Windows Analysis Report
LEC3KQZZqZ

Overview

General Information

Sample name:LEC3KQZZqZ
renamed because original name is a hash value
Original sample name:6ed466a2a6eeb83d1ff32ba44180352cf0a9ccc72b47e5bd55c1750157c8dc4c
Analysis ID:1615970
MD5:cfb539cb3a6cb0409d3bb289ba151c51
SHA1:cfe92942da955d37844c81870aa705fcc1122b24
SHA256:6ed466a2a6eeb83d1ff32ba44180352cf0a9ccc72b47e5bd55c1750157c8dc4c

Detection

Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Uses nslookup.exe to query domains
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

  • System is w10x64_ra
  • LEC3KQZZqZ.exe (PID: 6856 cmdline: "C:\Users\user\Desktop\LEC3KQZZqZ.exe" MD5: CFB539CB3A6CB0409D3BB289BA151C51)
    • svchost.exe (PID: 804 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • backgroundTaskHost.exe (PID: 6764 cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca MD5: DA7063B17DBB8BBB3015351016868006)
      • RuntimeBroker.exe (PID: 5528 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
      • backgroundTaskHost.exe (PID: 6700 cmdline: "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider MD5: DA7063B17DBB8BBB3015351016868006)
      • Music.UI.exe (PID: 3992 cmdline: "C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe" -ServerName:Microsoft.ZuneMusic.AppX48dcrcgzqqdshm3kf61t0cm5e9pyd6h6.mca MD5: F963F75C0AD152437E10D656A00793A3)
      • dllhost.exe (PID: 3028 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
      • RuntimeBroker.exe (PID: 6448 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
      • BackgroundTransferHost.exe (PID: 4308 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: C5D813D92E83CDE3FECD9343933E3421)
      • backgroundTaskHost.exe (PID: 6972 cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXr6cxj2m7qt53ysmsgy75gtey09djqa6k.mca MD5: DA7063B17DBB8BBB3015351016868006)
      • BackgroundTransferHost.exe (PID: 1976 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: C5D813D92E83CDE3FECD9343933E3421)
      • BackgroundTransferHost.exe (PID: 3924 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: C5D813D92E83CDE3FECD9343933E3421)
      • dllhost.exe (PID: 6568 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
      • backgroundTaskHost.exe (PID: 4060 cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca MD5: DA7063B17DBB8BBB3015351016868006)
      • BackgroundTransferHost.exe (PID: 7024 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: C5D813D92E83CDE3FECD9343933E3421)
      • BackgroundTransferHost.exe (PID: 7152 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: C5D813D92E83CDE3FECD9343933E3421)
      • rundll32.exe (PID: 1488 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
    • douyin.exe (PID: 5444 cmdline: "C:\Program Files (x86)\Common Files\System\douyin.exe" MD5: 0B2D06172A753DCF8FBAB1FC34FFC8D9)
      • conhost.exe (PID: 5868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • nslookup.exe (PID: 2276 cmdline: "C:\Windows\System32\nslookup.exe" MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)
        • conhost.exe (PID: 4528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source: sslproxydump.pcap | Rule: Windows_Trojan_Donutloader_f40e3759 | Description: unknown | Author: unknown | Strings:
  • 0x15b05a:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x15e8d8:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Source: C:\Program Files (x86)\Common Files\System\mpclient.dat | Rule: Windows_Trojan_Donutloader_f40e3759 | Description: unknown | Author: unknown | Strings:
  • 0x4bb08:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x4f03e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Source: 0000000E.00000002.2541066482.0000000003220000.00000040.00000400.00020000.00000000.sdmp | Rule: Windows_Trojan_Donutloader_f40e3759 | Description: unknown | Author: unknown | Strings:
  • 0x4bb08:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x4f03e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Source: 00000000.00000002.1421776629.0000000004D03000.00000004.00000800.00020000.00000000.sdmp | Rule: Windows_Trojan_Donutloader_f40e3759 | Description: unknown | Author: unknown | Strings:
  • 0x1362:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
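The two hex strings above are everything this page shows of the Donutloader rule. The following Python is an added example, not part of the Joe Sandbox report and not the rule's own source: it re-implements those two strings as a plain byte search over a file or memory dump and prints hits in the same offset:$name form the report uses, so a match offset can be reproduced without yara installed. The rule's real condition is not shown on the page, so "any of them" is assumed, and the buffer that build_sample() produces is constructed here, not taken from the sample.

```python
"""Minimal byte-pattern scanner for the two hex strings that the community Yara
rule Windows_Trojan_Donutloader_f40e3759 matched in this report ($x64, $x86).

Added example, not part of the Joe Sandbox report and not the Yara rule's own
source. The rule's condition is not shown on the page; 'any of them' is assumed.
The buffer built by build_sample() is constructed here for demonstration."""
import sys
from typing import Dict, List

# Hex strings exactly as quoted in the report's Yara overview.
DONUT_PATTERNS: Dict[str, bytes] = {
    "$x64": bytes.fromhex("06 B8 03 40 00 80 C3 4C 8B 49 10 49"),
    "$x86": bytes.fromhex("04 75 EE 89 31 F0 FF 46 04 33 C0 EB"),
}


def find_all(data: bytes, pattern: bytes) -> List[int]:
    """Every offset of pattern in data, including overlapping occurrences."""
    offsets: List[int] = []
    i = data.find(pattern)
    while i != -1:
        offsets.append(i)
        i = data.find(pattern, i + 1)
    return offsets


def scan(data: bytes, patterns: Dict[str, bytes] = DONUT_PATTERNS) -> Dict[str, List[int]]:
    """Map each string name to the offsets at which it occurs in data."""
    return {name: find_all(data, pat) for name, pat in patterns.items()}


def matches(data: bytes) -> bool:
    """Assumed condition 'any of them': one hit of either string is a match."""
    return any(scan(data).values())


def build_sample(x64_at: int, x86_at: int, size: int = 0x200) -> bytes:
    """Constructed test buffer: zero padding with both strings planted at fixed offsets."""
    buf = bytearray(size)
    for name, offset in (("$x64", x64_at), ("$x86", x86_at)):
        pat = DONUT_PATTERNS[name]
        buf[offset:offset + len(pat)] = pat
    return bytes(buf)


def report(data: bytes) -> List[str]:
    """Lines in the same 'offset:$name: hex' shape the Joe Sandbox Yara overview uses."""
    lines: List[str] = []
    for name, offsets in scan(data).items():
        for off in offsets:
            lines.append(f"{off:#x}:{name}: {DONUT_PATTERNS[name].hex(' ').upper()}")
    return lines


if __name__ == "__main__":
    # Pass a dropped file or .sdmp dump as argv[1]; otherwise scan the constructed buffer.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(0x40, 0x100)
    print("match" if matches(data) else "no match")
    for line in report(data):
        print("  " + line)
```

Running it against the dropped mpclient.dat should reproduce the 0x4bb08 / 0x4f03e offsets quoted above; the same offsets in the 0x3220000 memory dump show the file was mapped into svchost.exe unchanged.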

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Program Files (x86)\Common Files\System\douyin.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\LEC3KQZZqZ.exe, ProcessId: 6856, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyPythonApp
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\LEC3KQZZqZ.exe", ParentImage: C:\Users\user\Desktop\LEC3KQZZqZ.exe, ParentProcessId: 6856, ParentProcessName: LEC3KQZZqZ.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p, ProcessId: 804, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\LEC3KQZZqZ.exe", ParentImage: C:\Users\user\Desktop\LEC3KQZZqZ.exe, ParentProcessId: 6856, ParentProcessName: LEC3KQZZqZ.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p, ProcessId: 804, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-15T19:33:31.981763+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.16 | 49710 | 183.66.100.32 | 443 | TCP
2025-02-15T19:33:36.567438+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.16 | 49724 | 183.66.100.32 | 443 | TCP
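The two Sigma matches above reduce to field checks on Sysmon-style events: an svchost.exe whose parent is not one of the usual service hosts (Event ID 1), and a SetValue under a CurrentVersion\Run key (Event ID 13). The following Python is an added example, not the Sigma rules' YAML and not from the report: it re-implements both checks over events constructed from the Image, ParentImage and TargetObject values quoted above. The allow-list of normal svchost.exe parents is an assumed approximation of the public rule (the rule body is not reproduced on this page), and the benign services.exe launch with PIDs 700 and 1234 is made up to show the rule staying quiet.

```python
"""Plain-Python re-implementation of the two Sigma rules that fired in this
report: "Uncommon Svchost Parent Process" (Sysmon Event ID 1) and
"CurrentVersion Autorun Keys Modification" (Sysmon Event ID 13).

Added example, not the Sigma rules' YAML and not part of the Joe Sandbox
report. EXPECTED_SVCHOST_PARENTS is an assumed approximation of the public
rule's allow-list. SAMPLE_EVENTS is constructed from the fields quoted in the
report plus one made-up benign launch (PIDs 700 and 1234)."""
from typing import Dict, List, Tuple

# Assumed allow-list: processes that normally spawn svchost.exe (lower-case suffixes).
EXPECTED_SVCHOST_PARENTS: Tuple[str, ...] = (
    r"\services.exe", r"\msmpeng.exe", r"\mrt.exe", r"\rpcnet.exe",
    r"\svchost.exe", r"\ngen.exe", r"\tiworker.exe", r"\msiexec.exe",
)

# Any write under ...\CurrentVersion\Run or \RunOnce counts as autorun persistence.
AUTORUN_KEY_FRAGMENT = r"\software\microsoft\windows\currentversion\run"


def uncommon_svchost_parent(ev: Dict[str, object]) -> bool:
    """Event ID 1 whose Image is svchost.exe and whose parent is not on the allow-list."""
    if ev.get("EventID") != 1:
        return False
    image = str(ev.get("Image", "")).lower()
    parent = str(ev.get("ParentImage", "")).lower()
    if not image.endswith(r"\svchost.exe"):
        return False
    return not parent.endswith(EXPECTED_SVCHOST_PARENTS)


def autorun_key_set(ev: Dict[str, object]) -> bool:
    """Event ID 13 SetValue whose TargetObject sits under a CurrentVersion Run key."""
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return False
    return AUTORUN_KEY_FRAGMENT in str(ev.get("TargetObject", "")).lower()


def evaluate(events: List[Dict[str, object]]) -> List[Tuple[str, int]]:
    """Return (rule title, ProcessId) for every event that matches a rule."""
    alerts: List[Tuple[str, int]] = []
    for ev in events:
        if uncommon_svchost_parent(ev):
            alerts.append(("Uncommon Svchost Parent Process", int(ev["ProcessId"])))
        if autorun_key_set(ev):
            alerts.append(("CurrentVersion Autorun Keys Modification", int(ev["ProcessId"])))
    return alerts


# Constructed events mirroring the report's two Sigma hits plus a benign baseline.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "ProcessId": 804,
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k DcomLaunch -p",
     "ParentImage": r"C:\Users\user\Desktop\LEC3KQZZqZ.exe", "ParentProcessId": 6856},
    {"EventID": 1, "ProcessId": 1234,  # made-up benign launch by the SCM
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p",
     "ParentImage": r"C:\Windows\System32\services.exe", "ParentProcessId": 700},
    {"EventID": 13, "ProcessId": 6856, "EventType": "SetValue",
     "Image": r"C:\Users\user\Desktop\LEC3KQZZqZ.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyPythonApp",
     "Details": r"C:\Program Files (x86)\Common Files\System\douyin.exe"},
]

if __name__ == "__main__":
    for title, pid in evaluate(SAMPLE_EVENTS):
        print(f"{title}: PID {pid}")
```

The svchost check is deliberately a suffix match on ParentImage rather than a full-path compare, which is how the sandbox's own match (a user-writable Desktop path spawning a DcomLaunch host) reads in the data above.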


AV Detection

Source: https://get22222222asfas-1328031368.cos.ap-chengdu.myqcloud.com/sscronet.dll | Avira URL Cloud: Label: phishing
Source: http://www40sada-1328031368.cos.ap-guangzhou.myqcloud.com | Avira URL Cloud: Label: phishing
Source: https://get22222222asfas-1328031368.cos.ap-chengdu.myqcloud.com/tier0.dll | Avira URL Cloud: Label: phishing
Source: https://www40sada-1328031368.cos.ap-guangzhou.myqcloud.com/mpclient.dat | Avira URL Cloud: Label: phishing
Source: https://www40sada-1328031368.cos.ap-guangzhou.myqcloud.com | Avira URL Cloud: Label: phishing
Source: https://get22222222asfas-1328031368.cos.ap-chengdu.myqcloud.com/douyin.exe | Avira URL Cloud: Label: phishing
Source: http://get22222222asfas-1328031368.cos.ap-chengdu.myqcloud.com | Avira URL Cloud: Label: phishing
Source: https://get22222222asfas-1328031368.cos.ap-chengdu.myqcloud.com | Avira URL Cloud: Label: phishing
Source: C:\Program Files (x86)\Common Files\System\sscronet.dll | ReversingLabs: Detection: 68%
Source: C:\Program Files (x86)\Common Files\System\tier0.dll | ReversingLabs: Detection: 42%
Source: LEC3KQZZqZ | Virustotal: Detection: 69%
Source: LEC3KQZZqZ | ReversingLabs: Detection: 63%
Source: unknown | HTTPS traffic detected: 183.66.100.32:443 -> 192.168.2.16:49708 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 159.75.57.69:443 -> 192.168.2.16:49713 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 2.23.244.9:443 -> 192.168.2.16:49908 version: TLS 1.2
Source: LEC3KQZZqZ | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: c:\buildslave\l4d2_rel_win32\build\src\utils\hammer_run_map_launcher\Release\hammer_run_map_launcher.pdb@ | source: douyin.exe, 0000000C.00000000.1414145087.0000000000E3C000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: c:\buildslave\l4d2_rel_win32\build\src\utils\hammer_run_map_launcher\Release\hammer_run_map_launcher.pdb | source: douyin.exe, 0000000C.00000000.1414145087.0000000000E3C000.00000002.00000001.01000000.00000009.sdmp, douyin.exe.0.dr
Source: Binary string: c:\buildslave\l4d2_rel_win32\build\src\utils\hammer_run_map_launcher\Release\hammer_run_map_launcher.pdb@A | source: douyin.exe.0.dr
Source: Binary string: C:\Users\Administrator\Desktop\KinndigitDll\x64\Release\KinndigitDll.pdb | source: svchost.exe, 00000008.00000000.1367810797.000001E7202F0000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2641496491.000001E72030E000.00000040.00000001.00020000.00000000.sdmp, sscronet.dll.0.dr
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Code function: 0_2_00007FFF238EF22C FindFirstFileExW,0_2_00007FFF238EF22C
Source: C:\Windows\System32\RuntimeBroker.exe | File opened: C:\Users\user
Source: C:\Windows\System32\RuntimeBroker.exe | File opened: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState
Source: C:\Windows\System32\RuntimeBroker.exe | File opened: C:\Users\user\AppData\Local\Packages
Source: C:\Windows\System32\RuntimeBroker.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\RuntimeBroker.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\RuntimeBroker.exe | File opened: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy

Networking

Source: C:\Program Files (x86)\Common Files\System\douyin.exe | Process created: C:\Windows\SysWOW64\nslookup.exe "C:\Windows\System32\nslookup.exe"
Source: global traffic | HTTP traffic detected: GET /sscronet.dll HTTP/1.1 | Host: get22222222asfas-1328031368.cos.ap-chengdu.myqcloud.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /douyin.exe HTTP/1.1 | Host: get22222222asfas-1328031368.cos.ap-chengdu.myqcloud.com
Source: global traffic | HTTP traffic detected: GET /mpclient.dat HTTP/1.1 | Host: www40sada-1328031368.cos.ap-guangzhou.myqcloud.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /tier0.dll HTTP/1.1 | Host: get22222222asfas-1328031368.cos.ap-chengdu.myqcloud.com
Source: Joe Sandbox View | IP Address: 183.66.100.32 183.66.100.32
Source: Joe Sandbox View | IP Address: 159.75.57.69 159.75.57.69
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.16:49710 -> 183.66.100.32:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.16:49724 -> 183.66.100.32:443
Source: unknown | HTTPS traffic detected: 183.66.100.32:443 -> 192.168.2.16:49708 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 159.75.57.69:443 -> 192.168.2.16:49713 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (6 occurrences)
Source: global traffic | HTTP traffic detected: GET /XBLWinClient/v10_music/configuration.xml HTTP/1.1 | Accept: */* | User-Agent: XBLWIN10.19071 | Accept-Language: en-CH | Accept-Encoding: gzip, deflate, br | Host: settings-ssl.xboxlive.com | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: get22222222asfas-1328031368.cos.ap-chengdu.myqcloud.com
Source: global traffic | DNS traffic detected: DNS query: www40sada-1328031368.cos.ap-guangzhou.myqcloud.com
Source: global traffic | DNS traffic detected: DNS query: 1.1.1.1.in-addr.arpa
Source: global traffic | DNS traffic detected: DNS query: settings-ssl.xboxlive.com
Source: global traffic | DNS traffic detected: DNS query: tse1.mm.bing.net
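The myqcloud.com GET requests above carry only Host and Connection headers, which is what the "HTTP GET or POST without a user agent" signature keys on; the Music.UI.exe request to settings-ssl.xboxlive.com, by contrast, sends a User-Agent and is Windows background noise. The following Python is an added example, not Joe Sandbox's code and not from the report: it parses request heads of that shape, flags the missing header, and checks Host, destination IP and TLS version against the indicators listed in this section. The request texts are reconstructed from the quoted lines with one header per CRLF line, and the two TLS connections in the test are taken from the HTTPS lines above.

```python
"""Re-check of the network signatures in this report over reconstructed traffic:
'HTTP GET or POST without a user agent', contact with the download hosts, IPs
seen with other malware, and TLS 1.0 negotiation.

Added example, not from the Joe Sandbox report. IOC_HOSTS and IOC_IPS are copied
from the report's Networking section; REQUESTS are reconstructed from the quoted
GET lines (headers split one per CRLF line), so they are constructed input."""
from typing import Dict, List

IOC_HOSTS = {
    "get22222222asfas-1328031368.cos.ap-chengdu.myqcloud.com",
    "www40sada-1328031368.cos.ap-guangzhou.myqcloud.com",
}
IOC_IPS = {"183.66.100.32", "159.75.57.69"}
WEAK_TLS = {"SSLv3", "TLS 1.0", "TLS 1.1"}


def parse_request(raw: str) -> Dict[str, str]:
    """Split an HTTP/1.1 request head into method, path, version and lower-cased headers."""
    lines = [ln for ln in raw.replace("\r\n", "\n").split("\n") if ln.strip()]
    method, path, version = lines[0].split(" ", 2)
    req = {"method": method, "path": path, "version": version}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        req[name.strip().lower()] = value.strip()
    return req


def request_findings(raw: str) -> List[str]:
    """Signature titles a single request would trigger."""
    req = parse_request(raw)
    out: List[str] = []
    if req["method"] in ("GET", "POST") and "user-agent" not in req:
        out.append("HTTP GET or POST without a user agent")
    if req.get("host", "").lower() in IOC_HOSTS:
        out.append("Host is a download server listed in the report")
    return out


def connection_findings(dst_ip: str, tls_version: str) -> List[str]:
    """Signature titles for one TLS connection, given its peer IP and negotiated version."""
    out: List[str] = []
    if dst_ip in IOC_IPS:
        out.append("IP address seen in connection with other malware")
    if tls_version in WEAK_TLS:
        out.append("Uses insecure TLS / SSL version for HTTPS connection")
    return out


# Constructed from the request lines in the report; the xboxlive request is the benign control.
REQUESTS = [
    "GET /sscronet.dll HTTP/1.1\r\nHost: get22222222asfas-1328031368.cos.ap-chengdu.myqcloud.com\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /douyin.exe HTTP/1.1\r\nHost: get22222222asfas-1328031368.cos.ap-chengdu.myqcloud.com\r\n\r\n",
    "GET /mpclient.dat HTTP/1.1\r\nHost: www40sada-1328031368.cos.ap-guangzhou.myqcloud.com\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /tier0.dll HTTP/1.1\r\nHost: get22222222asfas-1328031368.cos.ap-chengdu.myqcloud.com\r\n\r\n",
    "GET /XBLWinClient/v10_music/configuration.xml HTTP/1.1\r\nAccept: */*\r\nUser-Agent: XBLWIN10.19071\r\n"
    "Accept-Language: en-CH\r\nAccept-Encoding: gzip, deflate, br\r\nHost: settings-ssl.xboxlive.com\r\nConnection: Keep-Alive\r\n\r\n",
]


def triage(requests: List[str] = REQUESTS) -> Dict[str, List[str]]:
    """Path -> findings for every request head."""
    return {parse_request(r)["path"]: request_findings(r) for r in requests}


if __name__ == "__main__":
    for path, hits in triage().items():
        print(path, hits or "clean")
    print("183.66.100.32 / TLS 1.0", connection_findings("183.66.100.32", "TLS 1.0"))
```

Note that the downloads on the page went over port 443 inside TLS 1.0 sessions (sslproxydump.pcap is what the Yara rule matched), so the plaintext request check only works on traffic captured behind an intercepting proxy, as the sandbox does; on a normal sensor the JA3 fingerprints and IPs above are the usable indicators.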
Source: backgroundTaskHost.exe, 00000009.00000002.2040751054.000002AFE81C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004CCF000.00000004.00000800.00020000.00000000.sdmp, LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004C36000.00000004.00000800.00020000.00000000.sdmp, LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004CBE000.00000004.00000800.00020000.00000000.sdmp, douyin.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004C16000.00000004.00000800.00020000.00000000.sdmp, LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004D03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cd.file.myqcloud.com
Source: LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004CCF000.00000004.00000800.00020000.00000000.sdmp, douyin.exe.0.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: backgroundTaskHost.exe, 00000009.00000002.2040751054.000002AFE81C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: backgroundTaskHost.exe, 00000009.00000002.2084007233.000002AFE8611000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004CCF000.00000004.00000800.00020000.00000000.sdmp, LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004C36000.00000004.00000800.00020000.00000000.sdmp, LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004CBE000.00000004.00000800.00020000.00000000.sdmp, douyin.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: backgroundTaskHost.exe, 00000009.00000002.2040751054.000002AFE81C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004CCF000.00000004.00000800.00020000.00000000.sdmp, LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004C36000.00000004.00000800.00020000.00000000.sdmp, LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004CBE000.00000004.00000800.00020000.00000000.sdmp, douyin.exe.0.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004C16000.00000004.00000800.00020000.00000000.sdmp, LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004D03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://get22222222asfas-1328031368.cos.ap-chengdu.myqcloud.com
Source: LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004CCF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://gz.file.myqcloud.com
Source: Music.UI.exe, 00000011.00000002.2126897118.0000011FD1413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.a.0
Source: Music.UI.exe, 00000011.00000002.2126897118.0000011FD1413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobe.c.0
Source: Music.UI.exe, 00000011.00000002.2126897118.0000011FD1413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobe.ho
Source: Music.UI.exe, 00000011.00000002.2126897118.0000011FD1413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.adora
Source: Music.UI.exe, 00000011.00000002.2126897118.0000011FD1413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.phX
Source: backgroundTaskHost.exe, 00000009.00000002.2040751054.000002AFE81C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: backgroundTaskHost.exe, 00000009.00000002.2084007233.000002AFE8611000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004CCF000.00000004.00000800.00020000.00000000.sdmp, LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004C36000.00000004.00000800.00020000.00000000.sdmp, LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004CBE000.00000004.00000800.00020000.00000000.sdmp, douyin.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0N
Source: backgroundTaskHost.exe, 00000009.00000002.2084007233.000002AFE8611000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004C36000.00000004.00000800.00020000.00000000.sdmp, LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004CBE000.00000004.00000800.00020000.00000000.sdmp, douyin.exe.0.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004B71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004CCF000.00000004.00000800.00020000.00000000.sdmp, LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004C36000.00000004.00000800.00020000.00000000.sdmp, LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004CBE000.00000004.00000800.00020000.00000000.sdmp, douyin.exe.0.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004CCF000.00000004.00000800.00020000.00000000.sdmp, LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004C36000.00000004.00000800.00020000.00000000.sdmp, LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004CBE000.00000004.00000800.00020000.00000000.sdmp, douyin.exe.0.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004CCF000.00000004.00000800.00020000.00000000.sdmp, LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004C36000.00000004.00000800.00020000.00000000.sdmp, LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004CBE000.00000004.00000800.00020000.00000000.sdmp, douyin.exe.0.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004CCF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www40sada-1328031368.cos.ap-guangzhou.myqcloud.com
Source: backgroundTaskHost.exe, 00000016.00000002.2242590137.000001E860E59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: Music.UI.exe, 00000011.00000002.2286210205.0000011FD2043000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp82hN
Source: BackgroundTransferHost.exe, 00000018.00000002.2062449931.0000023E34D1D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aefd.nelreports.net/ap
Source: backgroundTaskHost.exe, 0000001C.00000002.2485881161.0000014F5D8D2000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000002.2485881161.0000014F5D891000.00000004.00000020.00020000.00000000.sdmp, 445325b3-79d8-41ea-9a13-3a2fd7d61b0b.ce662765-b572-49a6-8221-6746c6b640b0.down_meta.24.dr, fde2eb7a-b40f-4413-ad59-475540b113df.25646938-9d2d-4437-9657-ab96b3d6c07e.down_meta.24.dr, f03c4bb8-c2a4-4b95-aac4-eabe74c1e366.64da9497-d4db-4bd1-901f-0e309daaef56.down_meta.24.dr, f7b99221-ce7f-4946-80e2-73b3785700eb.25646938-9d2d-4437-9657-ab96b3d6c07e.down_meta.24.dr, a23c2c9d-d930-4807-a925-63a026f47282.1c016d01-c842-4d55-b8f0-b0178463c806.down_meta.24.dr, 916c5f0a-c83b-4d58-9aa5-6a91a2379cae.dd3c0f53-88e9-41d2-b11b-91f31ed13136.down_meta.24.dr, 0de711ec-2171-4413-8966-ee185340f175.64da9497-d4db-4bd1-901f-0e309daaef56.down_meta.24.dr, 2ceada02-9b08-4c99-ba7b-88e5fedcc013.ce662765-b572-49a6-8221-6746c6b640b0.down_meta.24.dr, e579ca37-681f-451c-9c22-4fc74e3cc243.49fe1c41-aee4-4f3c-9d8d-46c18d80229c.down_meta.24.dr, 1b5c1a31-1e08-4ecf-9fd0-c80a83dd3ac3.49fe1c41-aee4-4f3c-9d8d-46c18d80229c.down_meta.24.dr, 2b4cb80d-ffb6-49d2-90fd-cd33e40d7abb.1c016d01-c842-4d55-b8f0-b0178463c806.down_meta.24.dr, dd9f7a7c-dcba-4a13-bf03-402628bd88f7.dd3c0f53-88e9-41d2-b11b-91f31ed13136.down_meta.24.dr, dd9f7a7c-dcba-4a13-bf03-402628bd88f7.a4890f9a-6686-4ea5-882d-71683b903fec.down_meta.24.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE
Source: Music.UI.exe, 00000011.00000002.2079156617.0000011FCF0E8000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000011.00000002.2182020311.0000011FD1CA6000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000016.00000002.2242590137.000001E860E59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS
Source: Music.UI.exe, 00000011.00000002.2079156617.0000011FCF0E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS.
Source: backgroundTaskHost.exe, 00000009.00000002.2150496375.000002AFE8CA9000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000002.2516086227.0000014F5FC4D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com/
Source: backgroundTaskHost.exe, 00000009.00000002.2053210175.000002AFE8291000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1741073885.000002AFE8291000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1782869999.000002AFE8291000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1504609231.000002AFE826C000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1508747636.000002AFE8291000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000002.1993733380.000002AFE609F000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1474460958.000002AFE61F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com/v3/Delivery/Events/Impression=&PID=400084281&TID=700117803&CID=11600000000027065
Source: backgroundTaskHost.exe, 00000009.00000002.2165992925.000002AFE8DCE000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000003.2173802378.0000014F5D98F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425
Source: backgroundTaskHost.exe, 00000009.00000002.2024561341.000002AFE812D000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1504609231.000002AFE826C000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000002.2007905031.000002AFE6113000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1470226638.000002AFE811C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425115820&TID=700333385&CID=12800000000162740
Source: backgroundTaskHost.exe, 00000009.00000003.1504609231.000002AFE826C000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000002.2024561341.000002AFE8100000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000002.2007905031.000002AFE6113000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1470226638.000002AFE811C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425116118&TID=700333392&CID=12800000000162740
Source: backgroundTaskHost.exe, 00000009.00000003.1470226638.000002AFE811C000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000002.2053210175.000002AFE8273000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000002.2066751828.000002AFE832C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425116119&TID=700333391&CID=12800000000162740
Source: backgroundTaskHost.exe, 00000009.00000002.1998194573.000002AFE60A4000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000002.2007905031.000002AFE6113000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425116120&TID=700333386&CID=12800000000162740
Source: backgroundTaskHost.exe, 00000009.00000003.1474460958.000002AFE61F4000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000002.1998194573.000002AFE60A4000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000002.2053210175.000002AFE828B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425116121&TID=700333389&CID=12800000000162740
Source: backgroundTaskHost.exe, 0000001C.00000003.2277680972.0000014F5D9A2000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000003.2419792349.0000014F5D929000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425116123&TID=1&CID=128000000001627409&BID=18
Source: backgroundTaskHost.exe, 00000009.00000003.1508747636.000002AFE828B000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1504609231.000002AFE826C000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1741073885.000002AFE8277000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000002.2024561341.000002AFE8100000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1470226638.000002AFE811C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425116215&TID=700333445&CID=12800000000162740
Source: backgroundTaskHost.exe, 0000001C.00000002.2502636903.0000014F5F85D000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000002.2493497059.0000014F5D926000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425116216&TID=1&CID=128000000001627409&BID=20
Source: backgroundTaskHost.exe, 00000009.00000003.1504609231.000002AFE826C000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1741073885.000002AFE8277000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000002.2024561341.000002AFE8100000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1470226638.000002AFE811C000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000002.2053210175.000002AFE8273000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000002.2492479166.0000014F5D913000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000002.2500306988.0000014F5F81C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425116219&TID=700333446&CID=12800000000162740
Source: backgroundTaskHost.exe, 00000009.00000003.1787589604.000002AFE8D6F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com/v3/Delivery/Events/Impression=&PID=4251_imp00000001627409
Source: backgroundTaskHost.exe, 00000009.00000003.1470226638.000002AFE811C000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000002.2053210175.000002AFE8273000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1504609231.000002AFE8298000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425681886&TID=700341298&CID=12800000000437620
Source: backgroundTaskHost.exe, 00000009.00000003.1536081613.000002AFE8299000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425681888&TID=700342084&CID=1280000000
Source: backgroundTaskHost.exe, 00000009.00000003.1470226638.000002AFE811C000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000002.2053210175.000002AFE8273000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425681888&TID=700342084&CID=12800000000437618
Source: backgroundTaskHost.exe, 00000009.00000002.2154420920.000002AFE8CFC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=280815&
Source: backgroundTaskHost.exe, 00000009.00000002.2012948752.000002AFE6163000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=280815&adm=
Source: backgroundTaskHost.exe, 00000009.00000002.2130753526.000002AFE8913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=338387&adm=
Source: backgroundTaskHost.exe, 00000009.00000003.1743827560.000002AFE83FF000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1776228245.000002AFE8D03000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000002.1998194573.000002AFE60A4000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000002.2024561341.000002AFE8138000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=338388&adm=
Source: backgroundTaskHost.exe, 00000009.00000003.1743827560.000002AFE83FF000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000002.2024561341.000002AFE8156000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000002.2088570749.000002AFE8670000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1885618793.000002AFE6163000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1776228245.000002AFE8D03000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000002.2019946009.000002AFE61BB000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000002.2130753526.000002AFE8913000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000002.2012948752.000002AFE6163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=338389&adm=
Source: backgroundTaskHost.exe, 0000001C.00000003.2258001465.0000014F5D922000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000002.2517329275.0000014F5FC79000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=88000045&ad
Source: backgroundTaskHost.exe, 0000000B.00000002.1391654894.0000023FD0E41000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000000B.00000002.1392226258.0000023FD0E82000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000000B.00000002.1391475447.0000023FD0E28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com/v4
Source: svchost.exe, 00000008.00000002.2621112531.000001E71FC7B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000008.00000000.1366177627.000001E71FCC2000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000008.00000000.1365979203.000001E71FC69000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2626192614.000001E71FCC8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.onenote.net/livetile/?Language=
Source: backgroundTaskHost.exe, 00000009.00000003.1485299474.000002AFE8834000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000002.2115016135.000002AFE8800000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
Source: backgroundTaskHost.exe, 00000009.00000002.2163753464.000002AFE8D8B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://g..com/ne
Source: backgroundTaskHost.exe, 00000009.00000002.2163753464.000002AFE8D8B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://g.bi
Source: backgroundTaskHost.exe, 0000001C.00000003.2440031840.0000014F60121000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://g.bin
Source: backgroundTaskHost.exe, 0000001C.00000003.2440031840.0000014F60121000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://g.bing.c
Source: LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004C52000.00000004.00000800.00020000.00000000.sdmp, LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004C0C000.00000004.00000800.00020000.00000000.sdmp, LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004BF7000.00000004.00000800.00020000.00000000.sdmp, LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004D03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://get22222222asfas-1328031368.cos.ap-chengdu.myqcloud.com
Source: LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004C52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://get22222222asfas-1328031368.cos.ap-chengdu.myqcloud.com/douyin.exe
Source: LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://get22222222asfas-1328031368.cos.ap-chengdu.myqcloud.com/sscronet.dll
Source: LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004D03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://get22222222asfas-1328031368.cos.ap-chengdu.myqcloud.com/tier0.dll
Source: backgroundTaskHost.exe, 00000009.00000002.2031758797.000002AFE8164000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000002.2115016135.000002AFE8847000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RW18NZO?ver=7c98
Source: backgroundTaskHost.exe, 00000009.00000003.1506638174.000002AFE8275000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1509395087.000002AFE8278000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1504609231.000002AFE826C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RW18NZO?ver=7c98Ti
Source: backgroundTaskHost.exe, 00000009.00000002.2115016135.000002AFE8847000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RW18NZO?ver=7c98at
Source: backgroundTaskHost.exe, 00000009.00000003.1472351511.000002AFE8703000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RW18NZO?ver=7c98b5https
Source: backgroundTaskHost.exe, 00000009.00000003.1506638174.000002AFE8275000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1509395087.000002AFE8278000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1504609231.000002AFE826C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RW18NZO?ver=7c98et
Source: backgroundTaskHost.exe, 00000009.00000003.1506638174.000002AFE8275000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1504609231.000002AFE826C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RW18NZO?ver=7c98g=https
Source: backgroundTaskHost.exe, 00000009.00000003.1539666820.000002AFE83C5000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1886858639.000002AFE83CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RW18NZO?ver=7c98https:/
Source: backgroundTaskHost.exe, 00000009.00000002.2024561341.000002AFE8100000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000002.1998194573.000002AFE60A4000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000002.2115016135.000002AFE8847000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RW18NZP?ver=5e78
Source: backgroundTaskHost.exe, 00000009.00000002.2115016135.000002AFE8847000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RW18NZP?ver=5e78at
Source: backgroundTaskHost.exe, 00000009.00000003.1886858639.000002AFE83CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RW18NZP?ver=5e78https:/
Source: backgroundTaskHost.exe, 00000009.00000002.2031758797.000002AFE8164000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000002.2115016135.000002AFE8847000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RW18SZK?ver=2175
Source: backgroundTaskHost.exe, 00000009.00000003.1506638174.000002AFE8275000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1504609231.000002AFE826C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RW18SZK?ver=2175WDhttps
Source: backgroundTaskHost.exe, 00000009.00000002.2115016135.000002AFE8847000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RW18SZK?ver=2175at
Source: backgroundTaskHost.exe, 00000009.00000003.1506638174.000002AFE8275000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1504609231.000002AFE826C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RW18SZK?ver=2175cohttps
Source: backgroundTaskHost.exe, 00000009.00000003.1472351511.000002AFE8703000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RW18SZK?ver=2175https:/
Source: backgroundTaskHost.exe, 00000009.00000003.1539666820.000002AFE83C5000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1655233140.000002AFE87BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RW18SZK?ver=2175ms-appd
Source: backgroundTaskHost.exe, 00000009.00000003.1886858639.000002AFE83B5000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1477045606.000002AFE8362000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RW18VF4?ver=f0b5
Source: backgroundTaskHost.exe, 00000009.00000003.1655233140.000002AFE87BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RW18VF4?ver=f0b59b
Source: backgroundTaskHost.exe, 00000009.00000003.1539666820.000002AFE83C5000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1472351511.000002AFE8703000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1886858639.000002AFE83B5000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1477045606.000002AFE8362000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RW18VF4?ver=f0b5https:/
Source: backgroundTaskHost.exe, 00000009.00000003.1477045606.000002AFE8362000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RW18VF5?ver=8d01
Source: backgroundTaskHost.exe, 00000009.00000002.2088570749.000002AFE8670000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RW18VF5?ver=8d01001
Source: backgroundTaskHost.exe, 00000009.00000003.1655233140.000002AFE87BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RW18VF5?ver=8d011696583
Source: backgroundTaskHost.exe, 0000001C.00000002.2485881161.0000014F5D891000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
Source: backgroundTaskHost.exe, 0000001C.00000002.2485881161.0000014F5D891000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/
Source: Music.UI.exe, 00000011.00000002.2351955837.0000011FD25D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/xsts.auth.xboxlive.com
Source: backgroundTaskHost.exe, 0000000B.00000002.1392226258.0000023FD0E82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com
Source: backgroundTaskHost.exe, 0000000B.00000002.1392226258.0000023FD0E82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/
Source: backgroundTaskHost.exe, 0000000B.00000002.1391909552.0000023FD0E57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/common
Source: backgroundTaskHost.exe, 0000000B.00000002.1392226258.0000023FD0E82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize
Source: backgroundTaskHost.exe, 0000000B.00000002.1392226258.0000023FD0E82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize03
Source: backgroundTaskHost.exe, 0000000B.00000002.1391909552.0000023FD0E57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/common1003
Source: backgroundTaskHost.exe, 0000000B.00000002.1392226258.0000023FD0E82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/commonoauth2/authorizeager
Source: backgroundTaskHost.exe, 0000000B.00000002.1392226258.0000023FD0E82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows-ppe.net
Source: backgroundTaskHost.exe, 0000000B.00000002.1392226258.0000023FD0E82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows-ppe.net/
Source: backgroundTaskHost.exe, 0000001C.00000002.2485881161.0000014F5D8D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.local
Source: backgroundTaskHost.exe, 00000009.00000002.2151718274.000002AFE8CC0000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000002.1998194573.000002AFE60A4000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000011.00000002.2246904183.0000011FD1F00000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000002.2485881161.0000014F5D8D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.local/
Source: backgroundTaskHost.exe, 00000009.00000002.2151718274.000002AFE8CC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.local6https://login.windows.local
Source: backgroundTaskHost.exe, 0000000B.00000002.1392226258.0000023FD0E82000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000011.00000003.1947252502.0000011FD1DA4000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000011.00000002.2169308717.0000011FD1C00000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000002.2485881161.0000014F5D8D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net
Source: backgroundTaskHost.exe, 00000009.00000002.1998194573.000002AFE60A4000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000000B.00000002.1392226258.0000023FD0E82000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000011.00000002.2169308717.0000011FD1C00000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000002.2485881161.0000014F5D8D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/
Source: backgroundTaskHost.exe, 00000009.00000002.1998194573.000002AFE60A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.nethttps://xsts.auth.xboxlive.com
Source: Music.UI.exe, 00000011.00000002.2188835156.0000011FD1D00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://musicart.xboxlive.com/9/5c6a4700-0000-0000-0000-000000000002/504/image.jpg
Source: Music.UI.exe, 00000011.00000002.2188835156.0000011FD1D00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://musicart.xboxlive.com/9/e74d4600-0000-0000-0000-000000000002/504/image.jpg
Source: svchost.exe, 00000008.00000000.1369339698.000001E720543000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com
Source: backgroundTaskHost.exe, 00000009.00000002.2115016135.000002AFE8847000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.comx
Source: backgroundTaskHost.exe, 00000009.00000002.2115016135.000002AFE8800000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comcember
Source: backgroundTaskHost.exe, 00000009.00000002.2138567159.000002AFE8C00000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000003.1553025254.000002AFE892F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ris.ap
Source: backgroundTaskHost.exe, 0000001C.00000003.2172530579.0000014F5D95F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ris.api
Source: backgroundTaskHost.exe, 00000009.00000003.1523078262.000002AFE816C000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000002.2031758797.000002AFE818F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ris.api.ir
Source: backgroundTaskHost.exe, 00000009.00000003.1523078262.000002AFE816C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ris.api.ir0$
Source: backgroundTaskHost.exe, 00000009.00000003.1411364307.000002AFE810C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ris.api.iris.micros
Source: Music.UI.exe, 00000011.00000003.1608080445.0000011FD1C89000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://settings-ssl.xboxlive.com
Source: Music.UI.exe, 00000011.00000003.1608080445.0000011FD1C89000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://settings-ssl.xboxlive.com/
Source: Music.UI.exe, 00000011.00000003.1608080445.0000011FD1C89000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://settings-ssl.xboxlive.com/XBLWinClient/v10_music/configuration.xml
Source: backgroundTaskHost.exe, 00000009.00000002.2163753464.000002AFE8D8B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tse1.mm.0
Source: backgroundTaskHost.exe, 00000009.00000002.2165209591.000002AFE8DAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tse1.mm.bi1696583420
Source: BackgroundTransferHost.exe, 00000018.00000002.2052868120.0000023E32CB5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tse1.mm.bing.net/
Source: backgroundTaskHost.exe, 00000009.00000003.1779648120.000002AFE87A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tse1.mm.bing.net/th?id=OADD2.102393
Source: backgroundTaskHost.exe, 0000001C.00000002.2517865099.0000014F5FC90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tse1.mm.bing.net/th?id=OADD2.10239339388230_1GCYE192JMK1GRK5F
Source: backgroundTaskHost.exe, 00000009.00000002.2053210175.000002AFE8273000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tse1.mm.bing.net/th?id=OADD2.10239339388230_1GCYE192JMK1GRK5F&pi
Source: backgroundTaskHost.exe, 0000001C.00000002.2485881161.0000014F5D8D2000.00000004.00000020.00020000.00000000.sdmp, f03c4bb8-c2a4-4b95-aac4-eabe74c1e366.64da9497-d4db-4bd1-901f-0e309daaef56.down_meta.24.dr, 0de711ec-2171-4413-8966-ee185340f175.64da9497-d4db-4bd1-901f-0e309daaef56.down_meta.24.drString found in binary or memory: https://tse1.mm.bing.net/th?id=OADD2.10239339388230_1GCYE192JMK1GRK5F&pid=21.2&c=16&roil=0&roit=0&ro
Source: backgroundTaskHost.exe, 0000001C.00000002.2517865099.0000014F5FC90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tse1.mm.bing.net/th?id=OADD2.10239339388231_1UY1F8SP8NFGIRB6T
Source: backgroundTaskHost.exe, 0000001C.00000002.2503621029.0000014F5F87F000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000003.2247408139.0000014F5F974000.00000004.00000020.00020000.00000000.sdmp, a23c2c9d-d930-4807-a925-63a026f47282.1c016d01-c842-4d55-b8f0-b0178463c806.down_meta.24.dr, 2b4cb80d-ffb6-49d2-90fd-cd33e40d7abb.1c016d01-c842-4d55-b8f0-b0178463c806.down_meta.24.drString found in binary or memory: https://tse1.mm.bing.net/th?id=OADD2.10239339388231_1UY1F8SP8NFGIRB6T&pid=21.2&c=3&w=1080&h=1920&dyn
Source: backgroundTaskHost.exe, 00000009.00000003.1820918262.000002AFE8E02000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000003.2443431005.0000014F5FD02000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000003.2437586038.0000014F60131000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000003.2435243510.0000014F60120000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tse1.mm.bing.net/th?id=OADD2.10239340418581_1PW4UWMX6DVDU64ZR
Source: BackgroundTransferHost.exe, 00000018.00000002.2052868120.0000023E32CB5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tse1.mm.bing.net/th?id=OADD2.10239340418581_1PW4UWMX6DVDU64ZR&pid=21.2&
Source: backgroundTaskHost.exe, 0000001C.00000002.2494213404.0000014F5D937000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000003.2429888850.0000014F5FCC3000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000002.2503621029.0000014F5F87F000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000003.2247408139.0000014F5F974000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000002.2485881161.0000014F5D8C0000.00000004.00000020.00020000.00000000.sdmp, 916c5f0a-c83b-4d58-9aa5-6a91a2379cae.dd3c0f53-88e9-41d2-b11b-91f31ed13136.down_meta.24.dr, dd9f7a7c-dcba-4a13-bf03-402628bd88f7.dd3c0f53-88e9-41d2-b11b-91f31ed13136.down_meta.24.dr, dd9f7a7c-dcba-4a13-bf03-402628bd88f7.a4890f9a-6686-4ea5-882d-71683b903fec.down_meta.24.drString found in binary or memory: https://tse1.mm.bing.net/th?id=OADD2.10239340418581_1PW4UWMX6DVDU64ZR&pid=21.2&c=3&w=1080&h=1920&dyn
Source: backgroundTaskHost.exe, 00000009.00000003.1820918262.000002AFE8E02000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000003.2443431005.0000014F5FD02000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000003.2437586038.0000014F60131000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000003.2435243510.0000014F60120000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tse1.mm.bing.net/th?id=OADD2.10239340418582_18ZLZW09JZ7BHXRKX
Source: backgroundTaskHost.exe, 00000009.00000002.2053210175.000002AFE8273000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tse1.mm.bing.net/th?id=OADD2.10239340418582_18ZLZW09JZ7BHXRKX&pi
Source: backgroundTaskHost.exe, 0000001C.00000002.2485881161.0000014F5D8D2000.00000004.00000020.00020000.00000000.sdmp, 445325b3-79d8-41ea-9a13-3a2fd7d61b0b.ce662765-b572-49a6-8221-6746c6b640b0.down_meta.24.dr, 2ceada02-9b08-4c99-ba7b-88e5fedcc013.ce662765-b572-49a6-8221-6746c6b640b0.down_meta.24.drString found in binary or memory: https://tse1.mm.bing.net/th?id=OADD2.10239340418582_18ZLZW09JZ7BHXRKX&pid=21.2&c=16&roil=0&roit=0&ro
Source: backgroundTaskHost.exe, 00000009.00000003.1782869999.000002AFE8291000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000002.2493497059.0000014F5D926000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000003.2437586038.0000014F6013C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tse1.mm.bing.net/th?id=OADD2.10239400907839_1ZQL244JEBB0HCE6J
Source: backgroundTaskHost.exe, 0000001C.00000002.2500306988.0000014F5F800000.00000004.00000020.00020000.00000000.sdmp, e579ca37-681f-451c-9c22-4fc74e3cc243.49fe1c41-aee4-4f3c-9d8d-46c18d80229c.down_meta.24.dr, 1b5c1a31-1e08-4ecf-9fd0-c80a83dd3ac3.49fe1c41-aee4-4f3c-9d8d-46c18d80229c.down_meta.24.drString found in binary or memory: https://tse1.mm.bing.net/th?id=OADD2.10239400907839_1ZQL244JEBB0HCE6J&pid=21.2&c=3&w=1080&h=1920&dyn
Source: backgroundTaskHost.exe, 00000009.00000003.1782869999.000002AFE8291000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000002.2493497059.0000014F5D926000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000003.2437586038.0000014F6013C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tse1.mm.bing.net/th?id=OADD2.10239400907840_1FPLTEXP4VV24MYRE
Source: BackgroundTransferHost.exe, 00000018.00000002.2052868120.0000023E32CB5000.00000004.00000020.00020000.00000000.sdmp, BackgroundTransferHost.exe, 00000018.00000002.2074312284.0000023E34DF9000.00000004.00000020.00020000.00000000.sdmp, BackgroundTransferHost.exe, 00000018.00000002.2065521589.0000023E34D5B000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000002.2494213404.0000014F5D937000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000002.2514176700.0000014F5FC0C000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000002.2492479166.0000014F5D913000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000002.2485881161.0000014F5D8D2000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000002.2521537238.0000014F6011B000.00000004.00000020.00020000.00000000.sdmp, fde2eb7a-b40f-4413-ad59-475540b113df.25646938-9d2d-4437-9657-ab96b3d6c07e.down_meta.24.dr, f7b99221-ce7f-4946-80e2-73b3785700eb.25646938-9d2d-4437-9657-ab96b3d6c07e.down_meta.24.drString found in binary or memory: https://tse1.mm.bing.net/th?id=OADD2.10239400907840_1FPLTEXP4VV24MYRE&pid=21.2&c=16&roil=0&roit=0&ro
Source: backgroundTaskHost.exe, 00000009.00000002.2165209591.000002AFE8DAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tse1.mm.bing.net/th?id=OADz
Source: Music.UI.exe, 00000011.00000002.2340628917.0000011FD2524000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000016.00000002.2247318330.000001E860E89000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/
Source: backgroundTaskHost.exe, 00000009.00000003.1485299474.000002AFE8834000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000002.2115016135.000002AFE8800000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
Source: LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004CCF000.00000004.00000800.00020000.00000000.sdmp, LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004C36000.00000004.00000800.00020000.00000000.sdmp, LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004CBE000.00000004.00000800.00020000.00000000.sdmp, douyin.exe.0.drString found in binary or memory: https://www.digicert.com/CPS0
Source: LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004CCF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www40sada-1328031368.cos.ap-guangzhou.myqcloud.com
Source: LEC3KQZZqZ.exe, 00000000.00000002.1421776629.0000000004CCF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www40sada-1328031368.cos.ap-guangzhou.myqcloud.com/mpclient.dat
Source: Music.UI.exe, 00000011.00000003.1947252502.0000011FD1DA4000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000011.00000002.2169308717.0000011FD1C00000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000002.2485881161.0000014F5D8D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://xsts.auth.xboxlive.com
Source: backgroundTaskHost.exe, 00000009.00000002.1998194573.000002AFE60A4000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000011.00000002.2138228121.0000011FD152F000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000002.2485881161.0000014F5D8D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://xsts.auth.xboxlive.com/
Source: Music.UI.exe, 00000011.00000003.1941583856.0000011FD24FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://xsts.auth.xboxlive.com3
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49908
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | HTTPS traffic detected: 2.23.244.9:443 -> 192.168.2.16:49908 version: TLS 1.2

System Summary

Source: sslproxydump.pcap, type: PCAP | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000E.00000002.2541066482.0000000003220000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.1421776629.0000000004D03000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Program Files (x86)\Common Files\System\mpclient.dat, type: DROPPED | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Code function: 0_2_00007FFF238A16C4 NtQueryInformationProcess,RtlNtStatusToDosError,_invalid_parameter_noinfo_noreturn
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Code function: 0_2_00007FFF238A1DB8 GetCurrentProcess,NtQueryObject,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Code function: 0_2_00007FFF238A21A4 GetCurrentProcess,NtQueryObject
Source: C:\Program Files (x86)\Common Files\System\douyin.exe | Code function: String function: 6CE5BFD0 appears 234 times
Source: C:\Program Files (x86)\Common Files\System\douyin.exe | Code function: String function: 6CE58110 appears 173 times
Source: LEC3KQZZqZ | Static PE information: No import functions for PE file found
Source: sslproxydump.pcap, type: PCAP | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000E.00000002.2541066482.0000000003220000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.1421776629.0000000004D03000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: C:\Program Files (x86)\Common Files\System\mpclient.dat, type: DROPPED | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: classification engine | Classification label: mal100.troj.evad.win@37/71@6/3
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Code function: 0_2_00007FFF238A7360 FormatMessageA,LocalFree,GetLastError
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Code function: 0_2_00007FFF238A2504 CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,CloseHandle,_invalid_parameter_noinfo_noreturn
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | File created: C:\Program Files (x86)\Common Files\System\sscronet.dll
Source: C:\Windows\System32\backgroundTaskHost.exe | File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\314559\5568940dcb8142b592c703356f6c2bfa_2
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5868:120:WilError_03
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{exeName}_Mutex
Source: LEC3KQZZqZ | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: LEC3KQZZqZ | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: LEC3KQZZqZ | Virustotal: Detection: 69%
Source: LEC3KQZZqZ | ReversingLabs: Detection: 63%
Source: unknown | Process created: C:\Users\user\Desktop\LEC3KQZZqZ.exe "C:\Users\user\Desktop\LEC3KQZZqZ.exe"
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\backgroundTaskHost.exe "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Process created: C:\Program Files (x86)\Common Files\System\douyin.exe "C:\Program Files (x86)\Common Files\System\douyin.exe"
Source: C:\Program Files (x86)\Common Files\System\douyin.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Common Files\System\douyin.exe | Process created: C:\Windows\SysWOW64\nslookup.exe "C:\Windows\System32\nslookup.exe"
Source: C:\Windows\SysWOW64\nslookup.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe "C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe" -ServerName:Microsoft.ZuneMusic.AppX48dcrcgzqqdshm3kf61t0cm5e9pyd6h6.mca
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXr6cxj2m7qt53ysmsgy75gtey09djqa6k.mca
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, sspicli.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Sections loaded: ondemandbrokerclient.dll
Source: C:\Windows\System32\backgroundTaskHost.exe | Sections loaded: kernel.appcore.dll, twinapi.appcore.dll, wintypes.dll, mrmcorer.dll, onecoreuapcommonproxystub.dll, biwinrt.dll, windows.staterepositorycore.dll, sspicli.dll, policymanager.dll, slc.dll, wldp.dll, cdp.dll, wincorlib.dll, msvcp110_win.dll, umpdc.dll, propsys.dll, dsreg.dll, sppc.dll, cryptsp.dll, windows.storage.applicationdata.dll, logoncli.dll, threadpoolwinrt.dll, windows.applicationmodel.background.timebroker.dll, windows.applicationmodel.background.systemeventsbroker.dll, windows.storage.dll, windows.services.targetedcontent.dll, contentdeliverymanager.utilities.dll, notificationcontrollerps.dll, rmclient.dll, powrprof.dll, iertutil.dll, windows.web.dll, windows.globalization.dll, bcp47langs.dll, bcp47mrm.dll, windows.security.authentication.web.core.dll, onecorecommonproxystub.dll, vaultcli.dll, windows.staterepositoryps.dll, dpapi.dll, cryptbase.dll, aadwamextension.dll, uxtheme.dll, windows.applicationmodel.dll, cryptowinrt.dll, ncrypt.dll, ntasn1.dll, ncryptprov.dll, profapi.dll, windows.web.http.dll, windows.ui.dll, windowmanagementapi.dll, textinputframework.dll, inputhost.dll, coremessaging.dll, coreuicomponents.dll, ntmarta.dll, wininet.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, firewallapi.dll, dnsapi.dll, iphlpapi.dll, fwbase.dll, winnsi.dll, userenv.dll, profext.dll, urlmon.dll, srvcli.dll, netutils.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ncryptsslp.dll, msasn1.dll, rsaenh.dll, gpapi.dll, certenroll.dll, certca.dll, dsparse.dll, mlang.dll, starttiledata.dll, usermgrcli.dll, usermgrproxy.dll, windows.cloudstore.dll, windows.cloudstore.schema.shell.dll, tiledatarepository.dll, staterepository.core.dll, windows.staterepository.dll, windows.staterepositoryclient.dll, installservice.dll, mpr.dll, windows.networking.connectivity.dll, windows.networking.hostname.dll, flightsettings.dll, wosc.dll, updatepolicy.dll, cabinet.dll, dcntel.dll, utcutil.dll, appraiser.dll, wdscore.dll, wtsapi32.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: tdh.dllJump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: windows.networking.backgroundtransfer.dllJump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: systemeventsbrokerclient.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: windows.security.authentication.onlineid.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: edputil.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: structuredquery.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: windows.storage.search.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: windows.staterepositorycore.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: windows.services.targetedcontent.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: execmodelclient.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: appextension.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: mssrch.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: tquery.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: cryptdll.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: esent.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: contentdeliverymanager.utilities.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: familysafetyext.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: wpc.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: wlidprov.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: windows.networking.connectivity.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: windows.networking.hostname.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: netprofm.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: dusmapi.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: wpnapps.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: usermgrcli.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: windows.ui.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: windowmanagementapi.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: inputhost.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: windows.internal.shell.broker.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: d3d11.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: cryptowinrt.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: starttiledata.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: usermgrproxy.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: windows.cloudstore.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: windows.cloudstore.schema.shell.dllJump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: apphelp.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: wintypes.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: mrmcorer.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: biwinrt.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: cryptsp.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: wincorlib.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: windows.security.authentication.web.core.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: usermgrproxy.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: iertutil.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: vaultcli.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: threadpoolwinrt.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: windows.storage.applicationdata.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: windows.ui.xaml.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: coremessaging.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: bcp47langs.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: dcomp.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: windows.storage.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: wldp.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: propsys.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: userdeviceregistration.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: ncrypt.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: ntasn1.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: cryptowinrt.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: policymanager.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: uxtheme.dll
Source: C:\Windows\System32\backgroundTaskHost.exe  Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\Common Files\System\douyin.exe  Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Common Files\System\douyin.exe  Section loaded: tier0.dll
Source: C:\Windows\SysWOW64\nslookup.exe  Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe  Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe  Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe  Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe  Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe  Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe  Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe  Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe  Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe  Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe  Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe  Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\nslookup.exe  Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\nslookup.exe  Section loaded: amsi.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: d3d11.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: sharedui.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: vccorlib140_app.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: msvcp140_app.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: concrt140_app.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: vcruntime140_app.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: dxgi.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: vcruntime140_app.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: kernel.appcore.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: windows.ui.xaml.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: coremessaging.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: bcp47langs.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: iertutil.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: dcomp.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: twinapi.appcore.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: wintypes.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: windows.staterepositorycore.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: windows.ui.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: windowmanagementapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: textinputframework.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: inputhost.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: propsys.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: coreuicomponents.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: coreuicomponents.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: ntmarta.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: uxtheme.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: urlmon.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: srvcli.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: netutils.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: resourcepolicyclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: d3d10warp.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: rometadata.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: dxcore.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: d2d1.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: dwrite.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: textshaping.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: windows.applicationmodel.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: esent.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: windows.storage.applicationdata.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: windows.storage.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: wldp.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: logoncli.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: mrmcorer.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: windows.staterepositoryclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: profapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: appxdeploymentclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: bcp47mrm.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: cryptbase.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: windows.ui.xaml.controls.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: execmodelproxy.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: rmclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: uiamanager.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: windows.ui.core.textinput.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: windows.ui.immersive.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: dataexchange.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: threadpoolwinrt.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: windows.globalization.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: windows.system.profile.retailinfo.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: windows.media.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: windows.applicationmodel.lockscreen.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: wincorlib.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: lockappbroker.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: msvcp110_win.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: powrprof.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: umpdc.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: windows.graphics.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: windows.ui.xaml.phone.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: twinapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: windows.networking.connectivity.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: windows.media.playback.mediaplayer.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: mfplat.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: rtworkq.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: windows.media.mediacontrol.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: mmdevapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: devobj.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: mfmediaengine.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: xmllite.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: audioses.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: windows.media.devices.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: windows.media.playback.proxystub.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: comppkgsup.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: windows.devices.enumeration.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: devdispitemprovider.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: ddores.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: defaultdevicemanager.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: directmanipulation.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: msftedit.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: globinputhost.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: msxml6.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: wpnapps.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: windows.web.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: windowscodecs.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: wuceffects.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: wininet.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: sspicli.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: windows.networking.backgroundtransfer.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: systemeventsbrokerclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: winhttp.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: mswsock.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: iphlpapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: userenv.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: winnsi.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: profext.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: biwinrt.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: dnsapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: rasadhlp.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: fwpuclnt.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: schannel.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: photometadatahandler.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: windows.security.authentication.web.core.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: vaultcli.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: microsoftaccountwamextension.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: mskeyprotect.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: ntasn1.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: ncrypt.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: ncryptsslp.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: msasn1.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: dpapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: cryptsp.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: rsaenh.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: gpapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: mfsrcsnk.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: appcontracts.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: usermgrproxy.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: cdprt.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: cdp.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: dsreg.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: mfps.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: mfmp4srcsnk.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: msamrnbsource.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: mfasfsrcsnk.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: mfds.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: msflacdecoder.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: avrt.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: mfmpeg2srcsnk.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: mfmkvsrcsnk.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe  Section loaded: mfnetsrc.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: mfnetcore.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: dwmapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: gnsdk_fp.dll
Source: C:\Windows\System32\dllhost.exe - Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\dllhost.exe - Section loaded: uxtheme.dll
Source: C:\Windows\System32\dllhost.exe - Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe - Section loaded: propsys.dll
Source: C:\Windows\System32\dllhost.exe - Section loaded: photometadatahandler.dll
Source: C:\Windows\System32\dllhost.exe - Section loaded: windowscodecs.dll
Source: C:\Windows\System32\dllhost.exe - Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: powrprof.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: rmclient.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: umpdc.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: windows.applicationmodel.lockscreen.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: wincorlib.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: lockappbroker.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: mrmcorer.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: windows.ui.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: wintypes.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: coremessaging.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: textinputframework.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: inputhost.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: propsys.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: ntmarta.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: lockcontroller.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: d3d11.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: dwmapi.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: dxgi.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: npmproxy.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: iphlpapi.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: dusmapi.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: windows.storage.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: wldp.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: uxtheme.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: settingsynccore.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: cryptsp.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: profapi.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: policymanager.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: capauthz.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: msasn1.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: linkinfo.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: userenv.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: sspicli.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: ntshrui.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: srvcli.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: cscapi.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: iertutil.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: structuredquery.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: windows.storage.search.dll
Source: C:\Windows\System32\RuntimeBroker.exe - Section loaded: apphelp.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe - File opened: C:\Windows\SYSTEM32\msftedit.dll
Source: LEC3KQZZqZ - Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: LEC3KQZZqZ - Static PE information: Virtual size of .text is bigger than: 0x100000
Source: LEC3KQZZqZ - Static PE information: Image base 0x140000000 > 0x60000000
Source: LEC3KQZZqZ - Static file information: File size 23558144 > 1048576
Source: LEC3KQZZqZ - Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1675a00
Source: LEC3KQZZqZ - Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: LEC3KQZZqZ - Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\buildslave\l4d2_rel_win32\build\src\utils\hammer_run_map_launcher\Release\hammer_run_map_launcher.pdb@ source: douyin.exe, 0000000C.00000000.1414145087.0000000000E3C000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: c:\buildslave\l4d2_rel_win32\build\src\utils\hammer_run_map_launcher\Release\hammer_run_map_launcher.pdb source: douyin.exe, 0000000C.00000000.1414145087.0000000000E3C000.00000002.00000001.01000000.00000009.sdmp, douyin.exe.0.dr
Source: Binary string: c:\buildslave\l4d2_rel_win32\build\src\utils\hammer_run_map_launcher\Release\hammer_run_map_launcher.pdb@A source: douyin.exe.0.dr
Source: Binary string: C:\Users\Administrator\Desktop\KinndigitDll\x64\Release\KinndigitDll.pdb source: svchost.exe, 00000008.00000000.1367810797.000001E7202F0000.00000040.00000001.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2641496491.000001E72030E000.00000040.00000001.00020000.00000000.sdmp, sscronet.dll.0.dr
Source: C:\Program Files (x86)\Common Files\System\douyin.exe - Code function: 12_2_6CE6FEA0 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 12_2_6CE6FEA0
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Code function: 0_2_00007FFF238B7CD2 push rdx; retn 0008h 0_2_00007FFF238B7CD3
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - File created: C:\Program Files (x86)\Common Files\System\tier0.dll
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - File created: C:\Program Files (x86)\Common Files\System\sscronet.dll
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - File created: C:\Program Files (x86)\Common Files\System\douyin.exe
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MyPythonApp
Source: C:\Windows\System32\RuntimeBroker.exe - Key value created or modified: HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\dd9f7a7c-dcba-4a13-bf03-402628bd88f7.Response.0 Link
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe - Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\backgroundTaskHost.exe - Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\RuntimeBroker.exe - Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe - Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\BackgroundTransferHost.exe - Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe - Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Memory allocated: 1EE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Memory allocated: 1CB70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 599872
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 599761
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 599650
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 599538
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 599426
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 599315
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 599189
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 599063
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 598937
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 598827
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 598715
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 598603
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 598492
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 598380
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 598268
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 598141
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 598014
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 597902
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 597790
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 597678
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 597550
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 597422
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 597310
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 597198
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 597086
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 596974
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 596862
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 596735
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 596607
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 596495
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 596383
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 596272
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 596160
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 596048
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 595920
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 595808
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 595696
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 595584
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 595472
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 595344
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 595233
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 595121
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 595009
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 594897
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 594785
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 594673
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 594545
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 594434
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Thread delayed: delay time: 594323
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Window / User API: threadDelayed 9854
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\System\sscronet.dll
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe - API coverage: 6.5 %
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -599872s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7068 - Thread sleep count: 9854 > 30
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -599761s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -599650s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -599538s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -599426s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -599315s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -599189s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -599063s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -598937s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -598827s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -598715s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -598603s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -598492s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -598380s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -598268s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -598141s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -598014s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -597902s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -597790s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -597678s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -597550s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -597422s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -597310s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -597198s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -597086s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -596974s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -596862s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -596735s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -596607s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -596495s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -596383s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -596272s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -596160s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -596048s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -595920s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -595808s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -595696s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -595584s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -595472s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -595344s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -595233s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -595121s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -595009s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -594897s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -594785s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -594673s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -594545s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -594434s >= -30000s
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe TID: 7072 - Thread sleep time: -594323s >= -30000s
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe TID: 3388 - Thread sleep count: 211 > 30
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe TID: 3388 - Thread sleep time: -18230400000s >= -30000s
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe TID: 3388 - Thread sleep time: -86400000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\backgroundTaskHost.exe | File Volume queried: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState FullSizeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Code function: 0_2_00007FFF238EF22C FindFirstFileExW, 0_2_00007FFF238EF22C
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 599872
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 599761
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 599650
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 599538
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 599426
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 599315
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 599189
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 599063
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 598937
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 598827
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 598715
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 598603
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 598492
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 598380
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 598268
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 598141
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 598014
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 597902
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 597790
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 597678
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 597550
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 597422
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 597310
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 597198
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 597086
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 596974
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 596862
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 596735
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 596607
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 596495
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 596383
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 596272
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 596160
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 596048
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 595920
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 595808
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 595696
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 595584
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 595472
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 595344
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 595233
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 595121
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 595009
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 594897
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 594785
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 594673
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 594545
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 594434
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Thread delayed: delay time: 594323
Source: C:\Windows\System32\RuntimeBroker.exe | File opened: C:\Users\user
Source: C:\Windows\System32\RuntimeBroker.exe | File opened: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState
Source: C:\Windows\System32\RuntimeBroker.exe | File opened: C:\Users\user\AppData\Local\Packages
Source: C:\Windows\System32\RuntimeBroker.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\RuntimeBroker.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\RuntimeBroker.exe | File opened: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
Source: svchost.exe, 00000008.00000000.1364824351.000001E71F438000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@vmicheartbeat
Source: LEC3KQZZqZ.exe, 00000000.00000002.1416892017.000000000204E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll99
Source: backgroundTaskHost.exe, 00000009.00000002.2024561341.000002AFE8100000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: post:https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425116219&TID=700333446&CID=128000000001627409&BID=989019293&PG=PC000P0FR5.0000000IRU&TPID=425116219&REQASID=936F10CEBAEC48A3BD5396B596ABA39C&ASID={ASID}&TIME={DATETIME}&SLOT=1&REQT=20231006T092251&MA_Score=2&PERSID=10F81E789E319D42EC4AA1453D7F2A1F&GLOBALDEVICEID=6825823808502225&LOuserD=w:FE1B96A2-259B-5869-454D-D5537637F7CC&DS_EVTID=78804ba7f6c24e7f9c16472d403ec2aa&BCNT=1&PG=PC000P0FR5.0000000IRU&UNID=338389&MAP_TID=10506DB7-2E55-40A2-B0D3-9ABE368F8F3F&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=936F10CEBAEC48A3BD5396B596ABA39C&REQASID=936F10CEBAEC48A3BD5396B596ABA39C&ARC=1&EMS=1&AUTH=1&LOCALE=EN-CH&COUNTRY=CH&HTD=-1&LANG=4096&DEVLANG=EN&CIP=184.170.240.238&ID=10F81E789E319D42EC4AA1453D7F2A1F&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.19045.2006&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=19045&DEVOSMINBLD=2006&LOD=0&LOH=0&LO=15&RAFB=0&MARKETBASEDCOUNTRY=CH&CLR=CDM&CFMT=TEXT%2CIMAGE&SFT=JPEG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50543&CACHE_FS=25234&CACHE_SC=6&WPX=1&HPX=1&TIME=20231006T092250Z&PL=EN-CH%2CEN-GB&CTMODE=MULTISESSION&ARCH=X64&BETAEDGEVER=0.0.0.0&CANEDGEVER=0.0.0.0&CDMVER=10.0.19041.1023&DEVEDGEVER=0.0.0.0&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-338389&OEMNAME=VMWARE%2C%20INC.&OEMID=PUBLIC&OSSKU=PROFESSIONAL&SCMID=PUBLIC&SMBIOSDM=VMWARE20%2C1&STABEDGEVER=117.0.2045.47&SVCMPT=RED&SVGTNG=2&SVTMEXP=1699747200&SVTMUPD=1696583123&TL=2&TSU=15&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&SVOFFERED=2&CHNL=CFD&UIT=PF
Source: backgroundTaskHost.exe, 00000009.00000003.1807858351.000002AFE87EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3735cdb3c857e3c8700604b10320ca444dbee96d28639fb85db01977d58bd8b9FDE47-23DE-02FE-688D-BE7C12504230&deviceId=6825823808502225&anid=","eventName":"dislike"}]},"triggers":[{"action":"onRender","intent":"opportunity","trigger":"render"}]}]}":[{"action":"onRender","intent":"opportunity","trigger":"render"}]}]},"prm":{"_id":"99999999","startTime":"2025-02-15T18:34:19","expireTime":"2025-03-01T18:34:19","rotationPeriod":21600,"requiresNetwork":0,"reuseCount":-1,"_imp":"https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=995cef2e4c2e40afa16f87b62b51d664&louserd=w:72AFDE47-23DE-02FE-688D-BE7C12504230&deviceId=6825823808502225&anid="}}"post:https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425116219&TID=700333446&CID=128000000001627409&BID=989019293&PG=PC000P0FR5.0000000IRU&TPID=425116219&REQASID=936F10CEBAEC48A3BD5396B596ABA39C&ASID={ASID}&TIME={DATETIME}&SLOT=1&REQT=20231006T092251&MA_Score=2&PERSID=10F81E789E319D42EC4AA1453D7F2A1F&GLOBALDEVICEID=6825823808502225&LOuserD=w:FE1B96A2-259B-5869-454D-D5537637F7CC&DS_EVTID=78804ba7f6c24e7f9c16472d403ec2aa&BCNT=1&PG=PC000P0FR5.0000000IRU&UNID=338389&MAP_TID=10506DB7-2E55-40A2-B0D3-9ABE368F8F3F&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=936F10CEBAEC48A3BD5396B596ABA39C&REQASID=936F10CEBAEC48A3BD5396B596ABA39C&ARC=1&EMS=1&AUTH=1&LOCALE=EN-CH&COUNTRY=CH&HTD=-1&LANG=4096&DEVLANG=EN&CIP=184.170.240.238&ID=10F81E789E319D42EC4AA1453D7F2A1F&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.19045.2006&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=19045&DEVOSMINBLD=2006&LOD=0&LOH=0&LO=15&RAFB=0&MARKETBASEDCOUNTRY=CH&CLR=CDM&CFMT=TEXT%2CIMAGE&SFT=JPEG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50543&CACHE_FS=25234&CACHE_SC=6&WPX=1&HPX=1&TIME=20231006T092250Z&PL=EN-CH%2CEN-GB&CTMODE=M
ULTISESSION&ARCH=X64&BETAEDGEVER=0.0.0.0&CANEDGEVER=0.0.0.0&CDMVER=10.0.19041.1023&DEVEDGEVER=0.0.0.0&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-338389&OEMNAME=VMWARE%2C%20INC.&OEMID=PUBLIC&OSSKU=PROFESSIONAL&SCMID=PUBLIC&SMBIOSDM=VMWARE20%2C1&STABEDGEVER=117.0.2045.47&SVCMPT=RED&SVGTNG=2&SVTMEXP=1699747200&SVTMUPD=1696583123&TL=2&TSU=15&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&SVOFFERED=2&CHNL=CFD&UIT=P"ASRING=&SVOFFERED=2&CHNL=CFD&UIT=P","startTime":"2019-10-11T21:05:41","expireTime":"2035-12-31T08:00:00","reuseCount":0,"rotationPeriod":604800,"requiresNetwork":0}
Source: svchost.exe, 00000008.00000000.1365833590.000001E71FC3D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000-06f
Source: RuntimeBroker.exe, 0000000A.00000003.2344471378.000002C485416000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: svchost.exe, 00000008.00000000.1365621621.000001E71FC00000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: svchost.exe, 00000008.00000002.2618290555.000001E71FC41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000-06f
Source: RuntimeBroker.exe, 0000000A.00000003.2007907569.000002C484B04000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: RuntimeBroker.exe, 0000000A.00000003.2344471431.000002C484B2E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: backgroundTaskHost.exe, 00000009.00000003.1539087100.000002AFE8C7E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: N=0&DEVOSBLD=19045&DEVOSMINBLD=2006&LOD=0&LOH=0&LO=0&RAFB=0&MARKETBASEDCOUNTRY=CH&CLR=CDM&CFMT=TEXT%2CIMAGE&SFT=JPEG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50543&CACHE_FS=25234&CACHE_SC=6&WPX=1&HPX=1&TIME=20231006T090727Z&PL=EN-CH%2CEN-GB&CTMODE=MULTISESSION&ARCH=X64&BETAEDGEVER=0.0.0.0&CANEDGEVER=0.0.0.0&CDMVER=10.0.19041.1023&DEVEDGEVER=0.0.0.0&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-314559&OEMNAME=VMWARE%2C%20INC.&OEMID=PUBLIC&OSSKU=PROFESSIONAL&SCMID=PUBLIC&SMBIOSDM=VMWARE20%2C1&STABEDGEVER=117.0.2045.47&SVCMPT=RED&SVGTNG=2&SVTMEXP=1699747200&SVTMUPD=1696583123&TL=2&TSU=0&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&SVOFFERED=2&CHNL=CFD&UIT=P\",\"reuseCount\":-1,\"requiresNetwork\":0,\"expireTime\":\"2024-10-06T09:07:27\",\"rotationPeriod\":31536000}}"}],"refreshtime":"2023-10-13T09:07:27"}
Source: RuntimeBroker.exe, 0000000A.00000003.1960046041.000002C48547D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}5508901e80_1
Source: backgroundTaskHost.exe, 00000009.00000002.2007905031.000002AFE6113000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: post:https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425116120&TID=700333386&CID=128000000001627409&BID=1718890691&PG=PC000P0FR5.0000000INI&TPID=425116120&REQASID=0ABAFAD7807F449C8703CC708181FCF8&ASID={ASID}&TIME={DATETIME}&SLOT=1&REQT=20231006T091016&MA_Score=2&PERSID=10F81E789E319D42EC4AA1453D7F2A1F&GLOBALDEVICEID=6825823808502225&LOuserD=w:FE1B96A2-259B-5869-454D-D5537637F7CC&DS_EVTID=89ce5068168e4f6d918430347bcab987&BCNT=1&PG=PC000P0FR5.0000000INI&UNID=280811&MAP_TID=F6E45352-9E00-4999-9332-6E7F2B493233&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=0ABAFAD7807F449C8703CC708181FCF8&REQASID=0ABAFAD7807F449C8703CC708181FCF8&ARC=1&EMS=1&AUTH=1&LOCALE=EN-CH&COUNTRY=CH&HTD=-1&LANG=4096&DEVLANG=EN&CIP=184.170.240.238&ID=10F81E789E319D42EC4AA1453D7F2A1F&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.19045.2006&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=19045&DEVOSMINBLD=2006&LOD=0&LOH=0&LO=3&RAFB=0&MARKETBASEDCOUNTRY=CH&CLR=CDM&CFMT=TEXT%2CIMAGE&SFT=JPEG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50543&CACHE_FS=25234&CACHE_SC=6&WPX=1&HPX=1&TIME=20231006T091016Z&PL=EN-CH%2CEN-GB&CTMODE=MULTISESSION&ARCH=X64&BETAEDGEVER=0.0.0.0&CANEDGEVER=0.0.0.0&CDMVER=10.0.19041.1023&DEVEDGEVER=0.0.0.0&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-280811&OEMNAME=VMWARE%2C%20INC.&OEMID=PUBLIC&OSSKU=PROFESSIONAL&SC-MSA=7&SCMID=PUBLIC&SMBIOSDM=VMWARE20%2C1&STABEDGEVER=117.0.2045.47&SVCMPT=RED&SVGTNG=2&SVTMEXP=1699747200&SVTMUPD=1696583123&TL=2&TSU=3&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&SVOFFERED=2&CHNL=CFD&UIT=P
Source: backgroundTaskHost.exe, 00000009.00000003.1470226638.000002AFE811C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: {"_id":"B_9P1J8S7CCWWT_9NBLGGH5R558_9WZDNCRFHVN5_9NBLGGH5L9XT_9WZDNCRF0083","startTime":"2023-07-31T22:25:16","_imp":"post:https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425681886&TID=700341298&CID=128000000004376209&BID=1359425077&PG=PC000P0FR5.0000000IQ8&TPID=425681886&REQASID=E14D79EE86654789902121065147F0F4&ASID={ASID}&TIME={DATETIME}&SLOT=2&REQT=20231006T090726&MA_Score=2&PERSID=10F81E789E319D42EC4AA1453D7F2A1F&GLOBALDEVICEID=6825823808502225&LOuserD=w:FE1B96A2-259B-5869-454D-D5537637F7CC&DS_EVTID=65f1831940ec4ce59e7f2a623ff57673&BCNT=1&PG=PC000P0FR5.0000000IQ8&UNID=314559&MAP_TID=9965740B-3904-4036-8329-14EE764FA697&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=E14D79EE86654789902121065147F0F4&REQASID=E14D79EE86654789902121065147F0F4&ARC=1&EMS=1&AUTH=1&LOCALE=EN-CH&COUNTRY=CH&HTD=-1&LANG=4096&DEVLANG=EN&CIP=184.170.240.238&ID=10F81E789E319D42EC4AA1453D7F2A1F&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.19045.2006&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=19045&DEVOSMINBLD=2006&LOD=0&LOH=0&LO=0&RAFB=0&MARKETBASEDCOUNTRY=CH&CLR=CDM&CFMT=TEXT%2CIMAGE&SFT=JPEG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50543&CACHE_FS=25234&CACHE_SC=6&WPX=1&HPX=1&TIME=20231006T090727Z&PL=EN-CH%2CEN-GB&CTMODE=MULTISESSION&ARCH=X64&BETAEDGEVER=0.0.0.0&CANEDGEVER=0.0.0.0&CDMVER=10.0.19041.1023&DEVEDGEVER=0.0.0.0&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-314559&OEMNAME=VMWARE%2C%20INC.&OEMID=PUBLIC&OSSKU=PROFESSIONAL&SCMID=PUBLIC&SMBIOSDM=VMWARE20%2C1&STABEDGEVER=117.0.2045.47&SVCMPT=RED&SVGTNG=2&SVTMEXP=1699747200&SVTMUPD=1696583123&TL=2&TSU=0&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&SVOFFERED=2&CHNL=CFD&UIT=P","reuseCount":-1,"requiresNetwork":0,"expireTime":"2024-10-06T09:07:27","rotationPeriod":31536000}o
Source: backgroundTaskHost.exe, 00000009.00000002.2007905031.000002AFE6113000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: E=VMWARE%2C%20INEMID=PU
Source: backgroundTaskHost.exe, 00000009.00000003.1470226638.000002AFE811C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: D=10F81E789E319D42EC4AA1453D7F2A1F&GLOBALDEVICEID=6825823808502225&LOuserD=w:FE1B96A2-259B-5869-454D-D5537637F7CC&DS_EVTID=af267b8d26f84aa785349cbf1df5d33a&BCNT=1&PG=IRIS000001.0000000165&UNID=88000165&MAP_TID=1990AA59-C18C-4E6E-AE46-2711852A95FC&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=0E43F0B737E9431FA6B21006BD17954F&REQASID=0E43F0B737E9431FA6B21006BD17954F&ARC=1&EMS=1&AUTH=1&LOCALE=EN-CH&COUNTRY=CH&HTD=-1&LANG=4096&DEVLANG=EN&CIP=184.170.240.238&ID=10F81E789E319D42EC4AA1453D7F2A1F&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.19045.2006&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=19045&DEVOSMINBLD=2006&LOD=0&LOH=0&LO=3&RAFB=0&MARKETBASEDCOUNTRY=CH&CLR=CDM&CFMT=TEXT%2CIMAGE&SFT=JPEG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50543&CACHE_FS=25234&CACHE_SC=6&WPX=1&HPX=1&TIME=20231006T091020Z&PL=EN-CH%2CEN-GB&CTMODE=MULTISESSION&ARCH=X64&BETAEDGEVER=0.0.0.0&CANEDGEVER=0.0.0.0&CDMVER=10.0.19041.1023&DEVEDGEVER=0.0.0.0&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-88000165&OEMNAME=VMWARE%2C%20INC.&OEMID=PUBLIC&OSSKU=PROFESSIONAL&SC-MSA=7&SCMID=PUBLIC&SMBIOSDM=VMWARE20%2C1&STABEDGEVER=117.0.2045.47&SVCMPT=RED&SVGTNG=2&SVTMEXP=1699747200&SVTMUPD=1696583123&TL=2&TSU=3&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&SVOFFERED=2&CHNL=CFD&UIT=P","startTime":"2019-10-11T21:05:44","expireTime":"2035-12-31T08:00:00","reuseCount":0,"rotationPeriod":604800,"requiresNetwork":0}
Source: backgroundTaskHost.exe, 00000009.00000003.1508747636.000002AFE8291000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: post:https://arc.msn.com/v3/Delivery/Events/Impression=&PID=400084281&TID=700117803&CID=116000000000270658&BID=206136082&PG=PC000P0FR5.0000000G4I&TPID=400084281&REQASID=A7D4CEFA9FC5425BBA17DA5C38D6A20A&ASID={ASID}&TIME={DATETIME}&SLOT=1&REQT=20231006T091013&MA_Score=2&PERSID=10F81E789E319D42EC4AA1453D7F2A1F&GLOBALDEVICEID=6825823808502225&LOuserD=w:FE1B96A2-259B-5869-454D-D5537637F7CC&DS_EVTID=84126941c81948e4bd09125dff710c0a&BCNT=1&PG=PC000P0FR5.0000000G4I&UNID=202914&MAP_TID=BF551C98-B2F1-4020-AC4E-97A41C25A6D3&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=A7D4CEFA9FC5425BBA17DA5C38D6A20A&REQASID=A7D4CEFA9FC5425BBA17DA5C38D6A20A&ARC=1&EMS=1&AUTH=1&LOCALE=EN-CH&COUNTRY=CH&HTD=-1&LANG=4096&DEVLANG=EN&CIP=184.170.240.238&ID=10F81E789E319D42EC4AA1453D7F2A1F&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.19045.2006&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=19045&DEVOSMINBLD=2006&LOD=0&LOH=0&LO=3&RAFB=0&MARKETBASEDCOUNTRY=CH&CLR=CDM&CFMT=TEXT%2CIMAGE&SFT=JPEG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50543&CACHE_FS=25234&CACHE_SC=6&WPX=1&HPX=1&TIME=20231006T091013Z&PL=EN-CH%2CEN-GB&CTMODE=MULTISESSION&ARCH=X64&BETAEDGEVER=0.0.0.0&CANEDGEVER=0.0.0.0&CDMVER=10.0.19041.1023&DEVEDGEVER=0.0.0.0&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-202914&OEMNAME=VMWARE%2C%20INC.&OEMID=PUBLIC&OSSKU=PROFESSIONAL&SCMID=PUBLIC&SMBIOSDM=VMWARE20%2C1&STABEDGEVER=117.0.2045.47&SVCMPT=RED&SVGTNG=2&SVTMEXP=1699747200&SVTMUPD=1696583123&TL=2&TSU=3&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&SVOFFERED=2&CHNL=CFD&UIT=PB&'
Source: backgroundTaskHost.exe, 00000009.00000003.1782869999.000002AFE8291000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: post:https://arc.msn.com/v3/Delivery/Events/Impression=&PID=400084281&TID=700117803&CID=116000000000270658&BID=206136082&PG=PC000P0FR5.0000000G4I&TPID=400084281&REQASID=A7D4CEFA9FC5425BBA17DA5C38D6A20A&ASID={ASID}&TIME={DATETIME}&SLOT=1&REQT=20231006T091013&MA_Score=2&PERSID=10F81E789E319D42EC4AA1453D7F2A1F&GLOBALDEVICEID=6825823808502225&LOuserD=w:FE1B96A2-259B-5869-454D-D5537637F7CC&DS_EVTID=84126941c81948e4bd09125dff710c0a&BCNT=1&PG=PC000P0FR5.0000000G4I&UNID=202914&MAP_TID=BF551C98-B2F1-4020-AC4E-97A41C25A6D3&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=A7D4CEFA9FC5425BBA17DA5C38D6A20A&REQASID=A7D4CEFA9FC5425BBA17DA5C38D6A20A&ARC=1&EMS=1&AUTH=1&LOCALE=EN-CH&COUNTRY=CH&HTD=-1&LANG=4096&DEVLANG=EN&CIP=184.170.240.238&ID=10F81E789E319D42EC4AA1453D7F2A1F&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.19045.2006&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=19045&DEVOSMINBLD=2006&LOD=0&LOH=0&LO=3&RAFB=0&MARKETBASEDCOUNTRY=CH&CLR=CDM&CFMT=TEXT%2CIMAGE&SFT=JPEG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50543&CACHE_FS=25234&CACHE_SC=6&WPX=1&HPX=1&TIME=20231006T091013Z&PL=EN-CH%2CEN-GB&CTMODE=MULTISESSION&ARCH=X64&BETAEDGEVER=0.0.0.0&CANEDGEVER=0.0.0.0&CDMVER=10.0.19041.1023&DEVEDGEVER=0.0.0.0&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-202914&OEMNAME=VMWARE%2C%20INC.&OEMID=PUBLIC&OSSKU=PROFESSIONAL&SCMID=PUBLIC&SMBIOSDM=VMWARE20%2C1&STABEDGEVER=117.0.2045.47&SVCMPT=RED&SVGTNG=2&SVTMEXP=1699747200&SVTMUPD=1696583123&TL=2&TSU=3&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&SVOFFERED=2&CHNL=CFD&UIT=PB&(
Source: backgroundTaskHost.exe, 00000009.00000002.2007905031.000002AFE6113000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ,#post:https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425116118&TID=700333392&CID=128000000001627409&BID=1063591175&PG=IRIS000001.0000000161&TPID=425116118&REQASID=8712A4C508E64BF9B3B27EC823541E54&ASID={ASID}&TIME={DATETIME}&SLOT=1&REQT=20231006T091018&MA_Score=2&PERSID=10F81E789E319D42EC4AA1453D7F2A1F&GLOBALDEVICEID=6825823808502225&LOuserD=w:FE1B96A2-259B-5869-454D-D5537637F7CC&DS_EVTID=90805ad2f4e147d9a7d4e0e0f935521e&BCNT=1&PG=IRIS000001.0000000161&UNID=88000161&MAP_TID=A8203B71-EA2B-4340-9A52-E390A48C1642&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=8712A4C508E64BF9B3B27EC823541E54&REQASID=8712A4C508E64BF9B3B27EC823541E54&ARC=1&EMS=1&AUTH=1&LOCALE=EN-CH&COUNTRY=CH&HTD=-1&LANG=4096&DEVLANG=EN&CIP=184.170.240.238&ID=10F81E789E319D42EC4AA1453D7F2A1F&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.19045.2006&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=19045&DEVOSMINBLD=2006&LOD=0&LOH=0&LO=3&RAFB=0&MARKETBASEDCOUNTRY=CH&CLR=CDM&CFMT=TEXT%2CIMAGE&SFT=JPEG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50543&CACHE_FS=25234&CACHE_SC=6&WPX=1&HPX=1&TIME=20231006T091018Z&PL=EN-CH%2CEN-GB&CTMODE=MULTISESSION&ARCH=X64&BETAEDGEVER=0.0.0.0&CANEDGEVER=0.0.0.0&CDMVER=10.0.19041.1023&DEVEDGEVER=0.0.0.0&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-88000161&OEMNAME=VMWARE%2C%20INC.&OEMID=PUBLIC&OSSKU=PROFESSIONAL&SC-MSA=7&SCMID=PUBLIC&SMBIOSDM=VMWARE20%2C1&STABEDGEVER=117.0.2045.47&SVCMPT=RED&SVGTNG=2&SVTMEXP=1699747200&SVTMUPD=1696583123&TL=2&TSU=3&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&SVOFFERED=2&CHNL=CFD&UIT=PC7&A
Source: RuntimeBroker.exe, 0000000A.00000003.2359478317.000002C485415000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0)
Source: backgroundTaskHost.exe, 00000009.00000002.2053210175.000002AFE8291000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: post:https://arc.msn.com/v3/Delivery/Events/Impression=&PID=400084281&TID=700117803&CID=116000000000270658&BID=206136082&PG=PC000P0FR5.0000000G4I&TPID=400084281&REQASID=A7D4CEFA9FC5425BBA17DA5C38D6A20A&ASID={ASID}&TIME={DATETIME}&SLOT=1&REQT=20231006T091013&MA_Score=2&PERSID=10F81E789E319D42EC4AA1453D7F2A1F&GLOBALDEVICEID=6825823808502225&LOuserD=w:FE1B96A2-259B-5869-454D-D5537637F7CC&DS_EVTID=84126941c81948e4bd09125dff710c0a&BCNT=1&PG=PC000P0FR5.0000000G4I&UNID=202914&MAP_TID=BF551C98-B2F1-4020-AC4E-97A41C25A6D3&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=A7D4CEFA9FC5425BBA17DA5C38D6A20A&REQASID=A7D4CEFA9FC5425BBA17DA5C38D6A20A&ARC=1&EMS=1&AUTH=1&LOCALE=EN-CH&COUNTRY=CH&HTD=-1&LANG=4096&DEVLANG=EN&CIP=184.170.240.238&ID=10F81E789E319D42EC4AA1453D7F2A1F&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.19045.2006&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=19045&DEVOSMINBLD=2006&LOD=0&LOH=0&LO=3&RAFB=0&MARKETBASEDCOUNTRY=CH&CLR=CDM&CFMT=TEXT%2CIMAGE&SFT=JPEG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50543&CACHE_FS=25234&CACHE_SC=6&WPX=1&HPX=1&TIME=20231006T091013Z&PL=EN-CH%2CEN-GB&CTMODE=MULTISESSION&ARCH=X64&BETAEDGEVER=0.0.0.0&CANEDGEVER=0.0.0.0&CDMVER=10.0.19041.1023&DEVEDGEVER=0.0.0.0&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-202914&OEMNAME=VMWARE%2C%20INC.&OEMID=PUBLIC&OSSKU=PROFESSIONAL&SCMID=PUBLIC&SMBIOSDM=VMWARE20%2C1&STABEDGEVER=117.0.2045.47&SVCMPT=RED&SVGTNG=2&SVTMEXP=1699747200&SVTMUPD=1696583123&TL=2&TSU=3&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&SVOFFERED=2&CHNL=CFD&UIT=PB&$
Source: RuntimeBroker.exe, 0000000A.00000003.2319033261.000002C48551E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}PP
Source: backgroundTaskHost.exe, 00000009.00000002.2024561341.000002AFE812D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: post:https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425681888&TID=700342084&CID=128000000004376189&BID=1193781875&PG=PC000P0FR5.0000000IQ8&TPID=425681888&REQASID=E14D79EE86654789902121065147F0F4&ASID={ASID}&TIME={DATETIME}&SLOT=1&REQT=20231006T090726&MA_Score=2&PERSID=10F81E789E319D42EC4AA1453D7F2A1F&GLOBALDEVICEID=6825823808502225&LOuserD=w:FE1B96A2-259B-5869-454D-D5537637F7CC&DS_EVTID=2eacf0775d9c4c4db4b286210a11d809&BCNT=1&PG=PC000P0FR5.0000000IQ8&UNID=314559&MAP_TID=9965740B-3904-4036-8329-14EE764FA697&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=E14D79EE86654789902121065147F0F4&REQASID=E14D79EE86654789902121065147F0F4&ARC=1&EMS=1&AUTH=1&LOCALE=EN-CH&COUNTRY=CH&HTD=-1&LANG=4096&DEVLANG=EN&CIP=184.170.240.238&ID=10F81E789E319D42EC4AA1453D7F2A1F&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.19045.2006&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=19045&DEVOSMINBLD=2006&LOD=0&LOH=0&LO=0&RAFB=0&MARKETBASEDCOUNTRY=CH&CLR=CDM&CFMT=TEXT%2CIMAGE&SFT=JPEG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50543&CACHE_FS=25234&CACHE_SC=6&WPX=1&HPX=1&TIME=20231006T090727Z&PL=EN-CH%2CEN-GB&CTMODE=MULTISESSION&ARCH=X64&BETAEDGEVER=0.0.0.0&CANEDGEVER=0.0.0.0&CDMVER=10.0.19041.1023&DEVEDGEVER=0.0.0.0&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-314559&OEMNAME=VMWARE%2C%20INC.&OEMID=PUBLIC&OSSKU=PROFESSIONAL&SCMID=PUBLIC&SMBIOSDM=VMWARE20%2C1&STABEDGEVER=117.0.2045.47&SVCMPT=RED&SVGTNG=2&SVTMEXP=1699747200&SVTMUPD=1696583123&TL=2&TSU=0&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&SVOFFERED=2&CHNL=CFD&UIT=PSE
Source: svchost.exe, 00000008.00000000.1364824351.000001E71F438000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: $@vmicheartbeat
Source: backgroundTaskHost.exe, 00000009.00000003.1411364307.000002AFE810C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: post:https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425681886&TID=700341298&CID=128000000004376209&BID=1359425077&PG=PC000P0FR5.0000000IQ8&TPID=425681886&REQASID=E14D79EE86654789902121065147F0F4&ASID={ASID}&TIME={DATETIME}&SLOT=2&REQT=20231006T090726&MA_Score=2&PERSID=10F81E789E319D42EC4AA1453D7F2A1F&GLOBALDEVICEID=6825823808502225&LOuserD=w:FE1B96A2-259B-5869-454D-D5537637F7CC&DS_EVTID=65f1831940ec4ce59e7f2a623ff57673&BCNT=1&PG=PC000P0FR5.0000000IQ8&UNID=314559&MAP_TID=9965740B-3904-4036-8329-14EE764FA697&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=E14D79EE86654789902121065147F0F4&REQASID=E14D79EE86654789902121065147F0F4&ARC=1&EMS=1&AUTH=1&LOCALE=EN-CH&COUNTRY=CH&HTD=-1&LANG=4096&DEVLANG=EN&CIP=184.170.240.238&ID=10F81E789E319D42EC4AA1453D7F2A1F&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.19045.2006&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=19045&DEVOSMINBLD=2006&LOD=0&LOH=0&LO=0&RAFB=0&MARKETBASEDCOUNTRY=CH&CLR=CDM&CFMT=TEXT%2CIMAGE&SFT=JPEG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50543&CACHE_FS=25234&CACHE_SC=6&WPX=1&HPX=1&TIME=20231006T090727Z&PL=EN-CH%2CEN-GB&CTMODE=MULTISESSION&ARCH=X64&BETAEDGEVER=0.0.0.0&CANEDGEVER=0.0.0.0&CDMVER=10.0.19041.1023&DEVEDGEVER=0.0.0.0&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-314559&OEMNAME=VMWARE%2C%20INC.&OEMID=PUBLIC&OSSKU=PROFESSIONAL&SCMID=PUBLIC&SMBIOSDM=VMWARE20%2C1&STABEDGEVER=117.0.2045.47&SVCMPT=RED&SVGTNG=2&SVTMEXP=1699747200&SVTMUPD=1696583123&TL=2&TSU=0&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&SVOFFERED=2&CHNL=CFD&UIT=Pka
Source: backgroundTaskHost.exe, 00000009.00000002.2109817596.000002AFE87A8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: {"class":"content","collections":[],"itemPropertyManifest":{"noOp":{"type":"action"}},"items":[{"properties":{"noOp":{"event":"none","parameters":{},"action":"noOp"}},"tracking":{"events":[{"id":"impression"}],"parameterized":[{"uri":"https://ris.api.iris.microsoft.com/v1/a/{ACTION}?CID=128000000001627409&region=CH&lang=EN-CH%2CEN-GB&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.19041.1023&mo=&cap=&EID={EID}&&PID=425116119&UIT=P-&TargetID=700333391&AN=361376621&PG=IRIS000001.0000000165&REQASID=0E43F0B737E9431FA6B21006BD17954F&UNID=88000165&ID=10F81E789E319D42EC4AA1453D7F2A1F&ASID={ASID}&REQT=20231006T091020&TIME={DATETIME}&RV=&RS=&DEVOSVER=10.0.19045.2006&PERSID=10F81E789E319D42EC4AA1453D7F2A1F&GLOBALDEVICEID=6825823808502225&LOuserD=w:FE1B96A2-259B-5869-454D-D5537637F7CC&DS_EVTID=af267b8d26f84aa785349cbf1df5d33a&WFIDS=&ER_AC=&ARCRAS=&CLR=CDM"}]},"triggers":[{"action":"noOp","trigger":"render","intent":"opportunity"}]}],"name":"EmptyCreative","properties":{},"propertyManifest":{},"tracking":{"events":[],"parameterized":[]},"triggers":[]}CHE_IMP=0&CACHE_CHF=0&CACHE_DS=50543&CACHE_FS=25234&CACHE_SC=6&WPX=1&HPX=1&TIME=20231006T091020Z&PL=EN-CH%2CEN-GB&CTMODE=MULTISESSION&ARCH=X64&BETAEDGEVER=0.0.0.0&CANEDGEVER=0.0.0.0&CDMVER=10.0.19041.1023&DEVEDGEVER=0.0.0.0&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-88000165&OEMNAME=VMWARE%2C%20INC.&OEMID=PUBLIC&OSSKU=PROFESSIONAL&SC-MSA=7&SCMID=PUBLIC&SMBIOSDM=VMWARE20%2C1&STABEDGEVER=117.0.2045.47&SVCMPT=RED&SVGTNG=2&SVTMEXP=1699747200&SVTMUPD=1696583123&TL=2&TSU=3&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&SVOFFERED=2&CHNL=CFD&UIT=P"ASRING=&SVOFFERED=2&CHNL=CFD&UIT=P","startTime":"2019-10-11T21:05:44","expireTime":"2035-12-31T08:00:00","reuseCount":0,"rotationPeriod":604800,"requiresNetwork":0}}
Source: backgroundTaskHost.exe, 00000009.00000003.1649213249.000002AFE8C6E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .0.0&CDMVER=10.0.19041.1023&DEVEDGEVER=0.0.0.0&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-314559&OEMNAME=VMWARE%2C%20INC.&OEMID=PUBLIC&OSSKU=PROFESSIONAL&SCMID=PUBLIC&SMBIOSDM=VMWARE20%2C1&STABEDGEVER=117.0.2045.47&SVCMPT=RED&SVGTNG=2&SVTMEXP=1699747200&SVTMUPD=1696583123&TL=2&TSU=0&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&SVOFFERED=2&CHNL=CFD&UIT=P\",\"reuseCount\":-1,\"requiresNetwork\":0,\"expireTime\":\"2024-10-06T09:07:27\",\"rotationPeriod\":31536000}}"}],"refreshtime":"2023-10-13T09:07:27"}}
Source: backgroundTaskHost.exe, 00000009.00000003.1536026468.000002AFE829A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 04376189&BID=1193781875&PG=PC000P0FR5.0000000IQ8&TPID=425681888&REQASID=E14D79EE86654789902121065147F0F4&ASID={ASID}&TIME={DATETIME}&SLOT=1&REQT=20231006T090726&MA_Score=2&PERSID=10F81E789E319D42EC4AA1453D7F2A1F&GLOBALDEVICEID=6825823808502225&LOuserD=w:FE1B96A2-259B-5869-454D-D5537637F7CC&DS_EVTID=2eacf0775d9c4c4db4b286210a11d809&BCNT=1&PG=PC000P0FR5.0000000IQ8&UNID=314559&MAP_TID=9965740B-3904-4036-8329-14EE764FA697&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=E14D79EE86654789902121065147F0F4&REQASID=E14D79EE86654789902121065147F0F4&ARC=1&EMS=1&AUTH=1&LOCALE=EN-CH&COUNTRY=CH&HTD=-1&LANG=4096&DEVLANG=EN&CIP=184.170.240.238&ID=10F81E789E319D42EC4AA1453D7F2A1F&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.19045.2006&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=19045&DEVOSMINBLD=2006&LOD=0&LOH=0&LO=0&RAFB=0&MARKETBASEDCOUNTRY=CH&CLR=CDM&CFMT=TEXT%2CIMAGE&SFT=JPEG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50543&CACHE_FS=25234&CACHE_SC=6&WPX=1&HPX=1&TIME=20231006T090727Z&PL=EN-CH%2CEN-GB&CTMODE=MULTISESSION&ARCH=X64&BETAEDGEVER=0.0.0.0&CANEDGEVER=0.0.0.0&CDMVER=10.0.19041.1023&DEVEDGEVER=0.0.0.0&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-314559&OEMNAME=VMWARE%2C%20INC.&OEMID=PUBLIC&OSSKU=PROFESSIONAL&SCMID=PUBLIC&SMBIOSDM=VMWARE20%2C1&STABEDGEVER=117.0.2045.47&SVCMPT=RED&SVGTNG=2&SVTMEXP=1699747200&SVTMUPD=1696583123&TL=2&TSU=0&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&SVOFFERED=2&CHNL=CFD&UIT=P","reuseCount":-1,"requiresNetwork":0,"expireTime":"2024-10-06T09:07:27","rotationPeriod":31536000}@&
Source: svchost.exe, 00000008.00000000.1364824351.000001E71F438000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: $@vmicshutdownge
Source: svchost.exe, 00000008.00000000.1365621621.000001E71FC00000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: svchost.exe, 00000008.00000000.1364824351.000001E71F438000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: svchost.exe, 00000008.00000000.1364824351.000001E71F438000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @vmicshutdown
Source: backgroundTaskHost.exe, 00000009.00000003.1504609231.000002AFE8298000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: B_9P1J8S7CCWWT_9NBLGGH5R558_9WZDNCRFHVN5_9NBLGGH5L9XT_9WZDNCRF0083","startTime":"2023-07-31T22:25:16","_imp":"post:https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425681886&TID=700341298&CID=128000000004376209&BID=1359425077&PG=PC000P0FR5.0000000IQ8&TPID=425681886&REQASID=E14D79EE86654789902121065147F0F4&ASID={ASID}&TIME={DATETIME}&SLOT=2&REQT=20231006T090726&MA_Score=2&PERSID=10F81E789E319D42EC4AA1453D7F2A1F&GLOBALDEVICEID=6825823808502225&LOuserD=w:FE1B96A2-259B-5869-454D-D5537637F7CC&DS_EVTID=65f1831940ec4ce59e7f2a623ff57673&BCNT=1&PG=PC000P0FR5.0000000IQ8&UNID=314559&MAP_TID=9965740B-3904-4036-8329-14EE764FA697&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=E14D79EE86654789902121065147F0F4&REQASID=E14D79EE86654789902121065147F0F4&ARC=1&EMS=1&AUTH=1&LOCALE=EN-CH&COUNTRY=CH&HTD=-1&LANG=4096&DEVLANG=EN&CIP=184.170.240.238&ID=10F81E789E319D42EC4AA1453D7F2A1F&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.19045.2006&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=19045&DEVOSMINBLD=2006&LOD=0&LOH=0&LO=0&RAFB=0&MARKETBASEDCOUNTRY=CH&CLR=CDM&CFMT=TEXT%2CIMAGE&SFT=JPEG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50543&CACHE_FS=25234&CACHE_SC=6&WPX=1&HPX=1&TIME=20231006T090727Z&PL=EN-CH%2CEN-GB&CTMODE=MULTISESSION&ARCH=X64&BETAEDGEVER=0.0.0.0&CANEDGEVER=0.0.0.0&CDMVER=10.0.19041.1023&DEVEDGEVER=0.0.0.0&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-314559&OEMNAME=VMWARE%2C%20INC.&OEMID=PUBLIC&OSSKU=PROFESSIONAL&SCMID=PUBLIC&SMBIOSDM=VMWARE20%2C1&STABEDGEVER=117.0.2045.47&SVCMPT=RED&SVGTNG=2&SVTMEXP=1699747200&SVTMUPD=1696583123&TL=2&TSU=0&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&SVOFFERED=2&CHNL=CFD&UIT=P","reuseCount":-1,"requiresNetwork":0,"expire
Time":"2024-10-06T09:07:27","rotationPeriod":31536000}@&
Source: backgroundTaskHost.exe, 00000009.00000002.2053210175.000002AFE8273000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: post:https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425116119&TID=700333391&CID=128000000001627409&BID=361376621&PG=IRIS000001.0000000165&TPID=425116119&REQASID=0E43F0B737E9431FA6B21006BD17954F&ASID={ASID}&TIME={DATETIME}&SLOT=1&REQT=20231006T091020&MA_Score=2&PERSID=10F81E789E319D42EC4AA1453D7F2A1F&GLOBALDEVICEID=6825823808502225&LOuserD=w:FE1B96A2-259B-5869-454D-D5537637F7CC&DS_EVTID=af267b8d26f84aa785349cbf1df5d33a&BCNT=1&PG=IRIS000001.0000000165&UNID=88000165&MAP_TID=1990AA59-C18C-4E6E-AE46-2711852A95FC&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=0E43F0B737E9431FA6B21006BD17954F&REQASID=0E43F0B737E9431FA6B21006BD17954F&ARC=1&EMS=1&AUTH=1&LOCALE=EN-CH&COUNTRY=CH&HTD=-1&LANG=4096&DEVLANG=EN&CIP=184.170.240.238&ID=10F81E789E319D42EC4AA1453D7F2A1F&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.19045.2006&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=19045&DEVOSMINBLD=2006&LOD=0&LOH=0&LO=3&RAFB=0&MARKETBASEDCOUNTRY=CH&CLR=CDM&CFMT=TEXT%2CIMAGE&SFT=JPEG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50543&CACHE_FS=25234&CACHE_SC=6&WPX=1&HPX=1&TIME=20231006T091020Z&PL=EN-CH%2CEN-GB&CTMODE=MULTISESSION&ARCH=X64&BETAEDGEVER=0.0.0.0&CANEDGEVER=0.0.0.0&CDMVER=10.0.19041.1023&DEVEDGEVER=0.0.0.0&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-88000165&OEMNAME=VMWARE%2C%20INC.&OEMID=PUBLIC&OSSKU=PROFESSIONAL&SC-MSA=7&SCMID=PUBLIC&SMBIOSDM=VMWARE20%2C1&STABEDGEVER=117.0.2045.47&SVCMPT=RED&SVGTNG=2&SVTMEXP=1699747200&SVTMUPD=1696583123&TL=2&TSU=3&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&SVOFFERED=2&CHNL=CFD&UIT=P09","
Source: backgroundTaskHost.exe, 00000009.00000003.1470226638.000002AFE811C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: post:https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425681886&TID=700341298&CID=128000000004376209&BID=1359425077&PG=PC000P0FR5.0000000IQ8&TPID=425681886&REQASID=E14D79EE86654789902121065147F0F4&ASID={ASID}&TIME={DATETIME}&SLOT=2&REQT=20231006T090726&MA_Score=2&PERSID=10F81E789E319D42EC4AA1453D7F2A1F&GLOBALDEVICEID=6825823808502225&LOuserD=w:FE1B96A2-259B-5869-454D-D5537637F7CC&DS_EVTID=65f1831940ec4ce59e7f2a623ff57673&BCNT=1&PG=PC000P0FR5.0000000IQ8&UNID=314559&MAP_TID=9965740B-3904-4036-8329-14EE764FA697&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=E14D79EE86654789902121065147F0F4&REQASID=E14D79EE86654789902121065147F0F4&ARC=1&EMS=1&AUTH=1&LOCALE=EN-CH&COUNTRY=CH&HTD=-1&LANG=4096&DEVLANG=EN&CIP=184.170.240.238&ID=10F81E789E319D42EC4AA1453D7F2A1F&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.19045.2006&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=19045&DEVOSMINBLD=2006&LOD=0&LOH=0&LO=0&RAFB=0&MARKETBASEDCOUNTRY=CH&CLR=CDM&CFMT=TEXT%2CIMAGE&SFT=JPEG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50543&CACHE_FS=25234&CACHE_SC=6&WPX=1&HPX=1&TIME=20231006T090727Z&PL=EN-CH%2CEN-GB&CTMODE=MULTISESSION&ARCH=X64&BETAEDGEVER=0.0.0.0&CANEDGEVER=0.0.0.0&CDMVER=10.0.19041.1023&DEVEDGEVER=0.0.0.0&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-314559&OEMNAME=VMWARE%2C%20INC.&OEMID=PUBLIC&OSSKU=PROFESSIONAL&SCMID=PUBLIC&SMBIOSDM=VMWARE20%2C1&STABEDGEVER=117.0.2045.47&SVCMPT=RED&SVGTNG=2&SVTMEXP=1699747200&SVTMUPD=1696583123&TL=2&TSU=0&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&SVOFFERED=2&CHNL=CFD&UIT=PVT
Source: backgroundTaskHost.exe, 00000009.00000003.1508747636.000002AFE827E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ps://arc.msn.com/v3/Delivery/Events/Impression=&PID=425681888&TID=700342084&CID=128000000004376189&BID=1193781875&PG=PC000P0FR5.0000000IQ8&TPID=425681888&REQASID=E14D79EE86654789902121065147F0F4&ASID={ASID}&TIME={DATETIME}&SLOT=1&REQT=20231006T090726&MA_Score=2&PERSID=10F81E789E319D42EC4AA1453D7F2A1F&GLOBALDEVICEID=6825823808502225&LOuserD=w:FE1B96A2-259B-5869-454D-D5537637F7CC&DS_EVTID=2eacf0775d9c4c4db4b286210a11d809&BCNT=1&PG=PC000P0FR5.0000000IQ8&UNID=314559&MAP_TID=9965740B-3904-4036-8329-14EE764FA697&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=E14D79EE86654789902121065147F0F4&REQASID=E14D79EE86654789902121065147F0F4&ARC=1&EMS=1&AUTH=1&LOCALE=EN-CH&COUNTRY=CH&HTD=-1&LANG=4096&DEVLANG=EN&CIP=184.170.240.238&ID=10F81E789E319D42EC4AA1453D7F2A1F&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.19045.2006&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=19045&DEVOSMINBLD=2006&LOD=0&LOH=0&LO=0&RAFB=0&MARKETBASEDCOUNTRY=CH&CLR=CDM&CFMT=TEXT%2CIMAGE&SFT=JPEG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50543&CACHE_FS=25234&CACHE_SC=6&WPX=1&HPX=1&TIME=20231006T090727Z&PL=EN-CH%2CEN-GB&CTMODE=MULTISESSION&ARCH=X64&BETAEDGEVER=0.0.0.0&CANEDGEVER=0.0.0.0&CDMVER=10.0.19041.1023&DEVEDGEVER=0.0.0.0&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-314559&OEMNAME=VMWARE%2C%20INC.&OEMID=PUBLIC&OSSKU=PROFESSIONAL&SCMID=PUBLIC&SMBIOSDM=VMWARE20%2C1&STABEDGEVER=117.0.2045.47&SVCMPT=RED&SVGTNG=2&SVTMEXP=1699747200&SVTMUPD=1696583123&TL=2&TSU=0&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&SVOFFERED=2&CHNL=CFD&UIT=P
Source: backgroundTaskHost.exe, 00000009.00000003.1470226638.000002AFE8148000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MVER=10.0.19041.1023&DEVEDGEVER=0.0.0.0&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-280811&OEMNAME=VMWARE%2C%20INC.&OEMID=PUBLIC&OSSKU=PROFESSIONAL&SC-MSA=7&SCMID=PUBLIC&SMBIOSDM=VMWARE20%2C1&STABEDGEVER=117.0.2045.47&SVCMPT=RED&SVGTNG=2&SVTMEXP=1699747200&SVTMUPD=1696583123&TL=2&TSU=3&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&SVOFFERED=2&CHNL=CFD&UIT=P","startTime":"2019-10-11T21:05:41","expireTime":"2035-12-31T08:00:00","reuseCount":0,"rotationPeriod":604800,"requiresNetwork":0}}
Source: backgroundTaskHost.exe, 00000009.00000003.1407875615.000002AFE8143000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OCALE=EN-CH&COUNTRY=CH&HTD=-1&LANG=4096&DEVLANG=EN&CIP=184.170.240.238&ID=10F81E789E319D42EC4AA1453D7F2A1F&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.19045.2006&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=19045&DEVOSMINBLD=2006&LOD=0&LOH=0&LO=0&RAFB=0&MARKETBASEDCOUNTRY=CH&CLR=CDM&CFMT=TEXT%2CIMAGE&SFT=JPEG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50543&CACHE_FS=25234&CACHE_SC=6&WPX=1&HPX=1&TIME=20231006T090727Z&PL=EN-CH%2CEN-GB&CTMODE=MULTISESSION&ARCH=X64&BETAEDGEVER=0.0.0.0&CANEDGEVER=0.0.0.0&CDMVER=10.0.19041.1023&DEVEDGEVER=0.0.0.0&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-314559&OEMNAME=VMWARE%2C%20INC.&OEMID=PUBLIC&OSSKU=PROFESSIONAL&SCMID=PUBLIC&SMBIOSDM=VMWARE20%2C1&STABEDGEVER=117.0.2045.47&SVCMPT=RED&SVGTNG=2&SVTMEXP=1699747200&SVTMUPD=1696583123&TL=2&TSU=0&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&SVOFFERED=2&CHNL=CFD&UIT=P\",\"reuseCount\":-1,\"requiresNetwork\":0,\"expireTime\":\"2024-10-06T09:07:27\",\"rotationPeriod\":31536000}}"}],"refreshtime":"2023-10-13T09:07:27"}}
Source: backgroundTaskHost.exe, 00000009.00000002.2024561341.000002AFE812D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: post:https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425115820&TID=700333385&CID=128000000001627409&BID=1149481079&PG=IRIS000001.0000000163&TPID=425115820&REQASID=3B90A9B8054A407A8EAD18B71029D664&ASID={ASID}&TIME={DATETIME}&SLOT=1&REQT=20231006T091019&MA_Score=2&PERSID=10F81E789E319D42EC4AA1453D7F2A1F&GLOBALDEVICEID=6825823808502225&LOuserD=w:FE1B96A2-259B-5869-454D-D5537637F7CC&DS_EVTID=205ae0e5fdae4134876b80ee2a819ec3&BCNT=1&PG=IRIS000001.0000000163&UNID=88000163&MAP_TID=4D8EEF8B-D747-4572-863A-FB39C5027AFC&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=3B90A9B8054A407A8EAD18B71029D664&REQASID=3B90A9B8054A407A8EAD18B71029D664&ARC=1&EMS=1&AUTH=1&LOCALE=EN-CH&COUNTRY=CH&HTD=-1&LANG=4096&DEVLANG=EN&CIP=184.170.240.238&ID=10F81E789E319D42EC4AA1453D7F2A1F&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.19045.2006&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=19045&DEVOSMINBLD=2006&LOD=0&LOH=0&LO=3&RAFB=0&MARKETBASEDCOUNTRY=CH&CLR=CDM&CFMT=TEXT%2CIMAGE&SFT=JPEG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50543&CACHE_FS=25234&CACHE_SC=6&WPX=1&HPX=1&TIME=20231006T091019Z&PL=EN-CH%2CEN-GB&CTMODE=MULTISESSION&ARCH=X64&BETAEDGEVER=0.0.0.0&CANEDGEVER=0.0.0.0&CDMVER=10.0.19041.1023&DEVEDGEVER=0.0.0.0&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-88000163&OEMNAME=VMWARE%2C%20INC.&OEMID=PUBLIC&OSSKU=PROFESSIONAL&SC-MSA=7&SCMID=PUBLIC&SMBIOSDM=VMWARE20%2C1&STABEDGEVER=117.0.2045.47&SVCMPT=RED&SVGTNG=2&SVTMEXP=1699747200&SVTMUPD=1696583123&TL=2&TSU=3&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&SVOFFERED=2&CHNL=CFD&UIT=PTNG=2
Source: backgroundTaskHost.exe, 00000009.00000002.2088570749.000002AFE86A8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EVER=0.0.0.0&CANEDGEVER=0.0.0.0&CDMVER=10.0.19041.1023&DEVEDGEVER=0.0.0.0&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-88000165&OEMNAME=VMWARE%2C%20INC.&OEMID=PUBLIC&OSSKU=PROFESSIONAL&SC-MSA=7&SCMID=PUBLIC&SMBIOSDM=VMWARE20%2C1&STABEDGEVER=117.0.2045.47&SVCMPT=RED&SVGTNG=2&SVTMEXP=1699747200&SVTMUPD=1696583123&TL=2&TSU=3&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&SVOFFERED=2&CHNL=CFD&UIT=P","startTime":"2019-10-11T21:05:44","p
Source: backgroundTaskHost.exe, 00000009.00000003.1485791814.000002AFE82F4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 50,"sha256":"SYpdFh81gljBPW95fSoTFLRY9W7RhYJrVdbVK53iIv4=","fileSize":4398},"backgroundColor":{"text":"transparent"}},"tracking":{"events":[{"id":"impression"},{"id":"click"},{"id":"install"},{"id":"installComplete"},{"id":"uninstall"},{"id":"conversion"},{"id":"pin"},{"id":"opportunity"}],"parameterized":[{"uri":"https://ris.api.iris.microsoft.com/v1/a/{ACTION}?pg=PC000P0FR5.0000000IQ8&unid=314559&placementType=PostOOBE&app=&pid=425681886&cid=128000000004376209&tid=700341298&reqasid=65f1831940ec4ce59e7f2a623ff57673&region=CH&lang=EN-CH&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.19041.1023&mo=&cap=&auid=&anid=&muid=&persid=10F81E789E319D42EC4AA1453D7F2A1F&itemId=9WZDNCRF0083&skuId=0010&installKind=RedirectTile&ctid=store-curated-postoobe&bSrc=i.t&asid={ASID}&time={DATETIME}"}]},"triggers":[{"action":"swapStartTile","trigger":"appTileCreated"},{"action":"swapStartTile","trigger":"appInstallComplete"},{"action":"onRender","trigger":"render","intent":"opportunity"}]}],"name":"DynamicLayouts"} prmNode: 
{"_id":"B_9P1J8S7CCWWT_9NBLGGH5R558_9WZDNCRFHVN5_9NBLGGH5L9XT_9WZDNCRF0083","startTime":"2023-07-31T22:25:16","_imp":"post:https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425681886&TID=700341298&CID=128000000004376209&BID=1359425077&PG=PC000P0FR5.0000000IQ8&TPID=425681886&REQASID=E14D79EE86654789902121065147F0F4&ASID={ASID}&TIME={DATETIME}&SLOT=2&REQT=20231006T090726&MA_Score=2&PERSID=10F81E789E319D42EC4AA1453D7F2A1F&GLOBALDEVICEID=6825823808502225&LOuserD=w:FE1B96A2-259B-5869-454D-D5537637F7CC&DS_EVTID=65f1831940ec4ce59e7f2a623ff57673&BCNT=1&PG=PC000P0FR5.0000000IQ8&UNID=314559&MAP_TID=9965740B-3904-4036-8329-14EE764FA697&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=E14D79EE86654789902121065147F0F4&REQASID=E14D79EE86654789902121065147F0F4&ARC=1&EMS=1&AUTH=1&LOCALE=EN-CH&COUNTRY=CH&HTD=-1&LANG=4096&DEVLANG=EN&CIP=184.170.240.238&ID=10F81E789E319D42EC4AA1453D7F2A1F&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.19045.2006&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=19045&DEVOSMINBLD=2006&LOD=0&LOH=0&LO=0&RAFB=0&MARKETBASEDCOUNTRY=CH&CLR=CDM&CFMT=TEXT%2CIMAGE&SFT=JPEG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50543&CACHE_FS=25234&CACHE_SC=6&WPX=1&HPX=1&TIME=20231006T090727Z&PL=EN-CH%2CEN-GB&CTMODE=MULTISESSION&ARCH=X64&BETAEDGEVER=0.0.0.0&CANEDGEVER=0.0.0.0&CDMVER=10.0.19041.1023&DEVEDGEVER=0.0.0.0&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-314559&OEMNAME=VMWARE%2C%20INC.&OEMID=PUBLIC&OSSKU=PROFESSIONAL&SCMID=PUBLIC&SMBIOSDM=VMWARE20%2C1&STABEDGEVER=117.0.2045.47&SVCMPT=RED&SVGTNG=2&SVTMEXP=1699747200&SVTMUPD=1696583123&TL=2&TSU=0&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&SVOFFERED=2&CHNL=CFD&UIT=P","reuseCount":-1,"requiresNetwork":0,"expireTime":"2024-10-06T09:07:27","rotationPeriod":31536000} CreativeId: 1696583249`B_9P1J8S7CCWWT_9NBLGGH5R558
Source: RuntimeBroker.exe, 0000000A.00000003.2009328102.000002C485475000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}P
Source: backgroundTaskHost.exe, 00000009.00000003.1523078262.000002AFE816C000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000009.00000002.2031758797.000002AFE81B5000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 0000000E.00000002.2529286189.00000000030E8000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000011.00000003.1942737472.0000011FD15EB000.00000004.00000020.00020000.00000000.sdmp, BackgroundTransferHost.exe, 00000018.00000002.2047178768.0000023E32C57000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000001C.00000002.2514176700.0000014F5FC0C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: backgroundTaskHost.exe, 00000009.00000003.1411364307.000002AFE810C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: post:https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425681888&TID=700342084&CID=128000000004376189&BID=1193781875&PG=PC000P0FR5.0000000IQ8&TPID=425681888&REQASID=E14D79EE86654789902121065147F0F4&ASID={ASID}&TIME={DATETIME}&SLOT=1&REQT=20231006T090726&MA_Score=2&PERSID=10F81E789E319D42EC4AA1453D7F2A1F&GLOBALDEVICEID=6825823808502225&LOuserD=w:FE1B96A2-259B-5869-454D-D5537637F7CC&DS_EVTID=2eacf0775d9c4c4db4b286210a11d809&BCNT=1&PG=PC000P0FR5.0000000IQ8&UNID=314559&MAP_TID=9965740B-3904-4036-8329-14EE764FA697&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=E14D79EE86654789902121065147F0F4&REQASID=E14D79EE86654789902121065147F0F4&ARC=1&EMS=1&AUTH=1&LOCALE=EN-CH&COUNTRY=CH&HTD=-1&LANG=4096&DEVLANG=EN&CIP=184.170.240.238&ID=10F81E789E319D42EC4AA1453D7F2A1F&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.19045.2006&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=19045&DEVOSMINBLD=2006&LOD=0&LOH=0&LO=0&RAFB=0&MARKETBASEDCOUNTRY=CH&CLR=CDM&CFMT=TEXT%2CIMAGE&SFT=JPEG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50543&CACHE_FS=25234&CACHE_SC=6&WPX=1&HPX=1&TIME=20231006T090727Z&PL=EN-CH%2CEN-GB&CTMODE=MULTISESSION&ARCH=X64&BETAEDGEVER=0.0.0.0&CANEDGEVER=0.0.0.0&CDMVER=10.0.19041.1023&DEVEDGEVER=0.0.0.0&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-314559&OEMNAME=VMWARE%2C%20INC.&OEMID=PUBLIC&OSSKU=PROFESSIONAL&SCMID=PUBLIC&SMBIOSDM=VMWARE20%2C1&STABEDGEVER=117.0.2045.47&SVCMPT=RED&SVGTNG=2&SVTMEXP=1699747200&SVTMUPD=1696583123&TL=2&TSU=0&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&SVOFFERED=2&CHNL=CFD&UIT=PFa
Source: backgroundTaskHost.exe, 00000009.00000003.1504609231.000002AFE826C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: post:https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425115820&TID=700333385&CID=128000000001627409&BID=1149481079&PG=IRIS000001.0000000163&TPID=425115820&REQASID=3B90A9B8054A407A8EAD18B71029D664&ASID={ASID}&TIME={DATETIME}&SLOT=1&REQT=20231006T091019&MA_Score=2&PERSID=10F81E789E319D42EC4AA1453D7F2A1F&GLOBALDEVICEID=6825823808502225&LOuserD=w:FE1B96A2-259B-5869-454D-D5537637F7CC&DS_EVTID=205ae0e5fdae4134876b80ee2a819ec3&BCNT=1&PG=IRIS000001.0000000163&UNID=88000163&MAP_TID=4D8EEF8B-D747-4572-863A-FB39C5027AFC&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=3B90A9B8054A407A8EAD18B71029D664&REQASID=3B90A9B8054A407A8EAD18B71029D664&ARC=1&EMS=1&AUTH=1&LOCALE=EN-CH&COUNTRY=CH&HTD=-1&LANG=4096&DEVLANG=EN&CIP=184.170.240.238&ID=10F81E789E319D42EC4AA1453D7F2A1F&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.19045.2006&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=19045&DEVOSMINBLD=2006&LOD=0&LOH=0&LO=3&RAFB=0&MARKETBASEDCOUNTRY=CH&CLR=CDM&CFMT=TEXT%2CIMAGE&SFT=JPEG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50543&CACHE_FS=25234&CACHE_SC=6&WPX=1&HPX=1&TIME=20231006T091019Z&PL=EN-CH%2CEN-GB&CTMODE=MULTISESSION&ARCH=X64&BETAEDGEVER=0.0.0.0&CANEDGEVER=0.0.0.0&CDMVER=10.0.19041.1023&DEVEDGEVER=0.0.0.0&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-88000163&OEMNAME=VMWARE%2C%20INC.&OEMID=PUBLIC&OSSKU=PROFESSIONAL&SC-MSA=7&SCMID=PUBLIC&SMBIOSDM=VMWARE20%2C1&STABEDGEVER=117.0.2045.47&SVCMPT=RED&SVGTNG=2&SVTMEXP=1699747200&SVTMUPD=1696583123&TL=2&TSU=3&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&SVOFFERED=2&CHNL=CFD&UIT=PC7&A
Source: backgroundTaskHost.exe, 00000009.00000003.1504609231.000002AFE8298000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rameterized":[{"uri":"https://ris.api.iris.microsoft.com/v1/a/{ACTION}?pg=PC000P0FR5.0000000IQ8&unid=314559&placementType=PostOOBE&app=&pid=425681886&cid=128000000004376209&tid=700341298&reqasid=65f1831940ec4ce59e7f2a623ff57673&region=CH&lang=EN-CH&oem=&devFam=WINDOWS.DESKTOP&ossku=PROFESSIONAL&cmdVer=10.0.19041.1023&mo=&cap=&auid=&anid=&muid=&persid=10F81E789E319D42EC4AA1453D7F2A1F&itemId=9WZDNCRF0083&skuId=0010&installKind=RedirectTile&ctid=store-curated-postoobe&bSrc=i.t&asid={ASID}&time={DATETIME}"}]},"triggers":[{"action":"swapStartTile","trigger":"appTileCreated"},{"action":"swapStartTile","trigger":"appInstallComplete"},{"action":"onRender","trigger":"render","intent":"opportunity"}]}],"name":"DynamicLayouts"}"trigger":"render","intent":"opportunity"}]}],"name":"DynamicLayouts"},"prm":{"_id":"B_9P1J8S7CCWWT_9NBLGGH5R558_9WZDNCRFHVN5_9NBLGGH5L9XT_9WZDNCRF0083","startTime":"2023-07-31T22:25:16","_imp":"post:https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425681886&TID=700341298&CID=128000000004376209&BID=1359425077&PG=PC000P0FR5.0000000IQ8&TPID=425681886&REQASID=E14D79EE86654789902121065147F0F4&ASID={ASID}&TIME={DATETIME}&SLOT=2&REQT=20231006T090726&MA_Score=2&PERSID=10F81E789E319D42EC4AA1453D7F2A1F&GLOBALDEVICEID=6825823808502225&LOuserD=w:FE1B96A2-259B-5869-454D-D5537637F7CC&DS_EVTID=65f1831940ec4ce59e7f2a623ff57673&BCNT=1&PG=PC000P0FR5.0000000IQ8&UNID=314559&MAP_TID=9965740B-3904-4036-8329-14EE764FA697&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=E14D79EE86654789902121065147F0F4&REQASID=E14D79EE86654789902121065147F0F4&ARC=1&EMS=1&AUTH=1&LOCALE=EN-CH&COUNTRY=CH&HTD=-1&LANG=4096&DEVLANG=EN&CIP=184.170.240.238&ID=10F81E789E319D42EC4AA1453D7F2A1F&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.19045.2006&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=19045&DEVOSMINBLD=2006&LOD=0&LOH=0&LO=0&RAFB=0&MARKETBASEDCOUNTRY=CH&CLR=CDM&CFMT=TEXT%2CIMAGE&SFT=JPEG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50543&CACHE_FS=25234&CACHE_SC=6&WPX=1&HPX=1&TIME=20231006T090727Z&PL=EN-CH%2CEN-GB&CTMODE=MULTISESSION&ARCH=X64&BETAEDGEVER=0.0.0.0&CANEDGEVER=0.0.0.0&CDMVER=10.0.19041.1023&DEVEDGEVER=0.0.0.0&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-314559&OEMNAME=VMWARE%2C%20INC.&OEMID=PUBLIC&OSSKU=PROFESSIONAL&SCMID=PUBLIC&SMBIOSDM=VMWARE20%2C1&STABEDGEVER=117.0.2045.47&SVCMPT=RED&SVGTNG=2&SVTMEXP=1699747200&SVTMUPD=1696583123&TL=2&TSU=0&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&SVOFFERED=2&CHNL=CFD&UIT=P","reuseCount":-1,"requiresNetwork":0,"expireTime":"2024-10-06T09:07:27","rotationPeriod":31536000}}={ASID}&time={DATETIME}"}]},"triggers":[{"action":"swapStartTile","trigger":"appTileCreated"},{"action":"swapStartTile","trigger":"appInstallComplete"},{"action":"onRender","trigger":"render","intent":"opportunity"}],"itemAppInstallState":"notInstalled","state":{"shouldDisplay
Source: backgroundTaskHost.exe, 00000009.00000003.1411364307.000002AFE810C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: {"_id":"B_9P1J8S7CCWWT_9NBLGGH5R558_9WZDNCRFHVN5_9NBLGGH5L9XT_9WZDNCRF0083","startTime":"2023-07-31T22:25:16","_imp":"post:https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425681886&TID=700341298&CID=128000000004376209&BID=1359425077&PG=PC000P0FR5.0000000IQ8&TPID=425681886&REQASID=E14D79EE86654789902121065147F0F4&ASID={ASID}&TIME={DATETIME}&SLOT=2&REQT=20231006T090726&MA_Score=2&PERSID=10F81E789E319D42EC4AA1453D7F2A1F&GLOBALDEVICEID=6825823808502225&LOuserD=w:FE1B96A2-259B-5869-454D-D5537637F7CC&DS_EVTID=65f1831940ec4ce59e7f2a623ff57673&BCNT=1&PG=PC000P0FR5.0000000IQ8&UNID=314559&MAP_TID=9965740B-3904-4036-8329-14EE764FA697&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=E14D79EE86654789902121065147F0F4&REQASID=E14D79EE86654789902121065147F0F4&ARC=1&EMS=1&AUTH=1&LOCALE=EN-CH&COUNTRY=CH&HTD=-1&LANG=4096&DEVLANG=EN&CIP=184.170.240.238&ID=10F81E789E319D42EC4AA1453D7F2A1F&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.19045.2006&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=19045&DEVOSMINBLD=2006&LOD=0&LOH=0&LO=0&RAFB=0&MARKETBASEDCOUNTRY=CH&CLR=CDM&CFMT=TEXT%2CIMAGE&SFT=JPEG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50543&CACHE_FS=25234&CACHE_SC=6&WPX=1&HPX=1&TIME=20231006T090727Z&PL=EN-CH%2CEN-GB&CTMODE=MULTISESSION&ARCH=X64&BETAEDGEVER=0.0.0.0&CANEDGEVER=0.0.0.0&CDMVER=10.0.19041.1023&DEVEDGEVER=0.0.0.0&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-314559&OEMNAME=VMWARE%2C%20INC.&OEMID=PUBLIC&OSSKU=PROFESSIONAL&SCMID=PUBLIC&SMBIOSDM=VMWARE20%2C1&STABEDGEVER=117.0.2045.47&SVCMPT=RED&SVGTNG=2&SVTMEXP=1699747200&SVTMUPD=1696583123&TL=2&TSU=0&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&SVOFFERED=2&CHNL=CFD&UIT=P","reuseCount":-1,"requiresNetwork":0,"expireTime":"2024-10-06T09:07:27","rotationPeriod":31536000}
Source: backgroundTaskHost.exe, 00000009.00000003.1536723660.000002AFE8299000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WPX=1&HPX=1&TIME=20231006T090727Z&PL=EN-CH%2CEN-GB&CTMODE=MULTISESSION&ARCH=X64&BETAEDGEVER=0.0.0.0&CANEDGEVER=0.0.0.0&CDMVER=10.0.19041.1023&DEVEDGEVER=0.0.0.0&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-314559&OEMNAME=VMWARE%2C%20INC.&OEMID=PUBLIC&OSSKU=PROFESSIONAL&SCMID=PUBLIC&SMBIOSDM=VMWARE20%2C1&STABEDGEVER=117.0.2045.47&SVCMPT=RED&SVGTNG=2&SVTMEXP=1699747200&SVTMUPD=1696583123&TL=2&TSU=0&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&SVOFFERED=2&CHNL=CFD&UIT=P","reuseCount":-1,"requiresNetwork":0,"expireTime":"2024-10-06T09:07:27","rotationPeriod":31536000}}S
Source: svchost.exe, 00000008.00000000.1364824351.000001E71F438000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @vmicheartbeat
Source: backgroundTaskHost.exe, 00000009.00000003.1470226638.000002AFE811C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: post:https://arc.msn.com/v3/Delivery/Events/Impression=&PID=425116119&TID=700333391&CID=128000000001627409&BID=361376621&PG=IRIS000001.0000000165&TPID=425116119&REQASID=0E43F0B737E9431FA6B21006BD17954F&ASID={ASID}&TIME={DATETIME}&SLOT=1&REQT=20231006T091020&MA_Score=2&PERSID=10F81E789E319D42EC4AA1453D7F2A1F&GLOBALDEVICEID=6825823808502225&LOuserD=w:FE1B96A2-259B-5869-454D-D5537637F7CC&DS_EVTID=af267b8d26f84aa785349cbf1df5d33a&BCNT=1&PG=IRIS000001.0000000165&UNID=88000165&MAP_TID=1990AA59-C18C-4E6E-AE46-2711852A95FC&NCT=1&PN=DA63DF93-3DBC-42AE-A505-B34988683AC7&ASID=0E43F0B737E9431FA6B21006BD17954F&REQASID=0E43F0B737E9431FA6B21006BD17954F&ARC=1&EMS=1&AUTH=1&LOCALE=EN-CH&COUNTRY=CH&HTD=-1&LANG=4096&DEVLANG=EN&CIP=184.170.240.238&ID=10F81E789E319D42EC4AA1453D7F2A1F&OPTOUTSTATE=256&HTTPS=1&PRODID=00000000-0000-0000-0000-000000000000&DVTP=2&DEVOSVER=10.0.19045.2006&DEVOSMAJ=10&DEVOSMIN=0&DEVOSBLD=19045&DEVOSMINBLD=2006&LOD=0&LOH=0&LO=3&RAFB=0&MARKETBASEDCOUNTRY=CH&CLR=CDM&CFMT=TEXT%2CIMAGE&SFT=JPEG%2CPNG%2CGIF%2CJPG&H=1&W=1&TP=1&FESVER=1.3&CACHE_CHS=0&CACHE_IMP=0&CACHE_CHF=0&CACHE_DS=50543&CACHE_FS=25234&CACHE_SC=6&WPX=1&HPX=1&TIME=20231006T091020Z&PL=EN-CH%2CEN-GB&CTMODE=MULTISESSION&ARCH=X64&BETAEDGEVER=0.0.0.0&CANEDGEVER=0.0.0.0&CDMVER=10.0.19041.1023&DEVEDGEVER=0.0.0.0&DEVFAM=WINDOWS.DESKTOP&DEVFORM=UNKNOWN&DISPHORZRES=1280&DISPSIZE=17.1&DISPVERTRES=1024&ISU=0&METERED=FALSE&NETTYPE=ETHERNET&NPID=SC-88000165&OEMNAME=VMWARE%2C%20INC.&OEMID=PUBLIC&OSSKU=PROFESSIONAL&SC-MSA=7&SCMID=PUBLIC&SMBIOSDM=VMWARE20%2C1&STABEDGEVER=117.0.2045.47&SVCMPT=RED&SVGTNG=2&SVTMEXP=1699747200&SVTMUPD=1696583123&TL=2&TSU=3&WAASBLDFLT=1&WAASCFGEXP=1&WAASCFGSET=1&WAASRETAIL=1&WAASRING=&SVOFFERED=2&CHNL=CFD&UIT=P
Source: C:\Program Files (x86)\Common Files\System\douyin.exe | API call chain: ExitProcess graph end node | graph_12-21928
Source: C:\Program Files (x86)\Common Files\System\douyin.exe | API call chain: ExitProcess graph end node | graph_12-23150
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\svchost.exe | Process queried: DebugPort
Source: C:\Windows\System32\svchost.exe | Process queried: DebugPort
Source: C:\Windows\System32\svchost.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Code function: 0_2_00007FFF238D2810 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FFF238D2810
Source: C:\Program Files (x86)\Common Files\System\douyin.exe | Code function: 12_2_6CE66732 InterlockedIncrement,__itow_s,__invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__errno,__errno,__strftime_l,__errno,__invoke_watson_if_oneof,__errno,_wcscpy_s,__invoke_watson_if_error,_wcscpy_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,__errno,__errno,__errno,__invoke_watson_if_oneof,__errno,_wcscpy_s,__invoke_watson_if_error,__cftoe,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,GetFileType,_wcslen,WriteConsoleW,GetLastError,__cftoe,__invoke_watson_if_oneof,_wcslen,WriteFile,WriteFile,OutputDebugStringW,__itow_s,__invoke_watson_if_error,Process32NextW,12_2_6CE66732
Source: C:\Program Files (x86)\Common Files\System\douyin.exe | Code function: 12_2_6CE6FEA0 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,12_2_6CE6FEA0
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Code function: 0_2_00007FFF238D4AB0 TlsGetValue,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,TlsSetValue,GetProcessHeap,HeapFree,0_2_00007FFF238D4AB0
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Process token adjusted: Debug
Source: C:\Windows\System32\svchost.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Code function: 0_2_00007FFF238D2810 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FFF238D2810
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Code function: 0_2_00007FFF238D2554 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FFF238D2554
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Code function: 0_2_00007FFF238D9918 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FFF238D9918
Source: C:\Program Files (x86)\Common Files\System\douyin.exe | Code function: 12_2_6CE581A0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_6CE581A0
Source: C:\Program Files (x86)\Common Files\System\douyin.exe | Code function: 12_2_6CE57350 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_6CE57350
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1E7202F0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1E720320000 protect: page read and write
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1E720330000 protect: page read and write
Source: C:\Program Files (x86)\Common Files\System\douyin.exe | Memory allocated: C:\Windows\SysWOW64\nslookup.exe base: 3220000 protect: page execute and read and write
Source: C:\Program Files (x86)\Common Files\System\douyin.exe | Code function: 12_2_6CE51C17 _memset,CreateProcessW,GetLastError,WaitForSingleObject,new,CloseHandle,CloseHandle,CloseHandle,std::_Lockit::_Lockit,std::_Lockit::~_Lockit,delete,std::ios_base::_Ios_base_dtor,LoadLibraryW,CloseHandle,CloseHandle,CloseHandle,std::_Lockit::_Lockit,std::_Lockit::~_Lockit,delete,GetProcAddress,FreeLibrary,CloseHandle,CloseHandle,CloseHandle,std::_Lockit::_Lockit,std::_Lockit::~_Lockit,delete,VirtualAllocEx,FreeLibrary,CloseHandle,CloseHandle,CloseHandle,std::_Lockit::_Lockit,std::_Lockit::~_Lockit,delete,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,FreeLibrary,std::_Lockit::_Lockit,std::_Lockit::~_Lockit,delete,std::exception::exception,__CxxThrowException@8,12_2_6CE51C17
Source: C:\Program Files (x86)\Common Files\System\douyin.exe | Thread created: C:\Windows\SysWOW64\nslookup.exe EIP: 3220000
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E7202F0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E7202F0000
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E720320000
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E720330000
Source: C:\Program Files (x86)\Common Files\System\douyin.exe | Memory written: C:\Windows\SysWOW64\nslookup.exe base: 3220000
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Process created: C:\Program Files (x86)\Common Files\System\douyin.exe "C:\Program Files (x86)\Common Files\System\douyin.exe"
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\backgroundTaskHost.exe "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe "C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe" -ServerName:Microsoft.ZuneMusic.AppX48dcrcgzqqdshm3kf61t0cm5e9pyd6h6.mca
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXr6cxj2m7qt53ysmsgy75gtey09djqa6k.mca
Source: RuntimeBroker.exe, 0000000A.00000003.1391617626.000002C482EC2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: cpShowColorGroupButtonSharePointViewDivWindowShellFileSearchControlubATL Shell EmbeddingUserEventWindowProgmanWOACnslFontPreviewLink Window
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Code function: 0_2_00007FFF238F8E20 cpuid 0_2_00007FFF238F8E20
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Code function: GetLocaleInfoW,0_2_00007FFF238F3340
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00007FFF238F3290
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Code function: GetLocaleInfoW,0_2_00007FFF238F3138
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Code function: GetLocaleInfoW,0_2_00007FFF238EC17C
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00007FFF238F3474
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,0_2_00007FFF238F2A2C
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Code function: GetLocaleInfoEx,0_2_00007FFF238D0FF0
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00007FFF238F2EF0
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Code function: EnumSystemLocalesW,0_2_00007FFF238F2E58
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Code function: EnumSystemLocalesW,0_2_00007FFF238F2D88
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Code function: EnumSystemLocalesW,0_2_00007FFF238EBC3C
Source: C:\Program Files (x86)\Common Files\System\douyin.exe | Code function: __crtGetLocaleInfoA_stat,_LocaleUpdate::~_LocaleUpdate,12_2_6CE74CD0
Source: C:\Program Files (x86)\Common Files\System\douyin.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__nh_malloc_dbg,___crtGetLocaleInfoA,__nh_malloc_dbg,_strncpy_s,__invoke_watson_if_error,GetLocaleInfoW,__nh_malloc_dbg,GetLocaleInfoW,GetLocaleInfoW,12_2_6CE68C40
Source: C:\Program Files (x86)\Common Files\System\douyin.exe | Code function: __nh_malloc_dbg,__malloc_dbg,__malloc_dbg,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_fix_grouping,InterlockedDecrement,InterlockedDecrement,12_2_6CE6BD60
Source: C:\Program Files (x86)\Common Files\System\douyin.exe | Code function: _LcidFromHexString,GetLocaleInfoA,__stricmp,_TestDefaultCountry,12_2_6CE6E570
Source: C:\Program Files (x86)\Common Files\System\douyin.exe | Code function: _strlen,EnumSystemLocalesA,12_2_6CE6E520
Source: C:\Program Files (x86)\Common Files\System\douyin.exe | Code function: GetLocaleInfoW,_malloc,__MarkAllocaS,GetLocaleInfoW,WideCharToMultiByte,WideCharToMultiByte,__freea,12_2_6CE74D20
Source: C:\Program Files (x86)\Common Files\System\douyin.exe | Code function: _LcidFromHexString,GetLocaleInfoA,__stricmp,GetLocaleInfoA,__stricmp,__strnicmp,_strlen,_TestDefaultCountry,GetLocaleInfoA,__stricmp,_strlen,_TestDefaultLanguage,__stricmp,_TestDefaultLanguage,12_2_6CE6DEC0
Source: C:\Program Files (x86)\Common Files\System\douyin.exe | Code function: GetLocaleInfoW,GetACP,GetLocaleInfoW,12_2_6CE6E6B0
Source: C:\Program Files (x86)\Common Files\System\douyin.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,12_2_6CE6DE00
Source: C:\Program Files (x86)\Common Files\System\douyin.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,12_2_6CE6E7B0
Source: C:\Program Files (x86)\Common Files\System\douyin.exe | Code function: ___getlocaleinfo,__malloc_dbg,__nh_malloc_dbg,__nh_malloc_dbg,__nh_malloc_dbg,__nh_malloc_dbg,GetCPInfo,___crtLCMapStringW,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,InterlockedDecrement,12_2_6CE5F770
Source: C:\Program Files (x86)\Common Files\System\douyin.exe | Code function: __nh_malloc_dbg,__malloc_dbg,__malloc_dbg,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_fix_grouping,InterlockedDecrement,InterlockedDecrement,12_2_6CE6C140
Source: C:\Program Files (x86)\Common Files\System\douyin.exe | Code function: _GetLcidFromDefault,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,_GetLcidFromDefault,_ProcessCodePage,IsValidCodePage,IsValidLocale,_wcscpy_s,__invoke_watson_if_error,GetLocaleInfoA,GetLocaleInfoA,__itow_s,12_2_6CE6DAC0
Source: C:\Program Files (x86)\Common Files\System\douyin.exe | Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,12_2_6CE6AAB0
Source: C:\Program Files (x86)\Common Files\System\douyin.exe | Code function: _LcidFromHexString,GetLocaleInfoA,__stricmp,_TestDefaultLanguage,__stricmp,_TestDefaultLanguage,12_2_6CE6E380
Source: C:\Program Files (x86)\Common Files\System\douyin.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,12_2_6CE6E300
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Queries volume information: C:\Users\user\Desktop\LEC3KQZZqZ.exe VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\314559\5568940dcb8142b592c703356f6c2bfa_2 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\314559\92c9f215516f479ba38311a3fb26c60b_2 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338389\1739644458 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338387\1739644459 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\1739644459 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\280815\1739644459 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\a7a99e2e2fabf0113cde99cb05a8fa0da15e4b2186318ca7b062b99b0b6600c1 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\72e68889bc448c25b739361b79467a3302e132b017a5b650b8b02e541859887e VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\9fae976a24d3c81653af2722976b7c7b5a1e852dcb314a1a8883827f5888cfb5 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\c80fef782de1ef5b7cc6762e6c9ce6d7ddd3627e83b4d0d52dee0ac4db544d33 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\f64b47027e6fdec549d7b5c49c2ec17937e7ff621235f81a14d59d8e52746889 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\174d9f11476d28a97068102f6d175c5f2bec2aa8042b532501837142d2d6c04c VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\MobilityExperience\ImageCache VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\Favicons VolumeInformation
Source: C:\Windows\System32\RuntimeBroker.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edbtmp.log VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edbres00001.jrs VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.log VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.chk VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.jfm VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.edb VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\tmp.edb VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\SegMVR2.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\SRPData.xml VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\DiagOutputDir VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\DiagOutputDir\CriticalError_playbackTrace_1742582040.txt VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\backstack.json VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338388 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338388\2ffff3f4ae064050ad0c09ebfb5e766f_1 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\280815 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\280815\4203a2a297f74399b50e1c7e24d93c47_1 VolumeInformation
Source: C:\Windows\System32\backgroundTaskHost.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\88000045\1739644512 VolumeInformation
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Code function: 0_2_00007FFF238D2958 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FFF238D2958
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Code function: 0_2_00007FFF238EE80C _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,0_2_00007FFF238EE80C
Source: C:\Users\user\Desktop\LEC3KQZZqZ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: sscronet.dll.0.dr | Binary or memory string: 360Safe.exe
Source: backgroundTaskHost.exe, 0000001C.00000003.2193830267.0000014F5FC54000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \BullGuard Ltd\BullGuard\BullGuard.exe
Source: sscronet.dll.0.dr | Binary or memory string: 360tray.exe
Source: sscronet.dll.0.dr | Binary or memory string: 360Tray.exe
MITRE ATT&CK Matrix (the number in parentheses is the count of matching signatures for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Native API (1) | Registry Run Keys / Startup Folder (1) | Process Injection (612) | Masquerading (2) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Encrypted Channel (11) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | DLL Side-Loading (1) | Registry Run Keys / Startup Folder (1) | Modify Registry (1) | LSASS Memory | Security Software Discovery (161) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | DLL Side-Loading (1) | Disable or Modify Tools (1) | Security Account Manager | Virtualization/Sandbox Evasion (51) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Virtualization/Sandbox Evasion (51) | NTDS | Process Discovery (3) | Distributed Component Object Model | Input Capture | Application Layer Protocol (3) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Process Injection (612) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Deobfuscate/Decode Files or Information (1) | Cached Domain Credentials | System Network Configuration Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Obfuscated Files or Information (2) | DCSync | File and Directory Discovery (3) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Rundll32 (1) | Proc Filesystem | System Information Discovery (44) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | DLL Side-Loading (1) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph (ID: 1615970, Sample: LEC3KQZZqZ, Startdate: 15/02/2025, Architecture: WINDOWS, Score: 100). Top-level signatures: Malicious sample detected (through community Yara rule), Antivirus detection for URL or domain, Multi AV Scanner detection for dropped file, and 4 other signatures. Contacted domains: www40sada-1328031368.cos.ap-guangzhou.myqcloud.com, get22222222asfas-1328031368.cos.ap-chengdu.myqcloud.com, and 9 other IPs or domains.
LEC3KQZZqZ.exe (started): resolves 1.1.1.1.in-addr.arpa; connects to gz.file.myqcloud.com (159.75.57.69, 443, TELE2EU, China) and cd.file.myqcloud.com (183.66.100.32, 443, CHINATELECOM-CHONGQING-IDCChongqingTelecomCN, China); drops C:\Program Files (x86)\...\tier0.dll (PE32), C:\Program Files (x86)\...\sscronet.dll (PE32+) and C:\Program Files (x86)\...\douyin.exe (PE32); signatures: Writes to foreign memory regions, Allocates memory in foreign processes, Injects a PE file into a foreign processes.
  -> douyin.exe (started); signatures: Uses nslookup.exe to query domains, Writes to foreign memory regions, Allocates memory in foreign processes, Creates a thread in another existing process (thread injection).
     -> nslookup.exe (started) -> conhost.exe (started)
     -> conhost.exe (started)
  -> svchost.exe (injected)
     -> Music.UI.exe (started): connects to e87.dspb.akamaiedge.net (2.23.244.9, 443, QA-ISPQA, European Union)
     -> RuntimeBroker.exe (started), backgroundTaskHost.exe (started), and 12 other processes
