Analysis Overview
SHA256
547478771a243352e2a5382c52c98178dea3386d5dc958d2b48120a11486732e
Threat Level: Known bad
The file NEAS.3748f49a814add865524c9a8d8d56df0.exe was found to be: Known bad.
Malicious Activity Summary
Tinba / TinyBanker
UPX packed file
Adds Run key to start application
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Checks processor information in registry
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-03 13:48
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-03 13:48
Reported
2023-11-03 13:58
Platform
win7-20231020-en
Max time kernel
150s
Max time network
170s
Command Line
Signatures
Tinba / TinyBanker
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\9EDE4612 = "C:\\Users\\Admin\\AppData\\Roaming\\9EDE4612\\bin.exe" | C:\Windows\SysWOW64\winver.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| C:\Windows\system32\taskhost.exe | "taskhost.exe" |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" |
| C:\Users\Admin\AppData\Local\Temp\NEAS.3748f49a814add865524c9a8d8d56df0.exe | "C:\Users\Admin\AppData\Local\Temp\NEAS.3748f49a814add865524c9a8d8d56df0.exe" |
| C:\Windows\SysWOW64\winver.exe | winver |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | spaines.pw | udp |
| US | 216.218.185.162:80 | spaines.pw | tcp |
Files
memory/1896-0-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1896-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/1896-3-0x0000000001D40000-0x0000000002740000-memory.dmp
memory/2324-4-0x0000000000090000-0x0000000000096000-memory.dmp
memory/1316-2-0x0000000002AD0000-0x0000000002AD6000-memory.dmp
memory/1316-6-0x0000000002AD0000-0x0000000002AD6000-memory.dmp
memory/2324-7-0x0000000000FC0000-0x0000000000FD6000-memory.dmp
memory/1316-11-0x0000000077AE1000-0x0000000077AE2000-memory.dmp
memory/2324-10-0x0000000077C90000-0x0000000077C91000-memory.dmp
memory/2324-9-0x0000000077C8F000-0x0000000077C91000-memory.dmp
memory/2324-8-0x0000000077C8F000-0x0000000077C90000-memory.dmp
memory/1896-12-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1896-13-0x0000000001D40000-0x0000000002740000-memory.dmp
memory/2324-15-0x0000000000090000-0x0000000000096000-memory.dmp
memory/2324-16-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/1316-17-0x0000000077C70000-0x0000000077C71000-memory.dmp
memory/1284-23-0x0000000000280000-0x0000000000286000-memory.dmp
memory/2324-29-0x0000000000090000-0x0000000000096000-memory.dmp
memory/1284-28-0x0000000000280000-0x0000000000286000-memory.dmp
memory/1172-27-0x0000000077AE1000-0x0000000077AE2000-memory.dmp
memory/1172-26-0x00000000003D0000-0x00000000003D6000-memory.dmp
memory/1316-25-0x0000000002AE0000-0x0000000002AE6000-memory.dmp
memory/1316-30-0x0000000002AE0000-0x0000000002AE6000-memory.dmp
memory/2324-34-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/1316-35-0x0000000077C50000-0x0000000077C51000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-03 13:48
Reported
2023-11-03 14:01
Platform
win10v2004-20231023-en
Max time kernel
164s
Max time network
168s
Command Line
Signatures
Tinba / TinyBanker
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8E4F706F = "C:\\Users\\Admin\\AppData\\Roaming\\8E4F706F\\bin.exe" | C:\Windows\SysWOW64\winver.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\backgroundTaskHost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9d0219c0-9f1a-4db4- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\2627c808a0ba18432cf5bae23894f1892c0a1efce0a5f1ebd5e3e310ea89f456" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2ea96afe-7d5f-40d9- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b8bc8c35-3e4f-47fe- = 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 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\95114e98-2ded-4de7- = 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 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1671e926-767d-4482- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0021f7e8-2ee7-4cf9- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\522b668d-4d52-4de0- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\084c5b06-bee6-4084- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\2627c808a0ba18432cf5bae23894f1892c0a1efce0a5f1ebd5e3e310ea89f456" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4f2fab91-37a7-48b4- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4cad568f-7fae-4ad9- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e11d2247-ad49-460f- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\MuiCache | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\084c5b06-bee6-4084- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\084c5b06-bee6-4084- = 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 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b8bc8c35-3e4f-47fe- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b8bc8c35-3e4f-47fe- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1671e926-767d-4482- = dcaf470d5e0eda01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0021f7e8-2ee7-4cf9- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e11d2247-ad49-460f- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c0ede79d-e3b3-41b6- = d199ce015e0eda01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2ea96afe-7d5f-40d9- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2ea96afe-7d5f-40d9- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\084c5b06-bee6-4084- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8b7ddf5e-3e05-47f9- = e6f085055e0eda01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9d0219c0-9f1a-4db4- = 2b9fc3015e0eda01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\24a65a36-c5aa-4bb6- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\24a65a36-c5aa-4bb6- = 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 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2ea96afe-7d5f-40d9- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e9872be5-e731-4ff1- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\522b668d-4d52-4de0- = 74dcb9015e0eda01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b8bc8c35-3e4f-47fe- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4f2fab91-37a7-48b4- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f4150ad0-1445-4ca9- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2ea96afe-7d5f-40d9- = 138ae5015e0eda01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4cad568f-7fae-4ad9- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4cad568f-7fae-4ad9- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3a7fd467-9713-42b7- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\95114e98-2ded-4de7- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cf7d0f43-63af-4adb- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\1cf864f675a89971a196219c3b9a344befd70bf4a92112c19c7a379c18a67966" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\522b668d-4d52-4de0- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8b7ddf5e-3e05-47f9- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e74ed421-521e-4ae8- = 94b7e3055e0eda01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\92a3eea9-97d7-4554- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9d0219c0-9f1a-4db4- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\95114e98-2ded-4de7- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\e4b139a83e7484024779b5fcc44f4eeb0c768d9a13a1392fa676aa79127b8841" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1671e926-767d-4482- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cf7d0f43-63af-4adb- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cf7d0f43-63af-4adb- = 111e3f115e0eda01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1cf26dc8-8de7-41e1- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2ea96afe-7d5f-40d9- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\83166bfd590c0170d49f06caf7f8041459471de0a0621f712ef9d242244c6525" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4cad568f-7fae-4ad9- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e11d2247-ad49-460f- = c3fc5b095e0eda01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5ab04e28-7330-4965- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1671e926-767d-4482- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0021f7e8-2ee7-4cf9- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\521196a2-1495-4ab6- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\521196a2-1495-4ab6- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f4150ad0-1445-4ca9- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\1cf864f675a89971a196219c3b9a344befd70bf4a92112c19c7a379c18a67966" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c0ede79d-e3b3-41b6- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2813ee06-d288-4668- | C:\Windows\System32\RuntimeBroker.exe | N/A |
35003600300031003200340032002d003300330031003400340037003500390033002d0031003500310032003800320038003400360035002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000064ad0c2000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0021f7e8-2ee7-4cf9- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\ba038d9c2bf749d7ffe9f149709d0e676034dfea6e49bdf1a2a63f271f1770cb" | C:\Windows\System32\RuntimeBroker.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\NEAS.3748f49a814add865524c9a8d8d56df0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.3748f49a814add865524c9a8d8d56df0.exe"
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SysWOW64\winver.exe
winver
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1192 -s 832
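The Processes list above is printed as pairs of lines (image path, then command line) and is dominated by COM surrogates and shell-experience hosts that the Windows 10 image starts on its own. The following Python is an added triage helper, not part of the sandbox report or its tooling. It pairs the lines back up and pulls out three signals a practitioner checks first: images running from user-writable paths, 32-bit images on the x64 host (SysWOW64, here winver.exe), and the PID that WerFault.exe was launched for. The sample input is a constructed slice of the list above; the "32-bit injector targets 32-bit hosts" reading of the SysWOW64 entry is a heuristic assumption, not something the report states.

```python
import re
from collections import Counter

# Constructed sample input: a slice of the Processes list above, keeping the
# image-path / command-line pairs exactly as the report prints them.
PROCESS_LIST = r"""
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\NEAS.3748f49a814add865524c9a8d8d56df0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.3748f49a814add865524c9a8d8d56df0.exe"
C:\Windows\SysWOW64\winver.exe
winver
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1192 -s 832
"""

# WerFault.exe receives the faulting process id in its -p argument.
WERFAULT_PID_RE = re.compile(r"\bwerfault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)


def parse_processes(text):
    """The report lists each process as two lines: image path, then command
    line. Pair them up; a trailing unpaired line is ignored."""
    lines = [l for l in text.splitlines() if l.strip()]
    return [{"image": lines[i].strip(), "cmdline": lines[i + 1].strip()}
            for i in range(0, len(lines) - 1, 2)]


def triage_processes(procs):
    """Three cheap signals from the process list alone:
    - user_writable: images outside C:\\Windows (the sample and anything it drops)
    - wow64: 32-bit images on the x64 host (SysWOW64). Heuristic assumption:
      a 32-bit sample's natural injection hosts are other 32-bit processes,
      so these are the first place to look for injected code.
    - crashes: PIDs that WerFault.exe was launched for
    - counts: how many instances of each image name appeared
    """
    out = {"user_writable": [], "wow64": [], "crashes": [], "counts": Counter()}
    for p in procs:
        img = p["image"].lower()
        out["counts"][img.rsplit("\\", 1)[-1]] += 1
        if not img.startswith("c:\\windows\\"):
            out["user_writable"].append(p["image"])
        if "\\syswow64\\" in img:
            out["wow64"].append(p["image"])
        m = WERFAULT_PID_RE.search(p["cmdline"])
        if m:
            out["crashes"].append(int(m[1]))
    return out


if __name__ == "__main__":
    t = triage_processes(parse_processes(PROCESS_LIST))
    for key in ("user_writable", "wow64", "crashes"):
        print(f"{key}: {t[key]}")
    print("most common:", t["counts"].most_common(3))
```

The report does not say which process PID 1192 was, so the crash PID is only a pivot: match it against the PIDs in the memory dump names under Files before drawing any conclusion.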
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | spaines.pw | udp |
| US | 216.218.185.162:80 | spaines.pw | tcp |
| US | 8.8.8.8:53 | 162.185.218.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
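Most rows in the Network table are reverse-DNS (in-addr.arpa) lookups and Bing traffic from the Windows content-delivery components, which is the same background noise the Files section below is full of. The one destination that does not fit that pattern is spaines.pw, resolved and then contacted on 216.218.185.162:80 over TCP. The following Python is an added example, not the sandbox's code: it parses the table, folds the PTR lookups back onto the forward names they refer to, separates vendor traffic from everything else, and returns the indicators left over. The vendor allow-list is an assumption made for this example (a baseline you would build from a clean detonation of the same image); the sample rows are a constructed copy of the table above.

```python
import re
from collections import OrderedDict

# Constructed sample input: rows of the Network table above, copied as-is
# (the repeated bing.net connection rows are collapsed to one).
NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | spaines.pw | udp |
| US | 216.218.185.162:80 | spaines.pw | tcp |
| US | 8.8.8.8:53 | 162.185.218.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
"""

# Assumption for this example: domains the stock Windows 10 sandbox image
# contacts on its own (Spotlight/Bing content delivery). Build your own list
# from a clean run of the same image rather than trusting this one.
BENIGN_SUFFIXES = ("bing.com", "bing.net")
RESOLVER = "8.8.8.8"
PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")


def parse_rows(table):
    """Split the pipe table into dicts; the header row is skipped."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_target(domain):
    """For a.b.c.d.in-addr.arpa return 'd.c.b.a', otherwise None."""
    m = PTR_RE.match(domain)
    return ".".join(reversed(m.groups())) if m else None


def is_benign(domain):
    return any(domain == s or domain.endswith("." + s) for s in BENIGN_SUFFIXES)


def triage(table):
    """Group rows per forward name and attach a verdict.

    A row to RESOLVER:53/udp is a DNS query; any other row is a connection.
    Returns {"domains": {name: {...}}, "ptr_lookups": {ip: name_or_None}}.
    """
    domains, ptr_lookups = OrderedDict(), OrderedDict()
    for r in parse_rows(table):
        target = ptr_target(r["domain"])
        if target is not None:
            ptr_lookups[target] = None      # tied to a forward name below
            continue
        entry = domains.setdefault(r["domain"], {"resolved": False,
                                                 "connections": [], "verdict": None})
        if r["ip"] == RESOLVER and r["port"] == 53 and r["proto"] == "udp":
            entry["resolved"] = True
        else:
            entry["connections"].append((r["ip"], r["port"], r["proto"]))
    for name, entry in domains.items():
        entry["verdict"] = "benign-vendor" if is_benign(name) else "candidate-ioc"
    # A PTR query for an address we connected to is not a second host; attach
    # it to the forward name so the IOC list does not double-count it.
    for ip in ptr_lookups:
        for name, entry in domains.items():
            if any(c[0] == ip for c in entry["connections"]):
                ptr_lookups[ip] = name
    return {"domains": domains, "ptr_lookups": ptr_lookups}


def iocs(table):
    """Sorted list of the indicators that survive the noise filter."""
    out = set()
    for name, entry in triage(table)["domains"].items():
        if entry["verdict"] != "candidate-ioc":
            continue
        out.add(name)
        for ip, port, proto in entry["connections"]:
            out.add(f"{ip}:{port}/{proto}")
    return sorted(out)


if __name__ == "__main__":
    for name, e in triage(NETWORK_TABLE)["domains"].items():
        print(f"{e['verdict']:14} {name:20} resolved={e['resolved']} {e['connections']}")
    print("IOCs:", iocs(NETWORK_TABLE))
```

What survives the filter is what to pivot on: the forward name, the address and port it resolved to, and the fact that the connection is plain TCP/80 rather than TLS. Treat the allow-list as sandbox-specific; a destination that is noise on one image can be the only real signal on another.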
Files
memory/4980-0-0x0000000000400000-0x000000000041D000-memory.dmp
memory/4980-1-0x0000000000400000-0x000000000041D000-memory.dmp
memory/4980-2-0x00000000005C0000-0x00000000005C1000-memory.dmp
memory/4980-3-0x0000000002200000-0x0000000002C00000-memory.dmp
memory/2708-4-0x0000000000AD0000-0x0000000000AD6000-memory.dmp
memory/2708-7-0x0000000077822000-0x0000000077823000-memory.dmp
memory/3320-6-0x0000000000ED0000-0x0000000000ED6000-memory.dmp
memory/3320-8-0x00007FF931F8D000-0x00007FF931F8E000-memory.dmp
memory/4980-9-0x0000000000400000-0x000000000041D000-memory.dmp
memory/4980-10-0x0000000002200000-0x0000000002C00000-memory.dmp
memory/3320-11-0x00007FF932110000-0x00007FF932111000-memory.dmp
memory/3320-12-0x00007FF932120000-0x00007FF932121000-memory.dmp
memory/2708-14-0x0000000000AD0000-0x0000000000AD6000-memory.dmp
memory/2896-16-0x0000000000D10000-0x0000000000D16000-memory.dmp
memory/2984-17-0x0000000000810000-0x0000000000816000-memory.dmp
memory/2852-18-0x00000000000C0000-0x00000000000C6000-memory.dmp
memory/2896-20-0x0000000000D10000-0x0000000000D16000-memory.dmp
memory/3320-22-0x0000000000F20000-0x0000000000F26000-memory.dmp
memory/3496-21-0x0000000000E30000-0x0000000000E36000-memory.dmp
memory/2984-24-0x0000000000810000-0x0000000000816000-memory.dmp
memory/3704-23-0x00000000008A0000-0x00000000008A6000-memory.dmp
memory/3828-25-0x0000000000710000-0x0000000000716000-memory.dmp
memory/3320-19-0x0000000000F20000-0x0000000000F26000-memory.dmp
memory/3496-26-0x0000000000E30000-0x0000000000E36000-memory.dmp
memory/3828-28-0x0000000000710000-0x0000000000716000-memory.dmp
memory/3908-27-0x0000000000130000-0x0000000000136000-memory.dmp
memory/3908-29-0x0000000000130000-0x0000000000136000-memory.dmp
memory/4004-30-0x0000000000340000-0x0000000000346000-memory.dmp
memory/3568-31-0x0000000000B70000-0x0000000000B76000-memory.dmp
memory/4868-32-0x0000000000240000-0x0000000000246000-memory.dmp
memory/3568-34-0x0000000000B70000-0x0000000000B76000-memory.dmp
memory/3456-33-0x00000000000B0000-0x00000000000B6000-memory.dmp
memory/4868-35-0x0000000000240000-0x0000000000246000-memory.dmp
memory/3456-36-0x00000000000B0000-0x00000000000B6000-memory.dmp
memory/4668-37-0x0000000000D40000-0x0000000000D46000-memory.dmp
memory/1816-38-0x0000000000B10000-0x0000000000B16000-memory.dmp
memory/2180-39-0x0000000000F10000-0x0000000000F16000-memory.dmp
memory/3276-40-0x0000000000C10000-0x0000000000C16000-memory.dmp
memory/2180-41-0x0000000000F10000-0x0000000000F16000-memory.dmp
memory/3276-42-0x0000000000C10000-0x0000000000C16000-memory.dmp
memory/3844-56-0x0000000000170000-0x0000000000176000-memory.dmp
memory/3844-57-0x00007FF931F8D000-0x00007FF931F8E000-memory.dmp
memory/3844-58-0x00007FF931F8D000-0x00007FF931F8E000-memory.dmp
memory/3844-59-0x00007FF932120000-0x00007FF932121000-memory.dmp
memory/3844-60-0x00007FF932110000-0x00007FF932111000-memory.dmp
memory/3828-61-0x00007FF932100000-0x00007FF932101000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\310091\a620097a1fae45a59581c0b82daa2ba1_1
| MD5 | b3d0c123893eea6835f97da3064decb0 |
| SHA1 | 755b870c154bb30b2dceb32f6c0f701f5a46b973 |
| SHA256 | 2425979698b9abde115b33aa29a85b173c107115e478cbbaafa3a366f20d3400 |
| SHA512 | d16b8b0f6196eda914d12d5157a88711166ca4a681378f37e197d5800cbc8cafd80cf0dc8a1cf01f07b2a9fe615dd77fb4c827d348e7f6624efddff73066d2e1 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338388\19e37f7b0618437fac8f24ccf9fefd2a_1
| MD5 | 0c9d67aae4b0f6a811c1abc1f2b314f4 |
| SHA1 | 5c764149ff58af412d5ee3d4f5a54dcb1f1ba160 |
| SHA256 | 14b667fba7125eed4fc8a4b12ef627514a8c34ee3e091dc80853a0b2525afa0e |
| SHA512 | eca5958561d11f2bc62b9a6df59dbdc915c1b6815b5f1fcb0b8852cd7ee9f962899b29439b1d082192c00fdac52da0ba56202f4cdac5bc6f9b7c81e596810ee7 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\280815\1699019983
| MD5 | 85020d51a75151b5687cd4bc71a1da46 |
| SHA1 | ce0fd9f8474e29ac1bbe5a2f702948cdc09b2e70 |
| SHA256 | 7d72378fabaa357ccea364210645abe6b0944279e05599fce3f366c231fbb806 |
| SHA512 | 377dfcb80b84bc52b3ba146e87c5e5bb4960155a7c57e5ae36115c031289bd5aa1a0c205ae93900bf3cdb03aaa6f12d522469c98704b5f7615e88f7d8fec31ef |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338387\1699019984
| MD5 | 3ba1489ea94bd91d3d35eb8c2b20438a |
| SHA1 | 03bdc897a9eade4b57a6b48655f201ec2c1bd246 |
| SHA256 | 8b94a537eaf0e4d57367d02754871b076eba5d6ecadb191dec16a996d8d2d933 |
| SHA512 | 56883bda6be08dd584d26cefbe4d0bddf7692d855afe040a96507015dc7497684f7a3868015286c54b0713fc9fad448758823fdc29736e473c3721492dfd8a6d |
memory/1636-82-0x0000000000CE0000-0x0000000000CE6000-memory.dmp
memory/2584-84-0x0000000000BC0000-0x0000000000BC6000-memory.dmp
memory/1636-85-0x0000000000CE0000-0x0000000000CE6000-memory.dmp
memory/2812-83-0x0000000000DA0000-0x0000000000DA6000-memory.dmp
memory/1636-86-0x00007FF932110000-0x00007FF932111000-memory.dmp
memory/1636-87-0x00007FF932120000-0x00007FF932121000-memory.dmp
memory/3844-89-0x0000000000170000-0x0000000000176000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\88000045\1699019984
| MD5 | 51964719af723371bbee832b486a493e |
| SHA1 | 22dc3d80635a690e60fc7d0c4c935775c46a35be |
| SHA256 | 640deb67577d3a1af65271f8d270f6b3474cc205a93693e63ef61ae6bf5e1d73 |
| SHA512 | b0ed2c6b7da2454eef27822683c79c695ffa9afbb0ddf95c720907620a08472112bd142f2937a7887731ef6963036678ca5f3758859235967c7f48a1c8c44960 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338389\f26a2b147f4e4bdc992e5d1f29b52a0e_1
| MD5 | 7124b69529d6a27d5dcbfd2c3e6ae0d5 |
| SHA1 | 08aa38d09bdaf73d0745bdee8585701446db0ffe |
| SHA256 | 1548553c689c880a8fe1162a620aae658bd99719714e55e9c17bb8987faa6dfc |
| SHA512 | 5100bce02e279cf0b6348be72482ab06fbe05deb7cbfa5979fffd0e387ea9f213d252c46323672a8e135ee1e95c9d13b63efdace8f988938431a72ffb1ba1897 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat
| MD5 | 90f6b2d67cef8d42b89531fc874237d7 |
| SHA1 | 1968b906ee18f9a28915302dfdcfb80d35904959 |
| SHA256 | 26c7a2a8e8aa3394b7d7fe5545da24fb7a3ef5f891388be1a3f4ae140bd681ec |
| SHA512 | ae1e2d4e526e2d19e950c9c383edaadde24c8d2e20bd89613d889fc74f7d0608ac0c12f2d05db7d375e290ea9865d0a7d7a40d84c1beecd9bd20d5de60f10440 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat
| MD5 | d0e5076143a421d08e9d1a3a98813d4f |
| SHA1 | 2fecb77ae89e48a970e2c2b172dbbdad90adfcea |
| SHA256 | 69eae066fe456449b8ca828d4a3e13ee4900e5a8a39b1e635539cdfd9c9967ba |
| SHA512 | 238a99742048da20279b0ce22647aa8546799532b45d08d17e30c14bbe64e9735b96594fea5f51b8e46c34e712bd151c9b5bbe311e980761d40bce3da4cbd09c |
memory/2852-140-0x00007FF932110000-0x00007FF932111000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat
| MD5 | 1742dba2c4fd1766066d4619d781af17 |
| SHA1 | ebae32a74cca5d3ed1cfbdae5740522805d2c17d |
| SHA256 | cadce029d31a00bccd5773be28b19b1beee2cf32ed66d218709242106236f332 |
| SHA512 | 6cbaa312ff5060d4e65189d5e4b6b99481b3622d23f4508036e9b756fdc7a4efb6325fdcf2d0280d6db14a2131e2e938dfc37a76f92191860a0fa5f46f1d56e4 |
memory/3908-152-0x00007FF932100000-0x00007FF932101000-memory.dmp
memory/3908-153-0x00007FF932120000-0x00007FF932121000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338388\19e37f7b0618437fac8f24ccf9fefd2a_1
| MD5 | 0c9d67aae4b0f6a811c1abc1f2b314f4 |
| SHA1 | 5c764149ff58af412d5ee3d4f5a54dcb1f1ba160 |
| SHA256 | 14b667fba7125eed4fc8a4b12ef627514a8c34ee3e091dc80853a0b2525afa0e |
| SHA512 | eca5958561d11f2bc62b9a6df59dbdc915c1b6815b5f1fcb0b8852cd7ee9f962899b29439b1d082192c00fdac52da0ba56202f4cdac5bc6f9b7c81e596810ee7 |
memory/3828-155-0x00007FF932110000-0x00007FF932111000-memory.dmp
memory/3144-161-0x0000000000900000-0x0000000000906000-memory.dmp
memory/3824-162-0x0000000000DF0000-0x0000000000DF6000-memory.dmp
memory/2548-175-0x0000000000BE0000-0x0000000000BE6000-memory.dmp
memory/3628-177-0x0000000000EE0000-0x0000000000EE6000-memory.dmp
memory/3976-178-0x0000000000A80000-0x0000000000A86000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\AC\BackgroundTransferApi\9d0219c0-9f1a-4db4-9e37-2051e58edb64.up_meta_secure
| MD5 | 2e2a056c7488ed63a58926e5133e1017 |
| SHA1 | 47c732b56c9316c78ba6fce320b91c938feabfdf |
| SHA256 | 250e38bc3de5032e99ae82f6020a6751dcda721759aa1fd084a9e77b7e441594 |
| SHA512 | c593a97a47488f389f3548c576fb1d4289855cd4f0a2101a693c99c93da4fef5fd1697787e7997bc69212491ad04295d8ec373387a5f446b52966fa28c1aa26c |
memory/3976-181-0x00007FF932120000-0x00007FF932121000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\AC\BackgroundTransferApi\24a65a36-c5aa-4bb6-abab-033a220a97cb.up_meta_secure
| MD5 | b541aca23e53ac7e76ffdf66847191b6 |
| SHA1 | a26dd7070de1b676035877e3191f1cd0a6088974 |
| SHA256 | b7197ac81d4ba43dfabc002c32a957931b32e2e4e83846ecef78da4e10cb8375 |
| SHA512 | 0efb9ee9eaf67e055846290a681f84138faf066933c0b7ad8047f5a05c076c4a9bbca05d0fff293b678631b7755745cd84bf1877e25ffd7543ce2878b569c4dc |
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\AC\BackgroundTransferApi\f4150ad0-1445-4ca9-b45f-8dd86595bd73.up_meta_secure
| MD5 | 52e997dc27af7de5db70395744cda6a3 |
| SHA1 | 737dc15397d11d09809f99ed10965cc1f59507b9 |
| SHA256 | 5bc4f6ffd1f6c8b757a2f17b2ea5c4c08ecc5b47680c4119cae6c75a7a1edc42 |
| SHA512 | 67e6b6b25c2752c08e5d065663f5235fa1c497e1b95765819a8af9dd4416ecec23fc26f895f4590a6dc466c85193256950e54806d0f425fbe5507eb74ca7022b |
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\AC\BackgroundTransferApi\522b668d-4d52-4de0-bc16-e122645b30a0.up_meta_secure
| MD5 | 7b1afc470beb9f270045742e8b4c3d70 |
| SHA1 | 1b8ecd119bd712c0d2ed87c9b2f2ae724a09d463 |
| SHA256 | 1c6ea7343a1dff6a238695d448dbab26463b5bf9079a436f9ebeeb92979ab263 |
| SHA512 | 97e26405cab8c9abe3114eb4946d5382664a5501ce3c52f063fb422e45902dd47dd3454db499e6d65138a5457997315d09c8f8f6ea52dae40ad0ec41ca22bbde |
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\AC\BackgroundTransferApi\c0ede79d-e3b3-41b6-98a3-966aa2f61d55.up_meta_secure
| MD5 | b748153530a61da95a6a3a7d70612033 |
| SHA1 | 1127bef8e46ff3210e514d0352c27bb3cbc35c6d |
| SHA256 | 381bee55a34142cf4dab807bd71816b3c4660d3d4875f23bda1ed1cea2005af3 |
| SHA512 | cd6e46009208d7dd9529264d6f965e1566b854aab66d4b5c27aed09397fc67c9b07f6cd63fde8ff9078327aaccc07b17f931ebdbe14784be2ac39383b1bb7aaa |
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\AC\BackgroundTransferApi\2ea96afe-7d5f-40d9-a86a-d405f6410638.up_meta_secure
| MD5 | 5270123b733c232c06e0376d95c27d6c |
| SHA1 | a6f8c12429b5ca8d92d59229b99fb3d032e416bd |
| SHA256 | 8ecf1d845247d0d1fe694e53f20892753694572b2e09b11437760a0d051327d4 |
| SHA512 | 8a4e5dd20d057f1290c5ac4d698dcc3119b8d08a643a451c9aa8f70385231ffa3a32ab5b7e3a904d98addf7a0764d5d1a0f400df362a479d22229f2e3654abb1 |
memory/3052-197-0x0000000000070000-0x0000000000076000-memory.dmp
memory/2140-198-0x0000000000860000-0x0000000000866000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\2ea96afe-7d5f-40d9-a86a-d405f6410638.down_data
| MD5 | f90cdc0e3343573cd2b4da0fdd33a1c1 |
| SHA1 | 4ab0517cfc0af8c6da75b838436a06cd42c594cf |
| SHA256 | ccd8f98101dd279640c7297320b25a2c070bc15649292be9439d32237d12d4a4 |
| SHA512 | e77f5f89f58a14a7800ec33d59dd06c09ca033cd668e82655ea0f3de87b1081c0e84708bac9075ad4b28e8f50cddbde8e2697b69bdaf06b22ee0fd6ed4963346 |
memory/3396-216-0x0000000000330000-0x0000000000336000-memory.dmp
memory/2620-217-0x0000000000E90000-0x0000000000E96000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\9d0219c0-9f1a-4db4-9e37-2051e58edb64.down_data
| MD5 | 599eef7b84ff38227330ff9d5cef2897 |
| SHA1 | 05a2f7782b4679b791a36cd1095be68d1e125161 |
| SHA256 | 90a550a5cc968f68d395adaad841e94873463ac169e8e8f2cfff25f8ca8393c1 |
| SHA512 | a2800be4ef480073876015d620030713667a61545f2f4ecb8cdaabfd6afdb1a5186747c59005c761214174b241a1f85e5932cca40635863203886488e804636c |
memory/3976-231-0x0000000000A80000-0x0000000000A86000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\c0ede79d-e3b3-41b6-98a3-966aa2f61d55.down_data
| MD5 | 9d71a526ba28fb9c9775300210bda85e |
| SHA1 | e0e1065609d670ef238e84891835790f3fbd3db0 |
| SHA256 | 9090583af0692046b9bf104a3e2215e490b1fa0d4e8a07bea9a7d20d02635e43 |
| SHA512 | 36c057ee94f73216b48be399306c80132330a4a8f936aa113477b78565398517d34469fd55caef33458112c3a019f9b24a8e2b46e0bfaf474703bf2086a52be6 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\24a65a36-c5aa-4bb6-abab-033a220a97cb.down_data
| MD5 | 89526b955721626da7e22caaccccaba5 |
| SHA1 | 4e42e7133e08f7af25601a8259c704362b42153e |
| SHA256 | 0084d5f5c1fc6a25c82013770e722aa86cd2abb96777d9970e5980d7e0636249 |
| SHA512 | 23cab08ef5307ac63a5e0cbcc0c8d5fe59682658bd3faf4f8d44c0f0e16bc8e853f44b6c6975e100519f8f48584642812d9ea8aa721c873ae9ec6b3ba6568a73 |
memory/4612-272-0x00000000008D0000-0x00000000008D6000-memory.dmp
memory/4800-273-0x0000000000BD0000-0x0000000000BD6000-memory.dmp
memory/1124-280-0x0000000000AE0000-0x0000000000AE6000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\AC\BackgroundTransferApi\4cad568f-7fae-4ad9-b2b2-7cdafcf7e9a9.up_meta_secure
| MD5 | 5270123b733c232c06e0376d95c27d6c |
| SHA1 | a6f8c12429b5ca8d92d59229b99fb3d032e416bd |
| SHA256 | 8ecf1d845247d0d1fe694e53f20892753694572b2e09b11437760a0d051327d4 |
| SHA512 | 8a4e5dd20d057f1290c5ac4d698dcc3119b8d08a643a451c9aa8f70385231ffa3a32ab5b7e3a904d98addf7a0764d5d1a0f400df362a479d22229f2e3654abb1 |
memory/1124-291-0x00007FF932110000-0x00007FF932111000-memory.dmp
memory/1124-292-0x00007FF932100000-0x00007FF932101000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\AC\BackgroundTransferApi\95114e98-2ded-4de7-990c-e0cfbc5772fb.up_meta_secure
| MD5 | b748153530a61da95a6a3a7d70612033 |