ryuk | d439abbc0c204aa869991837e62e7a5ebf30f5214e6f648c78dc812d4ffd62dd

Analysis

max time kernel
204s
max time network
235s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
20-02-2022 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d439abbc0c204aa869991837e62e7a5ebf30f5214e6f648c78dc812d4ffd62dd.exe
Size

124KB
MD5

4bb18d5e27f9e75b211f8053a1e0fb4f
SHA1

4eb0d5fab83c5a92e442beee4b31a6cd7d05cf4e
SHA256

d439abbc0c204aa869991837e62e7a5ebf30f5214e6f648c78dc812d4ffd62dd
SHA512

bdb107f07beb782a1d90857cd3e895c7013ceb8b4dc78285014434214e9c34925e0c6ce8278b48acdcddeb1b430804f5a0c9398f7012f45d68a869dfd51fcaed

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you encrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 5036 created 2924 5036 WerFault.exe StartMenuExperienceHost.exe

description	pid	process	target process
PID 5036 created 2924	5036	WerFault.exe	StartMenuExperienceHost.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

sihost.exed439abbc0c204aa869991837e62e7a5ebf30f5214e6f648c78dc812d4ffd62dd.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\Admin\3D Objects\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	d439abbc0c204aa869991837e62e7a5ebf30f5214e6f648c78dc812d4ffd62dd.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3712 2744 WerFault.exe DllHost.exe
5200 2924 WerFault.exe StartMenuExperienceHost.exe

pid	pid_target	process	target process
3712	2744	WerFault.exe	DllHost.exe
5200	2924	WerFault.exe	StartMenuExperienceHost.exe

Modifies data under HKEY_USERS 19 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe

Modifies registry class 59 IoCs

Processes:

