Analysis Overview
SHA256
10b7fb1e6549953e9f90379ba2ec971514ea9047da7a1312c397d6238e28b01a
Threat Level: Known bad
The file NEAS.482c3e2e3cc73e69e1536e0a85385d20.exe was found to be: Known bad.
Malicious Activity Summary
Tinba / TinyBanker
UPX packed file
Adds Run key to start application
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-02 16:26
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-02 16:26
Reported
2023-11-02 16:29
Platform
win7-20231025-en
Max time kernel
151s
Max time network
156s
Command Line
Signatures
Tinba / TinyBanker
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\73CD2EAC = "C:\\Users\\Admin\\AppData\\Roaming\\73CD2EAC\\bin.exe" | C:\Windows\SysWOW64\winver.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" |
| C:\Windows\system32\taskhost.exe | "taskhost.exe" |
| C:\Users\Admin\AppData\Local\Temp\NEAS.482c3e2e3cc73e69e1536e0a85385d20.exe | "C:\Users\Admin\AppData\Local\Temp\NEAS.482c3e2e3cc73e69e1536e0a85385d20.exe" |
| C:\Windows\SysWOW64\winver.exe | winver |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | spaines.pw | udp |
| US | 216.218.185.162:80 | spaines.pw | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-02 16:26
Reported
2023-11-02 16:29
Platform
win10v2004-20231023-en
Max time kernel
154s
Max time network
161s
Command Line
Signatures
Tinba / TinyBanker
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\84AD51EF = "C:\\Users\\Admin\\AppData\\Roaming\\84AD51EF\\bin.exe" | C:\Windows\SysWOW64\winver.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bb226784-10d2-445c- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\f0a1d8b88918c29041545430dcef3daf298e78e451225c6275153e048c177049" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a2064acd-2190-4866- = 70c81478a90dda01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a5fbc128-01d1-46d7- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0993b293-1188-4648- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0993b293-1188-4648- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\c8fc2c45cd115b2f1557946483e895fb11bed67c6c68b13c440eeb2112c09215" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a5fbc128-01d1-46d7- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a04a636-a51f-4c55- = afd22d78a90dda01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a88bbb11-ac4d-4ce9- = 5dd2e377a90dda01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a88bbb11-ac4d-4ce9- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a88bbb11-ac4d-4ce9- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bb226784-10d2-445c- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bb226784-10d2-445c- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a2064acd-2190-4866- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a04a636-a51f-4c55- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a88bbb11-ac4d-4ce9- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a2064acd-2190-4866- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\df7a5a5e35d359141c0730fcf65068c1f7ba01b07ca0d533ebe361be0f26ad5f" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a5fbc128-01d1-46d7- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2e963cda-3bf2-46e5- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a88bbb11-ac4d-4ce9- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0993b293-1188-4648- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0993b293-1188-4648- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a5fbc128-01d1-46d7- = 96de2478a90dda01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a5fbc128-01d1-46d7- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15c2707f-ba5e-4b61- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a88bbb11-ac4d-4ce9- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\5ce3af507ec6917eb196d7f49abbe5b3d971dcd2acb624466c37db895437b8a8" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d72b131a-f444-4acf- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0993b293-1188-4648- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a88bbb11-ac4d-4ce9- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a2064acd-2190-4866- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a5fbc128-01d1-46d7- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a5fbc128-01d1-46d7- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bb226784-10d2-445c- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a2064acd-2190-4866- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a2064acd-2190-4866- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\MuiCache | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bb226784-10d2-445c- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a04a636-a51f-4c55- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a88bbb11-ac4d-4ce9- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bb226784-10d2-445c- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a2064acd-2190-4866- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bb829818-b476-4963- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bb226784-10d2-445c- = 7ae3fb77a90dda01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a2064acd-2190-4866- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a04a636-a51f-4c55- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\6770c331fae4d10f3dcaf3a4cbaddbeabab22f46f0cedfd310aed3bb5899d187" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\66ad4c69-cfed-4a7a- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\91eecbd8-a759-4db6- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0993b293-1188-4648- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a04a636-a51f-4c55- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bb226784-10d2-445c- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0993b293-1188-4648- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0993b293-1188-4648- = d94a0578a90dda01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a5fbc128-01d1-46d7- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\096e643d4adc145b9e7621266fed74f082a59126c8d58040ee62c7216fea74ed" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a04a636-a51f-4c55- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a04a636-a51f-4c55- | C:\Windows\System32\RuntimeBroker.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.482c3e2e3cc73e69e1536e0a85385d20.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.482c3e2e3cc73e69e1536e0a85385d20.exe"
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SysWOW64\winver.exe
winver
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3660 -s 388
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.21.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | spaines.pw | udp |
| US | 216.218.185.162:80 | spaines.pw | tcp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 162.185.218.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.240.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\1698942402
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338388\1b6573e827a2430187b4524b66bb7d3d_1
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\88000045\1698942441
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\280815\1698942441
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338387\1698942441
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat.~tmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\310091\d308b3e1a21349df8e97a6d9acef7e50_1
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338389\80334207b9f9456d932cf4328b8b34af_1
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\a88bbb11-ac4d-4ce9-9ebf-e5ad74d03dd6.down_data
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\0993b293-1188-4648-be77-0c1c4425125c.down_data
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\a5fbc128-01d1-46d7-9d38-a5d9812a46fb.down_data