ryuk | d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d

Analysis

max time kernel
164s
max time network
215s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
20-02-2022 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
Size

201KB
MD5

8fb17e62abc491dc6f8e9630d73d935d
SHA1

ed0b184eb9b1e2a8b9f95b79cfcd691d2a4f4084
SHA256

d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d
SHA512

ee075b4a368175c773f400424b97e57de84e37d5858e4c938edd6df9cb6e4917f7fdc0a83df3fdf253fe0401f50cc702d307cf33d05898414796fb36f077039e

Score

10^/10

ryuk persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 1 IoCs

Processes:

WyEFFCr.exe

pid process

760 WyEFFCr.exe

pid	process
760	WyEFFCr.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exeWyEFFCr.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	WyEFFCr.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WyEFFCr.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Windows\\system32\\sihost.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4880 2760 WerFault.exe DllHost.exe

pid	pid_target	process	target process
4880	2760	WerFault.exe	DllHost.exe

Modifies registry class 52 IoCs

Processes:

RuntimeBroker.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\19a48a5a-e874-4f6d- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\19a48a5a-e874-4f6d- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\29c2a255f2ef76869750647900b99eade8d34407b40cc49286f33a67e174c15b"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38058717-9b0b-438c-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bb3c2eec-5e32-4416- = 552a93a50426d801	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a518d21f-d1b9-4cf0- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000003ab392a50426d8013ab392a50426d8013ab392a50426d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000545455162000323236663639386464356465663165353366313438383361363164643230303061323538316165653735373635613466333161396163376431393863313437340000b20009000400efbe54545516545455162e00000000000000000000000000000000000000000000000000c639c600320032003600660036003900380064006400350064006500660031006500350033006600310034003800380033006100360031006400640032003000300030006100320035003800310061006500650037003500370036003500610034006600330031006100390061006300370064003100390038006300310034003700340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000e8c65d001000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c32323666363938646435646566316535336631343838336136316464323030306132353831616565373537363561346633316139616337643139386331343734000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d60092324a9083ec1182d0de744127ba9bbad9b5dc40371b4eb595e9fc647d27d60092324a9083ec1182d0de744127ba9bce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ecf81cef-ab64-4e5e- = d859a4a40426d801	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ecf81cef-ab64-4e5e- = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bb3c2eec-5e32-4416- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bb3c2eec-5e32-4416- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000588c8ba50426d801588c8ba50426d801588c8ba50426d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000545455162000326263626631306562626239393162383563353462336264356636623262643937333335393166366233663365356565306639656630313462656666623533650000b20009000400efbe54545516545455162e00000000000000000000000000000000000000000000000000a860cd00320062006300620066003100300065006200620062003900390031006200380035006300350034006200330062006400350066003600620032006200640039003700330033003500390031006600360062003300660033006500350065006500300066003900650066003000310034006200650066006600620035003300650000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000e8c65d001000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c32626362663130656262623939316238356335346233626435663662326264393733333539316636623366336535656530663965663031346265666662353365000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d6ff91324a9083ec1182d0de744127ba9bbad9b5dc40371b4eb595e9fc647d27d6ff91324a9083ec1182d0de744127ba9bce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a518d21f-d1b9-4cf0- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\226f698dd5def1e53f14883a61dd2000a2581aee75765a4f31a9ac7d198c1474"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\19a48a5a-e874-4f6d- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000aec5a5a50426d801aec5a5a50426d801aec5a5a50426d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000545455162000323963326132353566326566373638363937353036343739303062393965616465386433343430376234306363343932383666333361363765313734633135620000b20009000400efbe54545516545455162e000000000000000000000000000000000000000000000000005227b300320039006300320061003200350035006600320065006600370036003800360039003700350030003600340037003900300030006200390039006500610064006500380064003300340034003000370062003400300063006300340039003200380036006600330033006100360037006500310037003400630031003500620000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000e8c65d001000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c32396332613235356632656637363836393735303634373930306239396561646538643334343037623430636334393238366633336136376531373463313562000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d60192324a9083ec1182d0de744127ba9bbad9b5dc40371b4eb595e9fc647d27d60192324a9083ec1182d0de744127ba9bce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38058717-9b0b-438c-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bb3c2eec-5e32-4416-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bb3c2eec-5e32-4416-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bb3c2eec-5e32-4416- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\2bcbf10ebbb991b85c54b3bd5f6b2bd9733591f6b3f3e5ee0f9ef014beffb53e"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a518d21f-d1b9-4cf0- = 79ec9aa50426d801	