Analysis Overview
SHA256
f4951af3a8a40e695932a7e0fe4ecc68ccb4b4e9648388c65f28e61643e4f7ac
Threat Level: Known bad
The file NEAS.a3f4e45e9e12eb439bae0b3c5a5ef560.exe was found to be: Known bad.
Malicious Activity Summary
Tinba / TinyBanker
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious use of UnmapMainImage
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-12 12:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-12 12:46
Reported
2023-11-12 12:51
Platform
win7-20231020-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Tinba / TinyBanker
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\8C142DFD = "C:\\Users\\Admin\\AppData\\Roaming\\8C142DFD\\bin.exe" | C:\Windows\SysWOW64\winver.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Users\Admin\AppData\Local\Temp\NEAS.a3f4e45e9e12eb439bae0b3c5a5ef560.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a3f4e45e9e12eb439bae0b3c5a5ef560.exe"
C:\Windows\SysWOW64\winver.exe
winver
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | brureservtestot.cc | udp |
| US | 8.8.8.8:53 | qytufpscigbb.com | udp |
| US | 216.218.185.162:80 | qytufpscigbb.com | tcp |
| US | 8.8.8.8:53 | qytufpscigbb.net | udp |
| US | 216.218.185.162:80 | qytufpscigbb.net | tcp |
Files
memory/1916-0-0x0000000002750000-0x0000000002752000-memory.dmp
memory/1916-2-0x0000000002860000-0x0000000003260000-memory.dmp
memory/1228-1-0x0000000002A00000-0x0000000002A06000-memory.dmp
memory/2072-4-0x0000000000140000-0x0000000000146000-memory.dmp
memory/2072-5-0x0000000000140000-0x0000000000146000-memory.dmp
memory/1228-6-0x0000000002A00000-0x0000000002A06000-memory.dmp
memory/1228-3-0x0000000002A00000-0x0000000002A06000-memory.dmp
memory/2072-7-0x0000000000B00000-0x0000000000B16000-memory.dmp
memory/2072-8-0x0000000000140000-0x0000000000146000-memory.dmp
memory/1228-9-0x00000000774E1000-0x00000000774E2000-memory.dmp
memory/2072-12-0x0000000077690000-0x0000000077691000-memory.dmp
memory/2072-11-0x000000007768F000-0x0000000077691000-memory.dmp
memory/2072-10-0x000000007768F000-0x0000000077690000-memory.dmp
memory/1916-13-0x0000000000400000-0x0000000000DC7000-memory.dmp
memory/1916-14-0x0000000002860000-0x0000000003260000-memory.dmp
memory/1104-16-0x0000000000250000-0x0000000000256000-memory.dmp
memory/1104-18-0x0000000000250000-0x0000000000256000-memory.dmp
memory/1188-21-0x0000000000120000-0x0000000000126000-memory.dmp
memory/1104-20-0x00000000774E1000-0x00000000774E2000-memory.dmp
memory/1188-22-0x0000000000120000-0x0000000000126000-memory.dmp
memory/2072-24-0x0000000000190000-0x0000000000191000-memory.dmp
memory/2072-25-0x0000000000370000-0x0000000000371000-memory.dmp
memory/1228-28-0x0000000077670000-0x0000000077671000-memory.dmp
memory/2072-30-0x0000000000140000-0x0000000000146000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-12 12:46
Reported
2023-11-12 12:51
Platform
win10v2004-20231023-en
Max time kernel
162s
Max time network
180s
Command Line
Signatures
Tinba / TinyBanker
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5D03D106 = "C:\\Users\\Admin\\AppData\\Roaming\\5D03D106\\bin.exe" | C:\Windows\SysWOW64\winver.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b70d7e95-6935-4ab0- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0482d84-c929-4c23- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\840ec328-c289-48da- = 05b6a6b96615da01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0482d84-c929-4c23- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\840ec328-c289-48da- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\1c6f353f583621cb2fa46f61353945e0efe1a316010059f3d6fb664ad0a3f383" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\840ec328-c289-48da- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8e75f3c3-749a-4cd8- = 1451b3b96615da01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1657d5fb-29d0-4d5b- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd825837-279a-465b- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0482d84-c929-4c23- = 