Malware Analysis Report

2025-01-19 07:35

Sample ID 231102-txmzfafa4t
Target NEAS.482c3e2e3cc73e69e1536e0a85385d20.exe
SHA256 10b7fb1e6549953e9f90379ba2ec971514ea9047da7a1312c397d6238e28b01a
Tags
upx tinba banker persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

10b7fb1e6549953e9f90379ba2ec971514ea9047da7a1312c397d6238e28b01a

Threat Level: Known bad

The file NEAS.482c3e2e3cc73e69e1536e0a85385d20.exe was found to be: Known bad.

Malicious Activity Summary

upx tinba banker persistence trojan

Tinba / TinyBanker

UPX packed file

Adds Run key to start application

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-02 16:26

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-02 16:26

Reported

2023-11-02 16:29

Platform

win7-20231025-en

Max time kernel

151s

Max time network

156s

Command Line

C:\Windows\Explorer.EXE

Signatures

Tinba / TinyBanker

trojan banker tinba

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\73CD2EAC = "C:\\Users\\Admin\\AppData\\Roaming\\73CD2EAC\\bin.exe" C:\Windows\SysWOW64\winver.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\winver.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Users\Admin\AppData\Local\Temp\NEAS.482c3e2e3cc73e69e1536e0a85385d20.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.482c3e2e3cc73e69e1536e0a85385d20.exe"

C:\Windows\SysWOW64\winver.exe

winver

Network

Country Destination Domain Proto
US 8.8.8.8:53 spaines.pw udp
US 216.218.185.162:80 spaines.pw tcp

Files

memory/2444-0-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2444-1-0x0000000000020000-0x0000000000021000-memory.dmp

memory/1256-2-0x00000000029D0000-0x00000000029D6000-memory.dmp

memory/1256-3-0x00000000029D0000-0x00000000029D6000-memory.dmp

memory/2444-4-0x0000000001D60000-0x0000000002760000-memory.dmp

memory/1256-5-0x00000000029D0000-0x00000000029D6000-memory.dmp

memory/2428-6-0x0000000000100000-0x0000000000106000-memory.dmp

memory/2428-7-0x0000000077CE0000-0x0000000077CE1000-memory.dmp

memory/2428-8-0x0000000077CDF000-0x0000000077CE0000-memory.dmp

memory/2428-9-0x0000000077CDF000-0x0000000077CE1000-memory.dmp

memory/1256-10-0x0000000077B31000-0x0000000077B32000-memory.dmp

memory/2428-11-0x0000000000CA0000-0x0000000000CB6000-memory.dmp

memory/2444-12-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2444-13-0x0000000001D60000-0x0000000002760000-memory.dmp

memory/1256-14-0x0000000077CC0000-0x0000000077CC1000-memory.dmp

memory/2428-17-0x0000000000150000-0x0000000000151000-memory.dmp

memory/1132-21-0x0000000000410000-0x0000000000416000-memory.dmp

memory/1132-23-0x0000000077B31000-0x0000000077B32000-memory.dmp

memory/1232-22-0x0000000000220000-0x0000000000226000-memory.dmp

memory/1256-26-0x0000000002980000-0x0000000002986000-memory.dmp

memory/1232-25-0x0000000000220000-0x0000000000226000-memory.dmp

memory/1256-27-0x0000000002980000-0x0000000002986000-memory.dmp

memory/1256-31-0x0000000077CA0000-0x0000000077CA1000-memory.dmp

memory/1256-32-0x000007FF0BCE0000-0x000007FF0BCEA000-memory.dmp

memory/1256-33-0x000007FEF6500000-0x000007FEF6643000-memory.dmp

memory/2428-34-0x0000000000160000-0x0000000000161000-memory.dmp

memory/1256-35-0x000007FF0BCE0000-0x000007FF0BCEA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-02 16:26