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7e27d621-3bc4-48e9-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7e27d621-3bc4-48e9- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\cc4bb5cee802c84fcb2a576bf16ef1a6bf5f7c5389d3cae94bd254cc6d9f4cf4"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bdffc98e-42c9-4f6c-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ecf81cef-ab64-4e5e- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000eebf9aa40426d801eebf9aa40426d801eebf9aa40426d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000545454162000656466396666303732643766313661613634373436633738306633323235396363323963306662313163613561663532316534633666363532343839353061640000b20009000400efbe54545416545454162e0000000000000000000000000000000000000000000000000012008d00650064006600390066006600300037003200640037006600310036006100610036003400370034003600630037003800300066003300320032003500390063006300320039006300300066006200310031006300610035006100660035003200310065003400630036006600360035003200340038003900350030006100640000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000e8c65d001000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c65646639666630373264376631366161363437343663373830663332323539636332396330666231316361356166353231653463366636353234383935306164000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d6fd91324a9083ec1182d0de744127ba9bbad9b5dc40371b4eb595e9fc647d27d6fd91324a9083ec1182d0de744127ba9bce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7e27d621-3bc4-48e9- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7e27d621-3bc4-48e9- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000df50afa50426d801df50afa50426d801df50afa50426d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000545455162000636334626235636565383032633834666362326135373662663136656631613662663566376335333839643363616539346264323534636336643966346366340000b20009000400efbe54545516545455162e00000000000000000000000000000000000000000000000000219ca900630063003400620062003500630065006500380030003200630038003400660063006200320061003500370036006200660031003600650066003100610036006200660035006600370063003500330038003900640033006300610065003900340062006400320035003400630063003600640039006600340063006600340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000e8c65d001000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c63633462623563656538303263383466636232613537366266313665663161366266356637633533383964336361653934626432353463633664396634636634000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d60292324a9083ec1182d0de744127ba9bbad9b5dc40371b4eb595e9fc647d27d60292324a9083ec1182d0de744127ba9bce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ecf81cef-ab64-4e5e- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a518d21f-d1b9-4cf0-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a518d21f-d1b9-4cf0- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\19a48a5a-e874-4f6d- = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\19a48a5a-e874-4f6d- = "0"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\16ebde02-59ab-42ce-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ecf81cef-ab64-4e5e-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\19a48a5a-e874-4f6d-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38058717-9b0b-438c- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\20c8d20f07502d808e33233d94a199a641642e56266500e5e90258e50762148a"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38058717-9b0b-438c- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38058717-9b0b-438c- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000006d00dfa50426d8016d00dfa50426d8016d00dfa50426d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000545455162000323063386432306630373530326438303865333332333364393461313939613634313634326535363236363530306535653930323538653530373632313438610000b20009000400efbe54545516545455162e0000000000000000000000000000000000000000000000000093ec7900320030006300380064003200300066003000370035003000320064003800300038006500330033003200330033006400390034006100310039003900610036003400310036003400320065003500360032003600360035003000300065003500650039003000320035003800650035003000370036003200310034003800610000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000e8c65d001000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c32306338643230663037353032643830386533333233336439346131393961363431363432653536323636353030653565393032353865353037363231343861000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d60392324a9083ec1182d0de744127ba9bbad9b5dc40371b4eb595e9fc647d27d60392324a9083ec1182d0de744127ba9bce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ecf81cef-ab64-4e5e- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\edf9ff072d7f16aa64746c780f32259cc29c0fb11ca5af521e4c6f65248950ad"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bb3c2eec-5e32-4416- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7e27d621-3bc4-48e9- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7e27d621-3bc4-48e9- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\19a48a5a-e874-4f6d-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7e27d621-3bc4-48e9- = 7243bfa50426d801	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38058717-9b0b-438c- = 0bcdeda50426d801	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bb3c2eec-5e32-4416- = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\19a48a5a-e874-4f6d- = 66baada50426d801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a518d21f-d1b9-4cf0-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a518d21f-d1b9-4cf0- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a518d21f-d1b9-4cf0- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7e27d621-3bc4-48e9-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38058717-9b0b-438c- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38058717-9b0b-438c- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ecf81cef-ab64-4e5e-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ecf81cef-ab64-4e5e- = "0"	RuntimeBroker.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exeWyEFFCr.exesihost.exe

