cff62d520d869e49a193a9f1025a6c006fc4c2ce7426c9213bc9422b39de1218015deeddb11fa08d47a45dc96c032a9352c86
SSDEEP: 768:BhP0kDE9N5dCA8J7VHXdrIniQaBTT+QQ+r1n4K8+C9TtIuCjaqUODvJVQ2f:7sWE9N5dFu53dsniQaB/xZ14n7zIF+qr
Malware Config
Signatures
resource | yara_rule
behavioral2/memory/3916-0-0x0000000000400000-0x000000000041D000-memory.dmp | upx
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\D669E8BA = "C:\\Users\\Admin\\AppData\\Roaming\\D669E8BA\\bin.exe" | winver.exe
Checks processor information in registry 2 TTPs 9 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Enumerates system info in registry 2 TTPs 6 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Modifies registry class 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | backgroundTaskHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | backgroundTaskHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | backgroundTaskHost.exe
Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\MuiCache | backgroundTaskHost.exe
Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\MuiCache | backgroundTaskHost.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 4384 WerFault.exe 4384 WerFault.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe 3764 winver.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3232 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeShutdownPrivilege 3232 Explorer.EXE Token: SeCreatePagefilePrivilege 3232 Explorer.EXE Token: SeShutdownPrivilege 3232 Explorer.EXE Token: SeCreatePagefilePrivilege 3232 Explorer.EXE Token: SeDebugPrivilege 4976 backgroundTaskHost.exe Token: SeShutdownPrivilege 3232 Explorer.EXE Token: SeCreatePagefilePrivilege 3232 Explorer.EXE Token: SeDebugPrivilege 4976 backgroundTaskHost.exe Token: SeDebugPrivilege 4976 backgroundTaskHost.exe Token: SeDebugPrivilege 4976 backgroundTaskHost.exe Token: SeShutdownPrivilege 3232 Explorer.EXE Token: SeCreatePagefilePrivilege 3232 Explorer.EXE Token: SeShutdownPrivilege 3232 Explorer.EXE Token: SeCreatePagefilePrivilege 3232 Explorer.EXE Token: SeShutdownPrivilege 1712 DllHost.exe Token: SeCreatePagefilePrivilege 1712 DllHost.exe Token: SeShutdownPrivilege 3232 Explorer.EXE Token: SeCreatePagefilePrivilege 3232 Explorer.EXE Token: SeShutdownPrivilege 3232 Explorer.EXE Token: SeCreatePagefilePrivilege 3232 Explorer.EXE Token: SeShutdownPrivilege 1944 DllHost.exe Token: SeCreatePagefilePrivilege 1944 DllHost.exe Token: SeShutdownPrivilege 3232 Explorer.EXE Token: SeCreatePagefilePrivilege 3232 Explorer.EXE Token: SeShutdownPrivilege 3232 Explorer.EXE Token: SeCreatePagefilePrivilege 3232 Explorer.EXE Token: SeShutdownPrivilege 3232 Explorer.EXE Token: SeCreatePagefilePrivilege 3232 Explorer.EXE Token: SeShutdownPrivilege 1768 DllHost.exe Token: SeCreatePagefilePrivilege 1768 DllHost.exe Token: SeShutdownPrivilege 3232 Explorer.EXE Token: SeCreatePagefilePrivilege 3232 Explorer.EXE Token: SeShutdownPrivilege 3232 Explorer.EXE Token: SeCreatePagefilePrivilege 3232 Explorer.EXE Token: SeShutdownPrivilege 3928 RuntimeBroker.exe Token: SeShutdownPrivilege 3928 RuntimeBroker.exe Token: SeDebugPrivilege 1104 backgroundTaskHost.exe Token: SeDebugPrivilege 1104 backgroundTaskHost.exe Token: SeDebugPrivilege 1104 backgroundTaskHost.exe Token: SeShutdownPrivilege 3232 Explorer.EXE Token: SeCreatePagefilePrivilege 
3232 Explorer.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3764 winver.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 3232 Explorer.EXE 4184 TextInputHost.exe -
Suspicious use of WriteProcessMemory 42 IoCs
description pid Process procid_target PID 3916 wrote to memory of 3764 3916 NEAS.accc17f3d435ca7f42ef85350778ef10.exe 92 PID 3916 wrote to memory of 3764 3916 NEAS.accc17f3d435ca7f42ef85350778ef10.exe 92 PID 3916 wrote to memory of 3764 3916 NEAS.accc17f3d435ca7f42ef85350778ef10.exe 92 PID 3916 wrote to memory of 3764 3916 NEAS.accc17f3d435ca7f42ef85350778ef10.exe 92 PID 3764 wrote to memory of 3232 3764 winver.exe 56 PID 3764 wrote to memory of 2336 3764 winver.exe 67 PID 3764 wrote to memory of 2352 3764 winver.exe 23 PID 3764 wrote to memory of 2484 3764 winver.exe 64 PID 3764 wrote to memory of 3232 3764 winver.exe 56 PID 3764 wrote to memory of 3436 3764 winver.exe 55 PID 3764 wrote to memory of 3652 3764 winver.exe 54 PID 3764 wrote to memory of 3868 3764 winver.exe 53 PID 3764 wrote to memory of 3928 3764 winver.exe 27 PID 3764 wrote to memory of 4020 3764 winver.exe 52 PID 3764 wrote to memory of 2116 3764 winver.exe 51 PID 3764 wrote to memory of 5048 3764 winver.exe 49 PID 3764 wrote to memory of 4184 3764 winver.exe 29 PID 3764 wrote to memory of 1300 3764 winver.exe 37 PID 3764 wrote to memory of 3772 3764 winver.exe 36 PID 3764 wrote to memory of 4960 3764 winver.exe 87 PID 3764 wrote to memory of 1528 3764 winver.exe 89 PID 3764 wrote to memory of 4384 3764 winver.exe 96 PID 3764 wrote to memory of 4976 3764 winver.exe 97 PID 3764 wrote to memory of 3704 3764 winver.exe 100 PID 3764 wrote to memory of 3684 3764 winver.exe 102 PID 3764 wrote to memory of 5032 3764 winver.exe 106 PID 3764 wrote to memory of 4936 3764 winver.exe 107 PID 3764 wrote to memory of 1712 3764 winver.exe 108 PID 3764 wrote to memory of 692 3764 winver.exe 110 PID 3764 wrote to memory of 4444 3764 winver.exe 113 PID 3764 wrote to memory of 1944 3764 winver.exe 114 PID 3764 wrote to memory of 3504 3764 winver.exe 119 PID 3764 wrote to memory of 1432 3764 winver.exe 120 PID 3764 wrote to memory of 2428 3764 winver.exe 124 PID 3764 wrote to memory of 592 3764 winver.exe 125 PID 
3764 wrote to memory of 2908 3764 winver.exe 127 PID 3764 wrote to memory of 1768 3764 winver.exe 128 PID 3764 wrote to memory of 2372 3764 winver.exe 131 PID 3764 wrote to memory of 1996 3764 winver.exe 132 PID 3764 wrote to memory of 408 3764 winver.exe 133 PID 3764 wrote to memory of 4152 3764 winver.exe 135 PID 3764 wrote to memory of 1104 3764 winver.exe 137
Processes
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2352