Reported

2023-11-02 16:29

Platform

win10v2004-20231023-en

Max time kernel

154s

Max time network

161s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

Tinba / TinyBanker

trojan banker tinba

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\84AD51EF = "C:\\Users\\Admin\\AppData\\Roaming\\84AD51EF\\bin.exe" C:\Windows\SysWOW64\winver.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bb226784-10d2-445c- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\f0a1d8b88918c29041545430dcef3daf298e78e451225c6275153e048c177049" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a2064acd-2190-4866- = 70c81478a90dda01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a5fbc128-01d1-46d7- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0993b293-1188-4648- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0993b293-1188-4648- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\c8fc2c45cd115b2f1557946483e895fb11bed67c6c68b13c440eeb2112c09215" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a5fbc128-01d1-46d7- = [value omitted in source] C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a04a636-a51f-4c55- = afd22d78a90dda01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a88bbb11-ac4d-4ce9- = 5dd2e377a90dda01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a88bbb11-ac4d-4ce9- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a88bbb11-ac4d-4ce9- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bb226784-10d2-445c- C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bb226784-10d2-445c- = [value omitted in source] C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a2064acd-2190-4866- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a04a636-a51f-4c55- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a88bbb11-ac4d-4ce9- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a2064acd-2190-4866- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\df7a5a5e35d359141c0730fcf65068c1f7ba01b07ca0d533ebe361be0f26ad5f" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a5fbc128-01d1-46d7- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2e963cda-3bf2-46e5- C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a88bbb11-ac4d-4ce9- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0993b293-1188-4648- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0993b293-1188-4648- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a5fbc128-01d1-46d7- = 96de2478a90dda01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a5fbc128-01d1-46d7- C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15c2707f-ba5e-4b61- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a88bbb11-ac4d-4ce9- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\5ce3af507ec6917eb196d7f49abbe5b3d971dcd2acb624466c37db895437b8a8" C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d72b131a-f444-4acf- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0993b293-1188-4648- = [value omitted in source] C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a88bbb11-ac4d-4ce9- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a2064acd-2190-4866- C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a5fbc128-01d1-46d7- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a5fbc128-01d1-46d7- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bb226784-10d2-445c- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a2064acd-2190-4866- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a2064acd-2190-4866- = [value omitted in source] C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\MuiCache C:\Windows\system32\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bb226784-10d2-445c- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a04a636-a51f-4c55- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a04a636-a51f-4c55- = [value omitted in source] C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a88bbb11-ac4d-4ce9- = [value omitted in source] C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bb226784-10d2-445c- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a2064acd-2190-4866- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bb829818-b476-4963- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bb226784-10d2-445c- = 7ae3fb77a90dda01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a2064acd-2190-4866- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a04a636-a51f-4c55- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\6770c331fae4d10f3dcaf3a4cbaddbeabab22f46f0cedfd310aed3bb5899d187" C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\66ad4c69-cfed-4a7a- C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\91eecbd8-a759-4db6- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0993b293-1188-4648- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a04a636-a51f-4c55- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bb226784-10d2-445c- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0993b293-1188-4648- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0993b293-1188-4648- = d94a0578a90dda01 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a5fbc128-01d1-46d7- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\096e643d4adc145b9e7621266fed74f082a59126c8d58040ee62c7216fea74ed" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a04a636-a51f-4c55- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a04a636-a51f-4c55- C:\Windows\System32\RuntimeBroker.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\system32\WerFault.exe N/A
N/A N/A C:\Windows\system32\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A
N/A N/A C:\Windows\SysWOW64\winver.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\backgroundTaskHost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\backgroundTaskHost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\winver.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2804 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.482c3e2e3cc73e69e1536e0a85385d20.exe C:\Windows\SysWOW64\winver.exe
PID 2804 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.482c3e2e3cc73e69e1536e0a85385d20.exe C:\Windows\SysWOW64\winver.exe
PID 2804 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.482c3e2e3cc73e69e1536e0a85385d20.exe C:\Windows\SysWOW64\winver.exe
PID 2804 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.482c3e2e3cc73e69e1536e0a85385d20.exe C:\Windows\SysWOW64\winver.exe
PID 760 wrote to memory of 3292 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\Explorer.EXE
PID 760 wrote to memory of 2328 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\sihost.exe
PID 760 wrote to memory of 2340 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\svchost.exe
PID 760 wrote to memory of 2464 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\taskhostw.exe
PID 760 wrote to memory of 3292 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\Explorer.EXE
PID 760 wrote to memory of 3472 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\svchost.exe
PID 760 wrote to memory of 3660 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 760 wrote to memory of 3760 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 760 wrote to memory of 3828 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\System32\RuntimeBroker.exe
PID 760 wrote to memory of 3940 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 760 wrote to memory of 4056 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\System32\RuntimeBroker.exe
PID 760 wrote to memory of 5004 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\System32\RuntimeBroker.exe
PID 760 wrote to memory of 4160 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 760 wrote to memory of 1284 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\backgroundTaskHost.exe
PID 760 wrote to memory of 4584 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\backgroundTaskHost.exe
PID 760 wrote to memory of 2716 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\backgroundTaskHost.exe
PID 760 wrote to memory of 3348 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\System32\RuntimeBroker.exe
PID 760 wrote to memory of 1104 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\System32\RuntimeBroker.exe
PID 760 wrote to memory of 2528 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\WerFault.exe
PID 760 wrote to memory of 4868 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\backgroundTaskHost.exe
PID 760 wrote to memory of 3424 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\System32\RuntimeBroker.exe
PID 760 wrote to memory of 2020 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 760 wrote to memory of 3044 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 760 wrote to memory of 764 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 760 wrote to memory of 1476 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 760 wrote to memory of 3380 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\BackgroundTransferHost.exe
PID 760 wrote to memory of 3268 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 760 wrote to memory of 3640 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 760 wrote to memory of 4308 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\BackgroundTransferHost.exe
PID 760 wrote to memory of 4576 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe
PID 760 wrote to memory of 4760 N/A C:\Windows\SysWOW64\winver.exe C:\Windows\system32\DllHost.exe