pid	process
3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
760	WyEFFCr.exe
760	WyEFFCr.exe
2256	sihost.exe
2256	sihost.exe
3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
760	WyEFFCr.exe
2256	sihost.exe
2256	sihost.exe
760	WyEFFCr.exe
3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exeWyEFFCr.exesihost.exeStartMenuExperienceHost.exebackgroundTaskHost.exe

description	pid	process
Token: SeDebugPrivilege	3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
Token: SeBackupPrivilege	760	WyEFFCr.exe
Token: SeBackupPrivilege	2256	sihost.exe
Token: SeBackupPrivilege	2868	StartMenuExperienceHost.exe
Token: SeBackupPrivilege	1724	backgroundTaskHost.exe
Token: SeBackupPrivilege	3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exesihost.execmd.execmd.exeWyEFFCr.execmd.exeDllHost.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 3164 wrote to memory of 760	3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	WyEFFCr.exe
PID 3164 wrote to memory of 760	3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	WyEFFCr.exe
PID 3164 wrote to memory of 2256	3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	sihost.exe
PID 3164 wrote to memory of 2284	3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	svchost.exe
PID 3164 wrote to memory of 2320	3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	taskhostw.exe
PID 3164 wrote to memory of 2564	3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	svchost.exe
PID 3164 wrote to memory of 2760	3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	DllHost.exe
PID 3164 wrote to memory of 2868	3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	StartMenuExperienceHost.exe
PID 3164 wrote to memory of 2936	3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	RuntimeBroker.exe
PID 3164 wrote to memory of 3024	3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	SearchApp.exe
PID 3164 wrote to memory of 2904	3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	RuntimeBroker.exe
PID 3164 wrote to memory of 3428	3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	RuntimeBroker.exe
PID 3164 wrote to memory of 3544	3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	RuntimeBroker.exe
PID 3164 wrote to memory of 1724	3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	backgroundTaskHost.exe
PID 3164 wrote to memory of 2448	3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	MusNotifyIcon.exe
PID 2256 wrote to memory of 3704	2256	sihost.exe	cmd.exe
PID 2256 wrote to memory of 3704	2256	sihost.exe	cmd.exe
PID 3704 wrote to memory of 492	3704	cmd.exe	reg.exe
PID 3704 wrote to memory of 492	3704	cmd.exe	reg.exe
PID 3164 wrote to memory of 2932	3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	cmd.exe
PID 3164 wrote to memory of 2932	3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	cmd.exe
PID 2932 wrote to memory of 4916	2932	cmd.exe	reg.exe
PID 2932 wrote to memory of 4916	2932	cmd.exe	reg.exe
PID 3164 wrote to memory of 4760	3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	net.exe
PID 3164 wrote to memory of 4760	3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	net.exe
PID 760 wrote to memory of 4768	760	WyEFFCr.exe	net.exe
PID 760 wrote to memory of 4768	760	WyEFFCr.exe	net.exe
PID 3164 wrote to memory of 4824	3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	net.exe
PID 3164 wrote to memory of 4824	3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	net.exe
PID 2256 wrote to memory of 4904	2256	sihost.exe	net.exe
PID 2256 wrote to memory of 4904	2256	sihost.exe	net.exe
PID 760 wrote to memory of 4856	760	WyEFFCr.exe	net.exe
PID 760 wrote to memory of 4856	760	WyEFFCr.exe	net.exe
PID 3164 wrote to memory of 4908	3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	net.exe
PID 3164 wrote to memory of 4908	3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	net.exe
PID 3164 wrote to memory of 3240	3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	net.exe
PID 3164 wrote to memory of 3240	3164	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	net.exe
PID 2256 wrote to memory of 4924	2256	sihost.exe	net.exe
PID 2256 wrote to memory of 4924	2256	sihost.exe	net.exe
PID 760 wrote to memory of 5184	760	WyEFFCr.exe	cmd.exe
PID 760 wrote to memory of 5184	760	WyEFFCr.exe	cmd.exe
PID 5184 wrote to memory of 5236	5184	cmd.exe	reg.exe
PID 5184 wrote to memory of 5236	5184	cmd.exe	reg.exe
PID 2760 wrote to memory of 4880	2760	DllHost.exe	WerFault.exe
PID 2760 wrote to memory of 4880	2760	DllHost.exe	WerFault.exe
PID 4824 wrote to memory of 75960	4824	net.exe	net1.exe
PID 4824 wrote to memory of 75960	4824	net.exe	net1.exe
PID 3240 wrote to memory of 78220	3240	net.exe	net1.exe
PID 3240 wrote to memory of 78220	3240	net.exe	net1.exe
PID 4760 wrote to memory of 75968	4760	net.exe	net1.exe
PID 4760 wrote to memory of 75968	4760	net.exe	net1.exe
PID 4768 wrote to memory of 97084	4768	net.exe	net1.exe
PID 4768 wrote to memory of 97084	4768	net.exe	net1.exe
PID 4908 wrote to memory of 76032	4908	net.exe	net1.exe
PID 4908 wrote to memory of 76032	4908	net.exe	net1.exe
PID 4924 wrote to memory of 97076	4924	net.exe	net1.exe
PID 4924 wrote to memory of 97076	4924	net.exe	net1.exe
PID 4856 wrote to memory of 97092	4856	net.exe	net1.exe
PID 4856 wrote to memory of 97092	4856	net.exe	net1.exe
PID 4904 wrote to memory of 97100	4904	net.exe	net1.exe
PID 4904 wrote to memory of 97100	4904	net.exe	net1.exe