647187b96615da01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b70d7e95-6935-4ab0- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b70d7e95-6935-4ab0- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\24aef059f8fa6c725cf54f8d1838c8604e9c232f433a731fb5d44ddd775fba30" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0482d84-c929-4c23- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\782583e955e6fc240556a90133d464a58cf3474021294458118301378a30f1a8" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8e75f3c3-749a-4cd8- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\840ec328-c289-48da- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\MuiCache | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd825837-279a-465b- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\090b9c510358f3c6268e3d870310e41a834bf51f03d0ade7c8e5b19e232dd816" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0482d84-c929-4c23- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5a9e9552-c81b-4b32- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\840ec328-c289-48da- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1ed30503-2a68-40ea- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c50c66a9-420d-4ddb- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd825837-279a-465b- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd825837-279a-465b- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd825837-279a-465b- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\840ec328-c289-48da- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1ed30503-2a68-40ea- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1ed30503-2a68-40ea- = 7688c1b96615da01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\381b6451-9f35-41d6- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd825837-279a-465b- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000c7a279b96615da01c7a279b96615da01c7a279b96615da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000006c573a662000303930623963353130333538663363363236386533643837303331306534316138333462663531663033643061646537633865356231396532333264643831360000b20009000400efbe6c573a666c573a662e000000000000000000000000000000000000000000000000003975fc00300039003000620039006300350031003000330035003800660033006300360032003600380065003300640038003700300033003100300065003400310061003800330034006200660035003100660030003300640030006100640065003700630038006500350062003100390065003200330032006400640038003100360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000006de94b2b1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c30393062396335313033353866336336323638653364383730333130653431613833346266353166303364306164653763386535623139653233326464383136000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000666575747a6369690000000000000000aa66e0c271c14945b47c5aad1972038d3ec7cf97a771ee1192aa4ad554a74236aa66e0c271c14945b47c5aad1972038d3ec7cf97a771ee1192aa4ad554a74236ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0033003100320035003600300031003200340032002d003300330031003400340037003500390033002d0031003500310032003800320038003400360035002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000064ad0c2000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8e75f3c3-749a-4cd8- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8e75f3c3-749a-4cd8- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\4111bde53dd41ee17abf72377c4a0e7112293fd0b06e8216de61e408f05d2591" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\840ec328-c289-48da- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8e75f3c3-749a-4cd8- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1ed30503-2a68-40ea- = "\\\\?\\Volume{C2D04A06-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\cfc7d9ad22adbba8ffee5551330292bd003d3696cd1de6105ea9797a21b6c064" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b70d7e95-6935-4ab0- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0482d84-c929-4c23- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1ed30503-2a68-40ea- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1ed30503-2a68-40ea- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000243cb5b96615da01243cb5b96615da01243cb5b96615da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000006c573a662000636663376439616432326164626261386666656535353531333330323932626430303364333639366364316465363130356561393739376132316236633036340000b20009000400efbe6c573a666c573a662e00000000000000000000000000000000000000000000000000dcdbc000630066006300370064003