Malware Analysis Report

2025-01-19 07:28

Sample ID 231101-rgddysdh98
Target NEAS.58fedc8422ca6adf2b137d0679c375c0.exe
SHA256 6062125c6db4cc69fb9d78b3307338d1ee1887325a6f6826694fd2507bc343d1
Tags
tinba banker persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6062125c6db4cc69fb9d78b3307338d1ee1887325a6f6826694fd2507bc343d1

Threat Level: Known bad

The file NEAS.58fedc8422ca6adf2b137d0679c375c0.exe was found to be: Known bad.

Malicious Activity Summary

tinba banker persistence trojan

Tinba / TinyBanker

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-01 14:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-01 14:09

Reported

2023-11-01 17:10

Platform

win7-20231020-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.58fedc8422ca6adf2b137d0679c375c0.exe"

Signatures

Tinba / TinyBanker

trojan banker tinba

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\901FC304 = "C:\\Users\\Admin\\AppData\\Roaming\\901FC304\\bin.exe" C:\Windows\SysWOW64\winver.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 372 set thread context of 2184 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.58fedc8422ca6adf2b137d0679c375c0.exe C:\Users\Admin\AppData\Local\Temp\NEAS.58fedc8422ca6adf2b137d0679c375c0.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\winver.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.58fedc8422ca6adf2b137d0679c375c0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 372 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.58fedc8422ca6adf2b137d0679c375c0.exe C:\Users\Admin\AppData\Local\Temp\NEAS.58fedc8422ca6adf2b137d0679c375c0.exe
PID 2184 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.58fedc8422ca6adf2b137d0679c375c0.exe C:\Windows\SysWOW64\winver.exe
PID 2348 wrote to memory of 1272 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\Explorer.EXE
PID 2348 wrote to memory of 1136 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\taskhost.exe
PID 2348 wrote to memory of 1192 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\Dwm.exe
PID 2348 wrote to memory of 1272 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\Explorer.EXE
PID 2348 wrote to memory of 1724 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.58fedc8422ca6adf2b137d0679c375c0.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.58fedc8422ca6adf2b137d0679c375c0.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\SysWOW64\winver.exe

winver

C:\Users\Admin\AppData\Local\Temp\NEAS.58fedc8422ca6adf2b137d0679c375c0.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.58fedc8422ca6adf2b137d0679c375c0.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 recdataoneveter.cc udp
US 216.218.185.162:80 recdataoneveter.cc tcp
US 8.8.8.8:53 diiqngijkpop.com udp
US 216.218.185.162:80 diiqngijkpop.com tcp

Files

memory/2184-2-0x0000000000400000-0x0000000000405000-memory.dmp

memory/2184-4-0x0000000000510000-0x0000000000F10000-memory.dmp

memory/2348-6-0x0000000000180000-0x0000000000186000-memory.dmp

memory/1272-5-0x0000000002970000-0x0000000002976000-memory.dmp

memory/2348-15-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2348-14-0x00000000003E0000-0x00000000003F6000-memory.dmp

memory/1272-13-0x0000000077BD1000-0x0000000077BD2000-memory.dmp

memory/2348-12-0x0000000077D80000-0x0000000077D81000-memory.dmp

memory/1272-9-0x0000000002970000-0x0000000002976000-memory.dmp

memory/2348-8-0x0000000077D7F000-0x0000000077D80000-memory.dmp

memory/2348-7-0x0000000000180000-0x0000000000186000-memory.dmp

memory/2348-11-0x0000000000180000-0x0000000000186000-memory.dmp

memory/2348-10-0x0000000077D7F000-0x0000000077D81000-memory.dmp

memory/1272-3-0x0000000002970000-0x0000000002976000-memory.dmp

memory/2184-18-0x0000000000510000-0x0000000000F10000-memory.dmp

memory/1724-27-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1724-33-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1724-32-0x0000000077BD1000-0x0000000077BD2000-memory.dmp

memory/1272-31-0x0000000002980000-0x0000000002986000-memory.dmp

memory/1192-30-0x0000000001AA0000-0x0000000001AA6000-memory.dmp

memory/1136-29-0x0000000077BD1000-0x0000000077BD2000-memory.dmp

memory/1136-28-0x0000000000410000-0x0000000000416000-memory.dmp

memory/1272-25-0x0000000002980000-0x0000000002986000-memory.dmp

memory/1192-22-0x0000000001AA0000-0x0000000001AA6000-memory.dmp

memory/1136-20-0x0000000000410000-0x0000000000416000-memory.dmp

memory/2348-39-0x0000000000180000-0x0000000000186000-memory.dmp

memory/1272-40-0x0000000077D60000-0x0000000077D61000-memory.dmp

memory/2348-41-0x00000000001D0000-0x00000000001D1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-01 14:09