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2760 -s 928
2⤵
- Program crash
PID:4880

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2936

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2564

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3544

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
PID:2448

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3428

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2904

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3024

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2284

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\sihost.exe" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3704

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\sihost.exe" /f
3⤵
- Adds Run key to start application
PID:492

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:97100

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:97076

C:\Users\Admin\AppData\Local\Temp\d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
"C:\Users\Admin\AppData\Local\Temp\d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3164

C:\Users\Admin\AppData\Local\Temp\WyEFFCr.exe
"C:\Users\Admin\AppData\Local\Temp\WyEFFCr.exe" 8 LAN
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
4⤵
PID:97084

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:4856

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:97092

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WyEFFCr.exe" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:5184

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WyEFFCr.exe" /f
4⤵
- Adds Run key to start application
PID:5236

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe" /f
3⤵
- Adds Run key to start application
PID:4916

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:75960

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:75968

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:78220

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:76032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK
MD5
274d6483fb538af0253825057838bd42

SHA1
4a69ea719b13f7d3aa4377d2f24d06a37c12169e

SHA256
9244d316efc6b2d9e68116e8358f6159b8a296799cf3fcd468c0c70604eb9361

SHA512
d70f54145b552a0da6e7e0aa556f980a91da30245c0dc6c08113b942d50d9c906c013cfdcf5e722e283dcbc9afb739157eb73a7cfb9927e54ef6203d063fc286