Processes

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.482c3e2e3cc73e69e1536e0a85385d20.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.482c3e2e3cc73e69e1536e0a85385d20.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SysWOW64\winver.exe

winver

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3660 -s 388

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 126.21.238.8.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 spaines.pw udp
US 216.218.185.162:80 spaines.pw tcp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 162.185.218.216.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 218.240.110.104.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/2804-0-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2804-1-0x0000000002160000-0x0000000002161000-memory.dmp

memory/2804-2-0x00000000021C0000-0x0000000002BC0000-memory.dmp

memory/760-3-0x00000000028F0000-0x00000000028F6000-memory.dmp

memory/3292-5-0x0000000000890000-0x0000000000896000-memory.dmp

memory/3292-7-0x00007FFE3CAED000-0x00007FFE3CAEE000-memory.dmp

memory/760-6-0x00000000775E2000-0x00000000775E3000-memory.dmp

memory/2804-8-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2804-9-0x00000000021C0000-0x0000000002BC0000-memory.dmp

memory/760-11-0x00000000028F0000-0x00000000028F6000-memory.dmp

memory/2340-13-0x00000000000C0000-0x00000000000C6000-memory.dmp

memory/2328-15-0x00000000001E0000-0x00000000001E6000-memory.dmp

memory/2464-14-0x0000000000630000-0x0000000000636000-memory.dmp

memory/3292-17-0x00000000029A0000-0x00000000029A6000-memory.dmp

memory/2340-16-0x00000000000C0000-0x00000000000C6000-memory.dmp

memory/2464-21-0x0000000000630000-0x0000000000636000-memory.dmp

memory/3472-23-0x00000000007F0000-0x00000000007F6000-memory.dmp

memory/3760-22-0x0000000000A10000-0x0000000000A16000-memory.dmp

memory/3660-20-0x0000000000060000-0x0000000000066000-memory.dmp

memory/3292-19-0x00000000029A0000-0x00000000029A6000-memory.dmp

memory/3472-18-0x00000000007F0000-0x00000000007F6000-memory.dmp

memory/3828-24-0x0000000000940000-0x0000000000946000-memory.dmp

memory/3760-25-0x0000000000A10000-0x0000000000A16000-memory.dmp

memory/3828-26-0x0000000000940000-0x0000000000946000-memory.dmp

memory/3940-27-0x00000000000A0000-0x00000000000A6000-memory.dmp

memory/4056-28-0x00000000000C0000-0x00000000000C6000-memory.dmp

memory/5004-29-0x0000000000980000-0x0000000000986000-memory.dmp

memory/4056-30-0x00000000000C0000-0x00000000000C6000-memory.dmp

memory/4160-31-0x0000000000220000-0x0000000000226000-memory.dmp

memory/1284-32-0x00000000006F0000-0x00000000006F6000-memory.dmp

memory/4160-34-0x0000000000220000-0x0000000000226000-memory.dmp

memory/5004-33-0x0000000000980000-0x0000000000986000-memory.dmp

memory/1284-35-0x00000000006F0000-0x00000000006F6000-memory.dmp

memory/4584-36-0x0000000000B60000-0x0000000000B66000-memory.dmp

memory/2716-37-0x0000000000740000-0x0000000000746000-memory.dmp

memory/3348-38-0x0000000000100000-0x0000000000106000-memory.dmp

memory/1104-39-0x0000000000F50000-0x0000000000F56000-memory.dmp

memory/3348-40-0x0000000000100000-0x0000000000106000-memory.dmp

memory/1104-41-0x0000000000F50000-0x0000000000F56000-memory.dmp

memory/2716-42-0x00007FFE3CAED000-0x00007FFE3CAEE000-memory.dmp

memory/2716-43-0x00007FFE3CAED000-0x00007FFE3CAEE000-memory.dmp

memory/2528-44-0x0000000000560000-0x0000000000566000-memory.dmp

memory/2528-45-0x0000000000560000-0x0000000000566000-memory.dmp