Reported

2023-11-01 17:09

Platform

win10v2004-20231023-en

Max time kernel

119s

Max time network

175s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

Tinba / TinyBanker

trojan banker tinba

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\F9EF627E = "C:\\Users\\Admin\\AppData\\Roaming\\F9EF627E\\bin.exe" C:\Windows\SysWOW64\winver.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3540 set thread context of 4524 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.58fedc8422ca6adf2b137d0679c375c0.exe C:\Users\Admin\AppData\Local\Temp\NEAS.58fedc8422ca6adf2b137d0679c375c0.exe

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\backgroundTaskHost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\backgroundTaskHost.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0f600d4b-f369-4b65- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d3df10a1-4ab1-44ed- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\f19a4b7b4ded9da56d435c1cd7e35f8b799280edea93ce8b48f7fabee2384b71" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\63ba3905-79ba-44a2- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\63ba3905-79ba-44a2- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\525cd93bb393d7b0e106362f6999d7cd798420e59d97dab167ba40b862867124" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f27eb34d-081d-40f9- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\51b0e21b-0a31-4fb6- = 6ab155ffe50cda01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\950d2fb4-4bc1-40c8- C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d99c14d3-25aa-4afd- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd791fb1-59ba-446f- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ac17408b-0840-4c3d- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\f19a4b7b4ded9da56d435c1cd7e35f8b799280edea93ce8b48f7fabee2384b71" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1772a8e6-69f8-41f5- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d3df10a1-4ab1-44ed- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ac17408b-0840-4c3d- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f27eb34d-081d-40f9- = dddac110e60cda01 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\950d2fb4-4bc1-40c8- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a21ca050-90dd-4899- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\713fc7c4-79e7-496b- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\950d2fb4-4bc1-40c8- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\67933f3c-b8a1-4612- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0f600d4b-f369-4b65- C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\34f0c418-8b8d-438d- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7c5f0aea-cf74-4f24- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\system32\backgroundTaskHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0f600d4b-f369-4b65- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7c5f0aea-cf74-4f24- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\de037b1b-f299-42dd- C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\719c7c2b-647c-4621- C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\43213990-474b-448a- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\56038947-8822-43e8- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\233fb560-699d-43b5- = 21988cffe50cda01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd791fb1-59ba-446f- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a21ca050-90dd-4899- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\34f0c418-8b8d-438d- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\8e6c96a0d86824aef1d1d4b33d4c2a6ca5957a3ec1597fe38bf6c3011afe9c05" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd791fb1-59ba-446f- = a1732905e60cda01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd791fb1-59ba-446f- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ac84dcae-6c58-48df- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\525cd93bb393d7b0e106362f6999d7cd798420e59d97dab167ba40b862867124" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ac84dcae-6c58-48df- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6aa8a939-df61-4b82- = 6ffa911be60cda01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\233fb560-699d-43b5- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\34f0c418-8b8d-438d- = a4f6a8ffe50cda01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\719c7c2b-647c-4621- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f27eb34d-081d-40f9- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6aa8a939-df61-4b82- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a21ca050-90dd-4899- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\719c7c2b-647c-4621- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\963dead4f16e381ea586f8c5ede2999a518a7becee75af63eade4969e5f982c4" C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ce76d586-5385-4a3a- C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\92a3eea9-97d7-4554- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\78e12d1a-acfc-40f6- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\525cd93bb393d7b0e106362f6999d7cd798420e59d97dab167ba40b862867124" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\51b0e21b-0a31-4fb6- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\34f0c418-8b8d-438d- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1772a8e6-69f8-41f5- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\51b0e21b-0a31-4fb6- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d3df10a1-4ab1-44ed- = 649f99ffe50cda01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f27eb34d-081d-40f9- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7c5f0aea-cf74-4f24- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\963dead4f16e381ea586f8c5ede2999a518a7becee75af63eade4969e5f982c4" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0f600d4b-f369-4b65- = 3caf80ffe50cda01 C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d3df10a1-4ab1-44ed- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ac17408b-0840-4c3d- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\56038947-8822-43e8- = 71a63910e60cda01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d3df10a1-4ab1-44ed- C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f75c3424-d839-473d- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\63ba3905-79ba-44a2- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\950d2fb4-4bc1-40c8- = 47eabd04e60cda01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\de037b1b-f299-42dd- = 287de704e60cda01 C:\Windows\System32\RuntimeBroker.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\winver.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\backgroundTaskHost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\winver.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.58fedc8422ca6adf2b137d0679c375c0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3540 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.58fedc8422ca6adf2b137d0679c375c0.exe C:\Users\Admin\AppData\Local\Temp\NEAS.58fedc8422ca6adf2b137d0679c375c0.exe
PID 4524 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.58fedc8422ca6adf2b137d0679c375c0.exe C:\Windows\SysWOW64\winver.exe
PID 3056 wrote to memory of 3288 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\Explorer.EXE
PID 3056 wrote to memory of 2692 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\sihost.exe
PID 3056 wrote to memory of 2808 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\svchost.exe
PID 3056 wrote to memory of 2848 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\taskhostw.exe
PID 3056 wrote to memory of 3436 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\svchost.exe
PID 3056 wrote to memory of 3688 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 3780 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3056 wrote to memory of 3840 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\System32\RuntimeBroker.exe
PID 3056 wrote to memory of 3936 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3056 wrote to memory of 3468 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\System32\RuntimeBroker.exe
PID 3056 wrote to memory of 4428 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\System32\RuntimeBroker.exe
PID 3056 wrote to memory of 2876 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3056 wrote to memory of 3340 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3056 wrote to memory of 2092 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3056 wrote to memory of 1824 N/A C:\Windows\SysWOW64\winver.exe N/A
PID 3056 wrote to memory of 2492 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\System32\RuntimeBroker.exe
PID 3056 wrote to memory of 932 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\WerFault.exe
PID 3056 wrote to memory of 3108 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3056 wrote to memory of 2252 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\System32\RuntimeBroker.exe
PID 3056 wrote to memory of 1652 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 4584 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 4348 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 400 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 2204 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\BackgroundTransferHost.exe
PID 3056 wrote to memory of 3324 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 2548 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 1564 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\BackgroundTransferHost.exe
PID 3056 wrote to memory of 1876 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 2312 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 4572 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 3692 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 2776 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 3604 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 4532 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 5068 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 2520 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 1500 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 3356 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3056 wrote to memory of 4368 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 2596 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 1672 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 1936 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 756 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 2656 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 1636 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 2268 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 4084 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 2980 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 2796 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 3632 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 184 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 208 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 3056 wrote to memory of 4852 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.58fedc8422ca6adf2b137d0679c375c0.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.58fedc8422ca6adf2b137d0679c375c0.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\NEAS.58fedc8422ca6adf2b137d0679c375c0.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.58fedc8422ca6adf2b137d0679c375c0.exe"