Download Submit
C:\Documents and Settings\Admin\.oracle_jre_usage\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\3D Objects\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK
MD5
5bc4a73d61da5dad9a7fb291c844a15b

SHA1
c4510727a8d33fb0b804ff36ada010bd0be4a6a3

SHA256
e1bab57cad5a4fe0e5e74c40906038b183b8a16cb7988bb5fb88f97c75f4b17c

SHA512
6d9f30be0df18f97a44a0805b17db19135e83299b9ca04367617234252911aa9a579cad99fe25361db0f370b38a6688cda8581b1c9992690c7b974f87d35804d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK
MD5
ce9337871020719579a7989577409b62

SHA1
99ba07c02f99a9baf68f44790d89a23ec4c60540

SHA256
9f924f80fbe99b722c81276c40be8212fc648d51d5679098358d07345569ed10

SHA512
557d7118a555bdd8a547b83097279bf0db9e65ae836ce90039a505fc32e42d5b52dcb1ec53ff37e4af6600739a5dcb711bfff055adbe357762e046d385df0856

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK
MD5
d002816d88dd8be6782a7eceff0c572d

SHA1
bc91b30b176dee5546437ec6a093a40cd3b46d93

SHA256
1ceff22ae4fb788f63ca71ea3ed360d32a43081f971842c0ef5f138a82853348

SHA512
2fdba4cec44c1b13cd5930a3cf6d2df96a2a92da21584642786f8c18b006ef1b285c3c60bac7377bfcc86b1bfe4fbe31bfa17f3266c40768fa492ccd6ae9462c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
MD5
374b5ba5c423e9729b0ae9743357c59e

SHA1
5781172d87eafcf61f2c7dbe6962f205a12cde42

SHA256
329f6d29913a22f62700cd4efefb4c84577708c46c9ef9f497911d4a29c32ce6

SHA512
6ed154087d0d37e6ddb291b414cf3dfb33213e7b959f677b1ce4e0d451c0e6ccb9e7e4968118775bfa5b6c664f549a2dba3d9d212db892eefb57ee3d57eb8249

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
MD5
d5524b3e9a41b39bd2c0286ebdad8a61

SHA1
8dc7fee1edfea75b2987838654bb44c33e906966

SHA256
96ed9b4accf53f2226595b9cef4d0602850511d7e7c6dfd73fe025d593e501ce

SHA512
0956d870462d6a1a3a7ee523c883441c000aa71ebb28982c97541c0c86b25c377763517d71c4d8502437a4cdc0769842eb3f42b98e1fd1cff5332783b65ce975

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol
MD5
31e8dd4f9f8fb3d10a31e3994ef5c2f1

SHA1
c8cdd850e4c26bddb43c7366247d9ba69183438b

SHA256
56226f5ada2227f5f0b4596261b1da2e601412b901f07fe3d90c63950e09a94b

SHA512
324a15bf762364aa1bf668795f5031f7a2852696046fe932fc3e334cd6a6898077f5a2594aabfc85796aff3e178a9fbe95a7f4b039dd088ef4dbf224438eca3d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db.RYK
MD5
5ecf475c4c95402bfd87cbb2237a4455

SHA1
29710db1b0f48650d0337c1e6655c5b746fef983

SHA256
e869060abe42129563d2e71286b17e517c185e3fc9afb3ddc47b0837b056224e

SHA512
a75cc8cb78f4b83b59b4fbd67f459392017fd79427bbd566b6dcd4e385931ac98f907ca458bbe666ac40fdd840ceeeb01763584257b74ef0308e3aed8caf7494

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\AdobeSFX.log.RYK
MD5
e71e4781b183c8aca424f12666447ffa

SHA1
10e51bdcad9b1002e268cdae78b6093067681658

SHA256
6a177a92729b1a304df701863d06c791a1887f6d9078fca59e14f54721f763a3

SHA512
690a1846ba3724dfab1ae0b54f01412675baf8eab40e08f91c5d6a57f50588b3cab20b00288d7edfa2392c6ad80b13296b6b0acc2cdb1b1e4a218a874f01b879