memory/2716-48-0x00007FFE3CC80000-0x00007FFE3CC81000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\1698942402

MD5 ba7029663c526022bf917505595e51d5
SHA1 9af92c5f3e0d7aeb6be35639627a21d94a88edc0
SHA256 40987dff53bcb5fe07901f34d5ef2ca7d810bfdc5e51090735f5456b704824ac
SHA512 af098948df4c6edb178eadde0551f23278e723b4bb0de68da7c21fb2ab1c9f60578a3b6a28de297583f9ac50712917b74fb15c010ec090773d76136794607202

memory/2716-54-0x0000000000740000-0x0000000000746000-memory.dmp

memory/1104-55-0x00007FFE3CC80000-0x00007FFE3CC81000-memory.dmp

memory/2716-56-0x00007FFE3CC70000-0x00007FFE3CC71000-memory.dmp

memory/2528-70-0x00007FFE3CC60000-0x00007FFE3CC61000-memory.dmp

memory/2528-78-0x00007FFE3CC70000-0x00007FFE3CC71000-memory.dmp

memory/3292-94-0x00007FFE3CC70000-0x00007FFE3CC71000-memory.dmp

memory/3292-95-0x00007FFE3CC80000-0x00007FFE3CC81000-memory.dmp

memory/3292-96-0x00007FFE3CC60000-0x00007FFE3CC61000-memory.dmp

memory/3292-97-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3292-98-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3292-99-0x0000000002F60000-0x0000000002F70000-memory.dmp

memory/3292-100-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3292-101-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3292-102-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3292-103-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3292-104-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3292-106-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3292-109-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3292-108-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3292-110-0x0000000002F80000-0x0000000002F90000-memory.dmp

memory/3292-111-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3292-112-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3292-114-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3292-113-0x0000000002F80000-0x0000000002F90000-memory.dmp

memory/3292-116-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3292-118-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3292-119-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3292-120-0x0000000002F60000-0x0000000002F70000-memory.dmp

memory/3292-122-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3292-125-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3292-123-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3292-128-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3292-127-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3292-130-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3292-129-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3292-131-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3292-132-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3292-133-0x0000000002F80000-0x0000000002F90000-memory.dmp

memory/4868-134-0x0000000000EC0000-0x0000000000EC6000-memory.dmp

memory/3424-135-0x0000000000D00000-0x0000000000D06000-memory.dmp

memory/3424-136-0x0000000000D00000-0x0000000000D06000-memory.dmp

memory/3424-137-0x00007FFE3CC80000-0x00007FFE3CC81000-memory.dmp

memory/4868-138-0x00007FFE3CC80000-0x00007FFE3CC81000-memory.dmp

memory/4868-139-0x00007FFE3CC70000-0x00007FFE3CC71000-memory.dmp

memory/3424-140-0x00007FFE3CC70000-0x00007FFE3CC71000-memory.dmp

memory/3424-141-0x00007FFE3CC60000-0x00007FFE3CC61000-memory.dmp

memory/3760-142-0x00007FFE3CC60000-0x00007FFE3CC61000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338388\1b6573e827a2430187b4524b66bb7d3d_1