900610064003200320061006400620062006100380066006600650065003500350035003100330033003000320039003200620064003000300033006400330036003900360063006400310064006500360031003000350065006100390037003900370061003200310062003600630030003600340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000006de94b2b1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c63666337643961643232616462626138666665653535353133333032393262643030336433363936636431646536313035656139373937613231623663303634000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000666575747a6369690000000000000000aa66e0c271c14945b47c5aad1972038d42c7cf97a771ee1192aa4ad554a74236aa66e0c271c14945b47c5aad1972038d42c7cf97a771ee1192aa4ad554a74236ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0033003100320035003600300031003200340032002d003300330031003400340037003500390033002d0031003500310032003800320038003400360035002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000064ad0c2000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b70d7e95-6935-4ab0- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b70d7e95-6935-4ab0- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000006acb61b96615da016acb61b96615da016acb61b96615da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000006c573a662000323461656630353966386661366337323563663534663864313833386338363034653963323332663433336137333166623564343464646437373566626133300000b20009000400efbe6c573a666c573a662e00000000000000000000000000000000000000000000000000964c1401320034006100650066003000350039006600380066006100360063003700320035006300660035003400660038006400310038003300380063003800360030003400650039006300320033003200660034003300330061003700330031006600620035006400340034006400640064003700370035006600620061003300300000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000006de94b2b1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c32346165663035396638666136633732356366353466386431383338633836303465396332333266343333613733316662356434346464643737356662613330000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000666575747a6369690000000000000000aa66e0c271c14945b47c5aad1972038d3dc7cf97a771ee1192aa4ad554a74236aa66e0c271c14945b47c5aad1972038d3dc7cf97a771ee1192aa4ad554a74236ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0033003100320035003600300031003200340032002d003300330031003400340037003500390033002d0031003500310032003800320038003400360035002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000064ad0c2000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0482d84-c929-4c23- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000e7c880b96615da01e7c880b96615da01e7c880b96615da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000006c573a662000373832353833653935356536666332343035353661393031333364343634613538636633343734303231323934343538313138333031333738613330663161380000b20009000400efbe6c573a666c573a662e00000000000000000000000000000000000000000000000000194ff500370038003200350038003300650039003500350065003600660063003200340030003500350036006100390030003100330033006400340036003400610035003800630066003300340037003400300032003100320039003400340035003800310031003800330030003100330037003800610033003000660031006100380000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000006de94b2b1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37383235383365393535653666633234303535366139303133336434363461353863663334373430323132393434353831313833303133373861333066316138000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000666575747a6369690000000000000000aa66e0c271c14945b47c5aad1972038d3fc7cf97a771ee1192aa4ad554a74236aa66e0c271c14945b47c5aad1972038d3fc7cf97a771ee1192aa4ad554a74236ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0033003100320035003600300031003200340032002d003300330031003400340037003500390033002d0031003500310032003800320038003400360035002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000064ad0c2000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a0482d84-c929-4c23- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1ed30503-2a68-40ea- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8e75f3c3-749a-4cd8- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8e75f3c3-749a-4cd8- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000d150a9b