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\DO775D.tmp
MD5
9088178f8823fb1bdbc29eb99883b103

SHA1
3464adc51296e0d5ded9b2e8cf05f142189617ab

SHA256
2d176e4e196a98e43f990616a6749962752bdbe67407600ba93c3eecb21500fd

SHA512
f1ed373423233f75f0f223d6742ae41b24eec0034b13644d80727d8af8b3213b5313fecc2b0f4c5bdcebf2b0e9a728616164d09eb5a026afaafb022d8b7a39c3

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log.RYK
MD5
a43a4e5faf961301421337f0f376b3ab

SHA1
b1fb754638a9a6c20c51e051f34fe47a51f0ee9b

SHA256
f84f9249a238209358f4fc3b7c1eabc9abf339fec3f01344f3545d164bcdf40a

SHA512
6595665b96a082876eca4712d440a0351f08c9d4031ecf4432af992dba8cec35c7bdd7211b64e4761950b2f00c9656d9031c3ba24c9e927d6f61a0fe6d326266

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\StructuredQuery.log
MD5
898256526368102c00ea41ec02c9c711

SHA1
d94d2b732af1301f2bf6d5a56738932f2d862230

SHA256
d2ee5502495e48367b4a18398d922d428385e0cc1bdae48b1120505472fad811

SHA512
12e0ac6a6d74b7e465ad205c20079da1dffd73fa484b47bde163f792a20976056e1319b541d6198fbcc23ff5deaf2aa04d72d37a323b487806a61f426d2ca47d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\aria-debug-2324.log
MD5
3fe1e20bc7ce085174518c6c27428b31

SHA1
b2aaee20cbe8ddf936a88a1475fdd15428169129

SHA256
f056ac48541d2a1bec44c7ed57a888b0850b7dbb2ab524e24b32479c9500db1c

SHA512
aee0398eb5c0758a4ed68493a3accb429840ea5b1887b70a530e3e10d66b0d500d4e765c402d850bfbe6da3e4c623274bda29dc84f75ff906b25100cc5d4a093

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
MD5
d43b43392a338d328990e554331d2c08

SHA1
138e2269b0f82d5bf93b52dfb79541dd7c63bdf9

SHA256
a812a35fb8c1f48e5c3574d1258958e43b8b549c2e2345886268ec9a4f0c5e83

SHA512
f6e32f71991a8a7d0b611bebf585c9d052cea368f08567b259b019e5f62828a50fda6b76fd81c37ac4743e14625b9bebcf297cc40f6e6b026f9b4813992fb1b4

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46A8.txt
MD5
88deb3428ccc2f0b43770acae5f34e2d

SHA1
5efb5c6566cabb4f5866cc7084b62406b28bba0d

SHA256
5c9233f4ecf25901a7982f6e447b99ef8481f14b0d72828aa9eb72e81f9fda5b

SHA512
668b34b05d9869a2c415ca28427d7bc592a018d6833440e31a319eefb92da1bae181bb46e07677a3ff0d805621ae3e3a95969a6553e20edebd246526e80b7e7c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46E0.txt
MD5
03013800ff050e049e799aa72113aba8

SHA1
fcbd1635abb1164cc2f0a16a94c0b7ab38db1583

SHA256
15c6a59baf39e84de9bb051425e2f1341a2f53adae4e68af7f2ed18ab11cafac

SHA512
d5dc6da957279372aa6055067081ec7d2095222bce1698a8429ff69ef3a9868467069372239565d163424c64cb0ebe58b9a2d707e8d342b0b8fbd9b62920edff

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log.RYK
MD5
12a92336a1f2ae5a2b355415135ccb61

SHA1
7f86898c903e06670f3c11cb8c903e183717334d

SHA256
5e163da2cf398a1db44db6cc96251729b1449b0d99c75c8c3ce997b3d565792c

SHA512
1830827470ccc34c71554edba823d73316d7be020a1db7110a3befdfcfb433024cec4f0f6850e7c7e5484ad4992432006830b39c87d16d2989cbc7d986f36a01