MD5 151bfed20c27ab04babd8739e1bf791f
SHA1 432d0239ef43f62f1ac193d3bade34ddb35dddca
SHA256 4db32fc465b5b012b4cdeeb668dfde972f6ccb9129adf8d4e2c9c48d945905b3
SHA512 6f1d5b10ff5afef876874b5d9a9c6c40d3c58e28aeb3d12d0a02ac8be78428d0ce9380a6363642058d2f7225ea4373f90feea042eda84416f686526847e2deee

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\88000045\1698942441

MD5 0856437ef52e2ab5d746426a94dfc228
SHA1 b2499addb4fc9e730526d4102ccdc9fe9d5bdc86
SHA256 7094a1e275438131cc8c6873c1c1a7ca00060e62f36c44f49d961488a76bec70
SHA512 f52653fbd2044050c6ef57a1b5f99903742cee52389081c07c20d3d541b9fe2da065a4c9ecc166b302b3475a1ef81dbbf99580f86d6f1b3c1d030d0b4835d698

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\280815\1698942441

MD5 ab8c60261747cf88389843c7d605938a
SHA1 6f4d30cecfbad1e72b11c05e5754faabf29f9d60
SHA256 59fbda6cfe90908a8ea0eb49c5303e68ad8ef0932fee2abbb688939a5c1144d5
SHA512 d9f9e66de9fa74b0028152e9dd3a6c822571e5eb022770519c26a7bdc743ae49652164995008d122753138632520d1c38fd156b61de7ef9ab238b6a242d316a0

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338387\1698942441

MD5 9bdc49bdee9fbbad7402603f06eb9e90
SHA1 5bc67d34d4557b3eef6f91a0c0b6e054b5e6eff9
SHA256 60a56c6f2f7af95574176aa2c16f6ca82ee72d692b34a7edf599ffd7cb16b90b
SHA512 98a41c386f7fba8420084845822c794a25e374ed5eb29ff5ec1b59263b84c1ccd3dc407e15c27e2887aa3a18f1757302a4d2153a15a99d0510efe21d2e18b7a1

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\1698942402

MD5 ba7029663c526022bf917505595e51d5
SHA1 9af92c5f3e0d7aeb6be35639627a21d94a88edc0
SHA256 40987dff53bcb5fe07901f34d5ef2ca7d810bfdc5e51090735f5456b704824ac
SHA512 af098948df4c6edb178eadde0551f23278e723b4bb0de68da7c21fb2ab1c9f60578a3b6a28de297583f9ac50712917b74fb15c010ec090773d76136794607202

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat

MD5 063b7ab51b405854cb7f9af9b12be762
SHA1 c8b0832a7ec42ea0f5b98387ed44bdf320b88761
SHA256 9dbc594f82e6ae503cfc5f255ba2f1c480de28e961468682815279e2459ee475
SHA512 92ca0d4c810c33fdf002cc4c36a7d8f0eeaabfa7553c37b72f829adcd80a931202fb1d039938228cde735f2268f085c5e62aef2ba4f5d4e14f34eb7b16ceb613

memory/3044-192-0x0000000000CE0000-0x0000000000CE6000-memory.dmp

memory/2020-191-0x00000000007C0000-0x00000000007C6000-memory.dmp

memory/4868-193-0x0000000000EC0000-0x0000000000EC6000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat.~tmp

MD5 f5880232c64ab19f5d4bf419e3af57bf
SHA1 9dde00c841afcff558944ae723a6364327603670
SHA256 75e3b4c64dce76181388f9bab3773db18982fef0b398f345168edaf4b4254f87
SHA512 4a535ebb67ebfdbf4ef23f87df956b3f0aaf22b226bd6c66f86c8c192e75c999d04b522d0add475b44062e16f9691bd3beaea4a54e5e14d64da138a6a5a4e45e

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\310091\d308b3e1a21349df8e97a6d9acef7e50_1