96615da01d150a9b96615da01d150a9b96615da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000006c573a662000343131316264653533646434316565313761626637323337376334613065373131323239336664306230366538323136646536316534303866303564323539310000b20009000400efbe6c573a666c573a662e000000000000000000000000000000000000000000000000002fc7cc00340031003100310062006400650035003300640064003400310065006500310037006100620066003700320033003700370063003400610030006500370031003100320032003900330066006400300062003000360065003800320031003600640065003600310065003400300038006600300035006400320035003900310000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000006de94b2b1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c34313131626465353364643431656531376162663732333737633461306537313132323933666430623036653832313664653631653430386630356432353931000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000666575747a6369690000000000000000aa66e0c271c14945b47c5aad1972038d41c7cf97a771ee1192aa4ad554a74236aa66e0c271c14945b47c5aad1972038d41c7cf97a771ee1192aa4ad554a74236ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0033003100320035003600300031003200340032002d003300330031003400340037003500390033002d0031003500310032003800320038003400360035002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000064ad0c2000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1ed30503-2a68-40ea- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b70d7e95-6935-4ab0- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\840ec328-c289-48da- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000001b039bb96615da011b039bb96615da011b039bb96615da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000006c573a662000316336663335336635383336323163623266613436663631333533393435653065666531613331363031303035396633643666623636346164306133663338330000b20009000400efbe6c573a666c573a662e00000000000000000000000000000000000000000000000000e514db00310063003600660033003500330066003500380033003600320031006300620032006600610034003600660036003100330035003300390034003500650030006500660065003100610033003100360030003100300030003500390066003300640036006600620036003600340061006400300061003300660033003800330000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000006de94b2b1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c31633666333533663538333632316362326661343666363133353339343565306566653161333136303130303539663364366662363634616430613366333833000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000666575747a6369690000000000000000aa66e0c271c14945b47c5aad1972038d40c7cf97a771ee1192aa4ad554a74236aa66e0c271c14945b47c5aad1972038d40c7cf97a771ee1192aa4ad554a74236ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0033003100320035003600300031003200340032002d003300330031003400340037003500390033002d0031003500310032003800320038003400360035002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000064ad0c2000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd825837-279a-465b- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8e75f3c3-749a-4cd8- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6c740e7c-068f-44f3- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\558bb83e-4a38-442e- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b70d7e95-6935-4ab0- = 69e569b96615da01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cd825837-279a-465b- = 83bb81b96615da01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Users\Admin\AppData\Local\Temp\NEAS.a3f4e45e9e12eb439bae0b3c5a5ef560.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a3f4e45e9e12eb439bae0b3c5a5ef560.exe"
C:\Windows\SysWOW64\winver.exe
winver
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3676 -s 1000
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3244 -s 960
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | brureservtestot.cc | udp |
| US | 8.8.8.8:53 | qytufpscigbb.com | udp |
| US | 216.218.185.162:80 | qytufpscigbb.com | tcp |
| US | 8.8.8.8:53 | qytufpscigbb.net | udp |
| US | 8.8.8.8:53 | 162.185.218.216.in-addr.arpa | udp |
| US | 216.218.185.162:80 | qytufpscigbb.net | tcp |
| US | 8.8.8.8:53 | qytufpscigbb.in | udp |
| US | 216.218.185.162:80 | qytufpscigbb.in | tcp |
| US | 8.8.8.8:53 | qytufpscigbb.ru | udp |
| US | 162.249.66.125:80 | qytufpscigbb.ru | tcp |