C:\Windows\SysWOW64\winver.exe

winver

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3688 -s 928

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 184 -s 968

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 121.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 192.240.110.104.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 recdataoneveter.cc udp
US 216.218.185.162:80 recdataoneveter.cc tcp
US 8.8.8.8:53 diiqngijkpop.com udp
US 216.218.185.162:80 diiqngijkpop.com tcp
US 8.8.8.8:53 162.185.218.216.in-addr.arpa udp
US 8.8.8.8:53 hiwxuvuponqw.com udp
US 216.218.185.162:80 hiwxuvuponqw.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 224.162.46.104.in-addr.arpa udp

Files

SHA512 4dcc6a2fcf7e60b487be881219bb1ec737be165b57b1b5418d4818ba42013542d68e68d31598547c1c5451b78e72109bfe2d2e97d40f331615033dd968dc0a9f

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\525cd93bb393d7b0e106362f6999d7cd798420e59d97dab167ba40b862867124

MD5 47b6fc8928252d3e075426156f526644
SHA1 38a00cd13f932f20b33325cd41d17e958f8666f7
SHA256 436e53bc08ade2db5a8aa774deac07b5c69590d7800e46f7a90aa664c7596b09
SHA512 4dcc6a2fcf7e60b487be881219bb1ec737be165b57b1b5418d4818ba42013542d68e68d31598547c1c5451b78e72109bfe2d2e97d40f331615033dd968dc0a9f