C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Suspicious use of AdjustPrivilegeToken
  PID: 3928

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  - Suspicious use of UnmapMainImage
  PID: 4184

C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
  PID: 3772

C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  PID: 1300

C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 5048

C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 2116

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 4020

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3868

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3652

    C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 3652 -s 976
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      PID: 4384

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3436

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID: 3232

    C:\Users\Admin\AppData\Local\Temp\NEAS.accc17f3d435ca7f42ef85350778ef10.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.accc17f3d435ca7f42ef85350778ef10.exe"
      - Suspicious use of WriteProcessMemory
      PID: 3916

        C:\Windows\SysWOW64\winver.exe
          Command line: winver
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
          PID: 3764

C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2484

C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2336

C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4960

C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 1528

C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 4976

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  PID: 3704

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3684

    C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 3684 -s 748
      PID: 5032

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  PID: 4936

    C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 4936 -s 680
      - Checks processor information in registry
      - Enumerates system info in registry
      PID: 692

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - Suspicious use of AdjustPrivilegeToken
  PID: 1712

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  PID: 4444

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - Suspicious use of AdjustPrivilegeToken
  PID: 1944

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  PID: 3504

    C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 3504 -s 964
      - Checks processor information in registry
      - Enumerates system info in registry
      PID: 2428

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 1432

    C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 1432 -s 840
      PID: 592

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  PID: 2908

    C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 2908 -s 680
      PID: 1996

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - Suspicious use of AdjustPrivilegeToken
  PID: 1768

    C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 1768 -s 784
      PID: 2372

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 408

    C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 408 -s 476
      PID: 4152

C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 1104
Network
MITRE ATT&CK Enterprise v15
Downloads