| US | 8.8.8.8:53 | ghoyvkjbnldc.com | udp |
| US | 216.218.185.162:80 | ghoyvkjbnldc.com | tcp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
Files
memory/1928-0-0x0000000001440000-0x0000000001442000-memory.dmp
memory/1928-1-0x0000000002DF0000-0x00000000037F0000-memory.dmp
memory/1076-3-0x00000000027D0000-0x00000000027D6000-memory.dmp
memory/1076-2-0x00000000004D0000-0x00000000004E2000-memory.dmp
memory/1076-5-0x00000000027D0000-0x00000000027D6000-memory.dmp
memory/1076-7-0x00000000027D0000-0x00000000027D6000-memory.dmp
memory/3100-6-0x00000000030A0000-0x00000000030A6000-memory.dmp
memory/3100-8-0x00007FF914B4D000-0x00007FF914B4E000-memory.dmp
memory/1076-9-0x0000000077592000-0x0000000077593000-memory.dmp
memory/2448-10-0x0000000000230000-0x0000000000236000-memory.dmp
memory/2480-11-0x0000000000290000-0x0000000000296000-memory.dmp
memory/2768-12-0x0000000000850000-0x0000000000856000-memory.dmp
memory/2448-13-0x0000000000230000-0x0000000000236000-memory.dmp
memory/3100-14-0x0000000003090000-0x0000000003096000-memory.dmp
memory/2480-15-0x0000000000290000-0x0000000000296000-memory.dmp
memory/3676-18-0x0000000000530000-0x0000000000536000-memory.dmp
memory/3408-16-0x0000000000C20000-0x0000000000C26000-memory.dmp
memory/2768-17-0x0000000000850000-0x0000000000856000-memory.dmp
memory/3100-19-0x0000000003090000-0x0000000003096000-memory.dmp
memory/3816-20-0x0000000000680000-0x0000000000686000-memory.dmp
memory/3408-22-0x0000000000C20000-0x0000000000C26000-memory.dmp
memory/3884-21-0x0000000000B40000-0x0000000000B46000-memory.dmp
memory/3816-24-0x0000000000680000-0x0000000000686000-memory.dmp
memory/3500-25-0x00000000007E0000-0x00000000007E6000-memory.dmp
memory/4028-23-0x0000000000D20000-0x0000000000D26000-memory.dmp
memory/3884-26-0x0000000000B40000-0x0000000000B46000-memory.dmp
memory/4256-27-0x0000000000010000-0x0000000000016000-memory.dmp
memory/4856-28-0x0000000000910000-0x0000000000916000-memory.dmp
memory/1928-29-0x0000000002DF0000-0x00000000037F0000-memory.dmp
memory/4256-30-0x0000000000010000-0x0000000000016000-memory.dmp
memory/4856-32-0x0000000000910000-0x0000000000916000-memory.dmp
memory/3912-33-0x0000000000960000-0x0000000000966000-memory.dmp
memory/3500-31-0x00000000007E0000-0x00000000007E6000-memory.dmp
memory/3172-34-0x0000000000750000-0x0000000000756000-memory.dmp
memory/4432-35-0x00000000007D0000-0x00000000007D6000-memory.dmp
memory/4432-36-0x00000000007D0000-0x00000000007D6000-memory.dmp
memory/1076-37-0x0000000002C90000-0x0000000002C96000-memory.dmp
memory/1076-38-0x0000000002C90000-0x0000000002C96000-memory.dmp
memory/1928-39-0x0000000000400000-0x0000000000DC7000-memory.dmp
memory/3100-40-0x00007FF914CC0000-0x00007FF914CC1000-memory.dmp
memory/5008-42-0x00000000006D0000-0x00000000006D6000-memory.dmp
memory/4432-55-0x00007FF914CE0000-0x00007FF914CE1000-memory.dmp
memory/5008-56-0x00007FF914CC0000-0x00007FF914CC1000-memory.dmp
memory/3776-57-0x0000000000AC0000-0x0000000000AC6000-memory.dmp
memory/3776-58-0x0000000000AC0000-0x0000000000AC6000-memory.dmp
memory/3776-59-0x00007FF914CE0000-0x00007FF914CE1000-memory.dmp
memory/5008-62-0x00007FF914CD0000-0x00007FF914CD1000-memory.dmp
memory/4432-69-0x00007FF914CD0000-0x00007FF914CD1000-memory.dmp
memory/4432-71-0x00007FF914CC0000-0x00007FF914CC1000-memory.dmp
memory/3816-72-0x00007FF914CC0000-0x00007FF914CC1000-memory.dmp
memory/3776-73-0x00007FF914CD0000-0x00007FF914CD1000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat
| MD5 | 8a500f668ffcf72023c003373e14905d |
| SHA1 | a437c4ec7ae467ff15f387e207de8a5f108ee84f |
| SHA256 | 41475a965928bf6d532e643c4a07b55099f042887766f638f69c062e902c8580 |
| SHA512 | 0a5e8038c0995d822a7c87ed7dfd4a370f53a98346185e5b4f05ecbc7da6bbd0f5989471d85a65ea61e8a3700d63b46799c1dcc234ba15d8e5b04d57cfca795a |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat
| MD5 | 74ee52a00f03d79c9c0ff6306e81e9a7 |
| SHA1 | 8d5300c915739fe5dc428949acd10b461e6c5581 |
| SHA256 | 7eef6ad2bca45c94e14d1875cecd7b9cfb38f34797fd87117f9618993ddc24a7 |
| SHA512 | 4316dc203ec28f469c047236aaab64f562de753e03468c22cc97aa11f14ccc0575ce73611658fe6e0b19d6c7d0681a26c0161b6ce091be7e343fe6e796761a9c |
memory/4416-90-0x0000000000190000-0x0000000000196000-memory.dmp