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\msedge_installer.log
MD5
5671449599ead16225850bb31d9f930a

SHA1
73fc9723904bfa97e261e4662ecbfb32459c7853

SHA256
bc2bc24475544ea794ba6adb948fe76fcc4226210d95148c76846b48f04ff5f1

SHA512
cdf0e13834319f4b1e7be10f1a6ff8fa192083ca56aaaee82c471e0c39b4b6f49276a2abefb280dba94ed4e9e477698d2e743957c9ba06637c4c091306a730b6

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\offline.RYK
MD5
ff10ad009d8f74ed0a115817a2caa7ed

SHA1
a9591d83ee3401afa8d6a6d486818d59731f474d

SHA256
eb873e93a1d2e63602c4f62b12d2fd8be07e7322231832baac0c451a78ab6709

SHA512
cd3cc4727b63af68d63ba3b2e78ba43bc8e362029488de05fda35ea22b2007e2ff3723b7135f2ec40745c10358fc3665866f010033a3c6db9f36c7df7310eeff

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\offline.session64.RYK
MD5
9ab6655dfae8a8d98532044202a1b5ea

SHA1
090ba80bfd9e8a2cad36adb070dddd0594a2ce3d

SHA256
719d8490d22909cd87fbe0322b83475cdaa47323602d9c3c420db05586b56276

SHA512
43dcadd35d5562644ec046314197c0d8a36ced9bb10e96231954f65cbd00532746e311c0713476c8e8601772d398594680e0c77a5b272335147b3a67ab94f299

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tmp3384.tmp
MD5
1e886a6715ff67ac75e83225e0d743b6

SHA1
23df79da1fe4ca627be66a7b6bab3b83eb73f6b7

SHA256
66d178f9e5038aa176da9060fa346b588152c4521d35eef76760e9dac90f5b1e

SHA512
6c0c03e147b538abbd1f6c5b3a60905a4eaa1f6ec33d10801f633b33dfcbef5d3e8e23dcf8d59785f45e1d7adc905fe963ff35db8fafdc1a97986fbe6bede10c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct2BC9.tmp.RYK
MD5
52993bb1bf2dca0f5652b79c7e5a099a

SHA1
4c99e76b1e016e32f3ef32a9352726d3f6f1e215

SHA256
2f35cd2d1b6a5dea479d6502cafd0047cb6209466e311b171300c5a5a3660275

SHA512
b2f0b302e4eeec81d5944097beda7aec7b6d007a7e770ede3ca95d43222660ad56a13a0d73d2342380e0e119f5954fca093dcbdbc10d1253f0d5a4412b413fa8

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct2D5A.tmp.RYK
MD5
6a4b13a10fe70e86b02a0ebac5f973db

SHA1
06b67f81cd37435c614dcc1dd356e655d9eb871d

SHA256
894fbb44e0c18aaffaa9ee54ee54ef203f30f7748ba9609cf2bc9be52f584552

SHA512
a26db72bd0cc0fa1b1115d660a4fd10430b82e4b213e544f0d8d3b1f47ecfcfbd05ec8e6260b92bdea9fc28ef85f70cf6b34ef0ed578268bc8c17cb7d9c0ce03

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct530C.tmp.RYK
MD5
6b05b94c89f1f36e90c33eb08e95e6fc

SHA1
4ec8cf84e910ccfa9ccbe3ef64a9a797082e8aec

SHA256
9f7c3cfd81972584b93bedc8e026774d2f09b985eb4b914665e732096cd50390

SHA512
2efdb8dfd1732c1a809c2209a206295493f0838e8807fc4841c2a47e7efa50aaee084a645cce5c62f7657bee944b88c352a720db02312764ec3c97cfacfc9da9

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wctCE8B.tmp.RYK
MD5
e1222d58675c83c838359794b1429331