MD5 5039299af2ee276c5fb9dce032341223
SHA1 9cf941a110c5c554567cf98fbb409c374355508e
SHA256 ca91fdd8aae06752df85535c9893afd80d9577aea7579da4588b6c0a4d3d1848
SHA512 478639f8e9e3b809a2ff5b0c0546e703ce27a3a73b866ed427a2ed0869113cbb481bd901a28848db8e269998946672a0a86ff3119983a8dadc7090e73e8da663

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat

MD5 353fbdb26c8678af172b6eb084a92a97
SHA1 1747140259968e566fd117881a1bd2567b8d2cb5
SHA256 4482974908ddbc7088949b13938893793287213692edd792dc83c903f1f06920
SHA512 668e7912ae0b3b67997b23280a1392858847f3ce88b647948ec9c7b345756716a69c2cc3077365b2c047c952655f184aa208f24c08e35ab99f67c588a211ec5c

memory/2328-221-0x00007FFE3CC70000-0x00007FFE3CC71000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338389\80334207b9f9456d932cf4328b8b34af_1

MD5 581e374e6fcf2955102cdcb2494fe378
SHA1 4edb31a0c35d91719b271ad9322e309e6714dbe6
SHA256 e7c6520862be91ff45d85df78c4b3043b88c4a6d258dc649f9038356cc2186e9
SHA512 ebb1fd52d8bea4c5f4d1fdfc6ff8e83e905fc615e43eef4dba7587006106ab8f7201086586ea07344fc3a3cd4a49ea2a7a8b16f65f034350eb07a1702307b0d8

memory/764-229-0x0000000000550000-0x0000000000556000-memory.dmp

memory/1476-230-0x00000000001C0000-0x00000000001C6000-memory.dmp

memory/3828-231-0x00007FFE3CC60000-0x00007FFE3CC61000-memory.dmp

memory/3828-232-0x00007FFE3CC80000-0x00007FFE3CC81000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338388\1b6573e827a2430187b4524b66bb7d3d_1

MD5 151bfed20c27ab04babd8739e1bf791f
SHA1 432d0239ef43f62f1ac193d3bade34ddb35dddca
SHA256 4db32fc465b5b012b4cdeeb668dfde972f6ccb9129adf8d4e2c9c48d945905b3
SHA512 6f1d5b10ff5afef876874b5d9a9c6c40d3c58e28aeb3d12d0a02ac8be78428d0ce9380a6363642058d2f7225ea4373f90feea042eda84416f686526847e2deee

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\a88bbb11-ac4d-4ce9-9ebf-e5ad74d03dd6.down_data

MD5 4289a38aa8b7070772292a7891064147
SHA1 d3f6e44aa294f067329f1ff6a51f9fab1719ad29
SHA256 d4540c3c005495cb01ae6aaf4768bee74b1b02f8eeb71a1a9b2d56ae922709e6
SHA512 109c1e15d06a7a21768f182c6ffabb09c97e6a41c65d66a9c11fa2e6f0e38ab62680470d9b738221fe1e6b6741756980f538d86f4a76d3569c034d214b0e3077

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\0993b293-1188-4648-be77-0c1c4425125c.down_data

MD5 c2739f5ea0662f74ef5d7828ed8c9b52
SHA1 203ad3e38ad4f70937aaab1f266465d2c503f56d
SHA256 19e5f96da6ec2edeec154d2ab2e1c9958de142c26288c61a690a3217ab89c9ee
SHA512 4409b4fc85ec54e6d624b421a64a5f5d4838d9f3354c2df3ec93ea9c573cf4836d8d6309cf08465cd67e2ebf6438aabce3f95f71509077a786477e581b2fb143

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\a5fbc128-01d1-46d7-9d38-a5d9812a46fb.down_data

MD5 03ef86af5461c5afaefd34e654536160
SHA1 5fef5eac5bda6d9791cd1f01607002cbe0bc39ac
SHA256 a41e04a6b6b9a1a94678be40c179be4e2d8f4c3b081a89f01ea8a9bf87dafec4
SHA512 84e32e51ee9718f312339459fce5f7f22142d656f3ea9f0f1883ba203c601feb38bcd030552ef76d895d3aa3590812556a055b3b9189c5db9bdb3232ef2e3625