memory/3244-89-0x00000000000A0000-0x00000000000A6000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\88000045\1699793380
| MD5 | e4ef64225f1cebb14817a18fad1d1fac |
| SHA1 | 92ee2bb6f1541b069124c9035b49f1931031a566 |
| SHA256 | 9601b59a5f0f5d99fa341b79d6e5ceba554f1dbe6d070f9384cfd5c0304d4638 |
| SHA512 | 632fdbfea24a5d6084f1bd352487e98696b28404bec9817c23d7506ba4c45d41b70307d03744923260ff5bd5187dbbd55756ca9b039e9e3ae8d1c004c526642e |
memory/3696-112-0x0000000000E70000-0x0000000000E76000-memory.dmp
memory/3696-113-0x0000000000E70000-0x0000000000E76000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\280815\1699793380
| MD5 | 250a04505ca31df1d7998c202862318e |
| SHA1 | ce96d060d0f42eca05f1e26857211389275d7273 |
| SHA256 | c76003040ca8647bfa26d90e9b9284d94a409f1f70b47483a1cb808be0c39d63 |
| SHA512 | 533221d0f99521b98dfdf60010e66310a07119450d8b69fcaaa04a6f43046f10928d00c368647f27ed5282d2a85f0562f72ec76a31c76238178d80425d587b2a |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338389\b659a045c9bb4c4fa13f1a7687f968b7_1
| MD5 | b0a070916145e1eb2d59ce9dd68f82f8 |
| SHA1 | 20efa315bc32e81185786128511e5fb500e03e7b |
| SHA256 | 1c2d46c1ff3585a74c48408318b5dd91ccddc9e25377dde4378c34a82ec96651 |
| SHA512 | 114f99585084d37fdeea018dbc1396a0118089d987115defed15a7098259b815e8dc1beb92c1ab96775c99fd70d36dedc6434599b476ffa39d16c05c5cb7f742 |
memory/3696-131-0x00007FF914CC0000-0x00007FF914CC1000-memory.dmp
memory/3696-134-0x00007FF914CD0000-0x00007FF914CD1000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\eventbeacons.dat
| MD5 | 40bf8fd54bf4b33dd5831e97a07fb1c4 |
| SHA1 | d9639bb5e182c65e09bbbd88236eeffaead1606b |
| SHA256 | a601d4220f99cf811cc0b61b7861f1466758ca062b69cdb855111419b7e07a2f |
| SHA512 | 5164ab75d63ef715f63e9b0e04c6a482ef93ed73566eb520603e69bcd24daea713f5165a265b420c0c7b190227b8b7401a3b25db4b0a8fcd0c6fbb1e9bdd8306 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338387\1699793380
| MD5 | 638512b43d2d91b6e468034c8bc873a5 |
| SHA1 | 01704fbe3748bc6c437ac45e13cbcd54f02a6575 |
| SHA256 | 31394914e1f8509d9a831143bbd522669b04bcd757053442180bb744dcbab853 |
| SHA512 | cf21a61cc91e5b256b2927870450386abd95ae3de57aa9c2c9ea23a5d679ab23466938c2e68c2bc742e27aa02833a7707f5db263f60494595d53292c1e9d1c42 |
memory/3884-160-0x00007FF914CC0000-0x00007FF914CC1000-memory.dmp
memory/3884-161-0x00007FF914CE0000-0x00007FF914CE1000-memory.dmp
memory/3884-162-0x00007FF914CD0000-0x00007FF914CD1000-memory.dmp
memory/3816-163-0x00007FF914CD0000-0x00007FF914CD1000-memory.dmp
memory/2448-164-0x00007FF914CD0000-0x00007FF914CD1000-memory.dmp
memory/1120-165-0x0000000000B10000-0x0000000000B16000-memory.dmp
memory/4824-166-0x0000000000CE0000-0x0000000000CE6000-memory.dmp
memory/4244-169-0x0000000000860000-0x0000000000866000-memory.dmp
memory/4244-170-0x0000000000860000-0x0000000000866000-memory.dmp
memory/1552-186-0x0000000000A00000-0x0000000000A06000-memory.dmp
memory/2176-187-0x0000000000E80000-0x0000000000E86000-memory.dmp
memory/1648-190-0x0000000000BD0000-0x0000000000BD6000-memory.dmp
memory/1648-191-0x0000000000BD0000-0x0000000000BD6000-memory.dmp
memory/2524-193-0x0000000000B00000-0x0000000000B06000-memory.dmp
memory/1036-194-0x00000000008A0000-0x00000000008A6000-memory.dmp
memory/3100-198-0x00007FF914CD0000-0x00007FF914CD1000-memory.dmp
memory/2816-199-0x0000000000460000-0x0000000000466000-memory.dmp
memory/2816-200-0x0000000000460000-0x0000000000466000-memory.dmp
memory/2816-201-0x00007FF914CE0000-0x00007FF914CE1000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\280815\1699793380
| MD5 | 250a04505ca31df1d7998c202862318e |
| SHA1 | ce96d060d0f42eca05f1e26857211389275d7273 |
| SHA256 | c76003040ca8647bfa26d90e9b9284d94a409f1f70b47483a1cb808be0c39d63 |
| SHA512 | 533221d0f99521b98dfdf60010e66310a07119450d8b69fcaaa04a6f43046f10928d00c368647f27ed5282d2a85f0562f72ec76a31c76238178d80425d587b2a |
memory/2816-203-0x00007FF914CD0000-0x00007FF914CD1000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\88000045\1699793380
| MD5 | e4ef64225f1cebb14817a18fad1d1fac |
| SHA1 | 92ee2bb6f1541b069124c9035b49f1931031a566 |
| SHA256 | 9601b59a5f0f5d99fa341b79d6e5ceba554f1dbe6d070f9384cfd5c0304d4638 |
| SHA512 | 632fdbfea24a5d6084f1bd352487e98696b28404bec9817c23d7506ba4c45d41b70307d03744923260ff5bd5187dbbd55756ca9b039e9e3ae8d1c004c526642e |