SHA1
061bb293acb5ae93e5bc13aebaaaf324427fec66

SHA256
d00b5941bf8d1e5711da15b51bec54f3c4ffd1ca94eb5f90838712bfc680b4dd

SHA512
32d05dd9382a765307a3aa5b8f62c8ffe59060908849fbe3f76be58a3468b40084793e195e8b980e30cd562de7208db73dfe89174773c9e79f7f0c1290c9be52

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wctE22A.tmp.RYK
MD5
a601085179353a33c4823530498fdced

SHA1
77ab144302c8674b185f8519c027933743e6321e

SHA256
519487d167e87b4da47f377dca2935a9c4d7b652f850e13d58e87d6130de07b8

SHA512
23ffa4c6c4e65d90eefabf52790f8744001d67d4b43e3e582b8541ba873a9278026f7f8aebdfd61b967c0cdcc2e9d04d1bae2736dfa93939feecda018467469d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wctEFCE.tmp.RYK
MD5
59991043e6a2d9ef757f73db6980f557

SHA1
ff6beb8e1335c06c19af67cb6dae2f6571ff7fdf

SHA256
6e0723f556be7de52620c0db6e90ff54b4ea12c579098c16aec5cf8cba3eaadb

SHA512
5e6e58e1f54de42c74601de079a7b0b99a384308c5cf5fbd23a6692fa13b216f3873a1648e50df9c9e5118e584ae13d0462eceeedd9afad7338f936d1ad237df

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log.RYK
MD5
89aad1ae9aadc2d637450c69f4acfd12

SHA1
53c90c9d4f8fe0c9a850bb2b9eeaa3d9e07c006d

SHA256
154cd22e01389b0bb6950c5bfccca5e2985d18117b4b29613af362ee1d14e6a1

SHA512
620ef6ef2c11dd32e9113cb0027fc87eec2e4c53ff217ff0f1fe71c94731b58a104fb9ed991e5f9961c25a9c22c33236747fa5e1b892db35e151125f4ade02dd

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm.RYK
MD5
acc3006ee8921cabb7be3e27a042ecc2

SHA1
a1db04e7fa664e90bb688a3605550ca0a858eab8

SHA256
00a66f50266a8d37b9cc9aac14c148ea82694fa3890440eda118bafd86bc7566

SHA512
94efacc76c58ad601d4a5bffa42fed84a87b7d0a85e77716a2bc2d9187a52f03cb70f2dd00acc5b405bd6ede2de907e82909b95d34b539560fead8a64240526f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\temp\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\History.IE5\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Users\Admin\AppData\Local\Temp\WyEFFCr.exe
MD5
8fb17e62abc491dc6f8e9630d73d935d

SHA1
ed0b184eb9b1e2a8b9f95b79cfcd691d2a4f4084

SHA256
d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d

SHA512
ee075b4a368175c773f400424b97e57de84e37d5858e4c938edd6df9cb6e4917f7fdc0a83df3fdf253fe0401f50cc702d307cf33d05898414796fb36f077039e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WyEFFCr.exe
MD5
8fb17e62abc491dc6f8e9630d73d935d

SHA1
ed0b184eb9b1e2a8b9f95b79cfcd691d2a4f4084

SHA256
d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d

SHA512
ee075b4a368175c773f400424b97e57de84e37d5858e4c938edd6df9cb6e4917f7fdc0a83df3fdf253fe0401f50cc702d307cf33d05898414796fb36f077039e

Download Submit
memory/2256-132-0x00007FF68AEB0000-0x00007FF68B025000-memory.dmp

Filesize
1.5MB

Download
memory/2760-196-0x00000179E75E0000-0x00000179E75E8000-memory.dmp

Filesize
32KB

Download
memory/2760-197-0x00000179E7590000-0x00000179E7591000-memory.dmp

Filesize
4KB

Download
memory/2868-133-0x00007FF68AEB0000-0x00007FF68B025000-memory.dmp

Filesize
1.5MB

Download