RuntimeBroker.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f1ef8673-fa29-4061- = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7e9fbbd9-20c8-47cf- = 7a9c977c0326d801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d5da912c-380c-4c1e- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\5dfe6b011aa7f164420ad344e90ceb94833c03df0becdadd0b8b071e6affd3dc"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1b0b0208-e337-49cd-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1b0b0208-e337-49cd- = bc1e35aa0326d801	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f1ef8673-fa29-4061- = 0d77097c0326d801	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7e9fbbd9-20c8-47cf-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\cf5d2e78-9cdf-4bf3-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1b0b0208-e337-49cd-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f1ef8673-fa29-4061- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7e9fbbd9-20c8-47cf- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ffd9528c-e519-42b2- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d5da912c-380c-4c1e-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b2284d93-841a-4f40-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ffd9528c-e519-42b2- = cfa73a8d0326d801	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0840746e-c882-421e- = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0840746e-c882-421e-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1b0b0208-e337-49cd- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b2284d93-841a-4f40- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ffd9528c-e519-42b2- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\bd92d40750db4f42c08c4b94829c8bca93d04a308c2d5e575be4d680d4898109"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0840746e-c882-421e- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\be1ea30834bffcba53c22e9348de3fcffb7c22af69f675cbaa99d5e902d08cc4"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7e9fbbd9-20c8-47cf-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b2284d93-841a-4f40-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b2284d93-841a-4f40- = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000020f6ef7c0326d8019d7513800326d8019d7513800326d801920b0b000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000054544b152000393266613066633264313638313065376338613965383933393063316438653361373838636235363836386135313733303137376634393261363037626331360000b20009000400efbe54544b1554544b152e00000000000000000000000000000000000000000000000000d60b8d00390032006600610030006600630032006400310036003800310030006500370063003800610039006500380039003300390030006300310064003800650033006100370038003800630062003500360038003600380061003500310037003300300031003700370066003400390032006100360030003700620063003100360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000007afed4511000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c39326661306663326431363831306537633861396538393339306331643865336137383863623536383638613531373330313737663439326136303762633136000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d6c4ed64e39083ec1182d0e2b0173f814ebad9b5dc40371b4eb595e9fc647d27d6c4ed64e39083ec1182d0e2b0173f814ece000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ffd9528c-e519-42b2- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0840746e-c882-421e- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7e9fbbd9-20c8-47cf- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\def70570440199ae46590821d98673f9565dacb195c745b339071c26a16e4c52"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f1ef8673-fa29-4061- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\bd92d40750db4f42c08c4b94829c8bca93d04a308c2d5e575be4d680d4898109"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f1ef8673-fa29-4061- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7e9fbbd9-20c8-47cf- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000001bac657c0326d8011bac657c0326d8011bac657c0326d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000054544c152000646566373035373034343031393961653436353930383231643938363733663935363564616362313935633734356233333930373163323661313665346335320000b20009000400efbe54544c1554544c152e00000000000000000000000000000000000000000000000000e57b1e01640065006600370030003500370030003400340030003100390039006100650034003600350039003000380032003100640039003800360037003300660039003500360035006400610063006200310039003500630037003400350062003300330039003000370031006300320036006100310036006500340063003500320000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000007afed4511000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c64656637303537303434303139396165343635393038323164393836373366393536356461636231393563373435623333393037316332366131366534633532000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d6bfed64e39083ec1182d0e2b0173f814ebad9b5dc40371b4eb595e9fc647d27d6bfed64e39083ec1182d0e2b0173f814ece000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1b0b0208-e337-49cd- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\dc48b296446b1fdf2cd03033b5641c6cd9b6f180125f913cd9feb4ae4f0a036d"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b2284d93-841a-4f40- = 1d59d18b0326d801	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d5da912c-380c-4c1e- = 308d149c0326d801	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0840746e-c882-421e- = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ffd9528c-e519-42b2- = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0840746e-c882-421e- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000885e2d830326d801005bd9880326d801005bd9880326d801394609000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000054544b152000626531656133303833346266666362613533633232653933343864653366636666623763323261663639663637356362616139396435653930326430386363340000b20009000400efbe54544b1554544b152e0000000000000000000000000000000000000000000000000091838300620065003100650061003300300038003300340062006600660063006200610035003300630032003200650039003300340038006400650033006600630066006600620037006300320032006100660036003900660036003700350063006200610061003900390064003500650039003000320064003000380063006300340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000007afed4511000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c62653165613330383334626666636261353363323265393334386465336663666662376332326166363966363735636261613939643565393032643038636334000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d6cced64e39083ec1182d0e2b0173f814ebad9b5dc40371b4eb595e9fc647d27d6cced64e39083ec1182d0e2b0173f814ece000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1b0b0208-e337-49cd- = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f1ef8673-fa29-4061-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7e9fbbd9-20c8-47cf- = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b2284d93-841a-4f40- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b2284d93-841a-4f40- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\92fa0fc2d16810e7c8a9e89390c1d8e3a788cb56868a51730177f492a607bc16"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f1ef8673-fa29-4061- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000233ed47b0326d801233ed47b0326d801233ed47b0326d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000054544b152000626439326434303735306462346634326330386334623934383239633862636139336430346133303863326435653537356265346436383064343839383130390000b20009000400efbe54544b1554544b152e00000000000000000000000000000000000000000000000000ddbc7e00620064003900320064003400300037003500300064006200340066003400320063003000380063003400620039003400380032003900630038006200630061003900330064003000340061003300300038006300320064003500650035003700350062006500340064003600380030006400340038003900380031003000390000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000007afed4511000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c62643932643430373530646234663432633038633462393438323963386263613933643034613330386332643565353735626534643638306434383938313039000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d6beed64e39083ec1182d0e2b0173f814ebad9b5dc40371b4eb595e9fc647d27d6beed64e39083ec1182d0e2b0173f814ece000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ffd9528c-e519-42b2-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d5da912c-380c-4c1e- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000009409e47c0326d8016651fb820326d8016651fb820326d801d8221a000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000054544b152000356466653662303131616137663136343432306164333434653930636562393438333363303364663062656364616464306238623037316536616666643364630000b20009000400efbe54544b1554544b152e00000000000000000000000000000000000000000000000000bdbabc00350064006600650036006200300031003100610061003700660031003600340034003200300061006400330034003400650039003000630065006200390034003800330033006300300033006400660030006200650063006400610064006400300062003800620030003700310065003600610066006600640033006400630000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000007afed4511000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c35646665366230313161613766313634343230616433343465393063656239343833336330336466306265636461646430623862303731653661666664336463000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d6caed64e39083ec1182d0e2b0173f814ebad9b5dc40371b4eb595e9fc647d27d6caed64e39083ec1182d0e2b0173f814ece000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0840746e-c882-421e-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f1ef8673-fa29-4061-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d5da912c-380c-4c1e- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ffd9528c-e519-42b2-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d5da912c-380c-4c1e- = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0840746e-c882-421e- = 025510a40326d801	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1b0b0208-e337-49cd- = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000072ca267d0326d801d73483830326d801d73483830326d80117c414000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000054544b152000646334386232393634343662316664663263643033303333623536343163366364396236663138303132356639313363643966656234616534663061303336640000b20009000400efbe54544b1554544b152e000000000000000000000000000000000000000000000000000ece9100640063003400380062003200390036003400340036006200310066006400660032006300640030003300300033003300620035003600340031006300360063006400390062003600660031003800300031003200350066003900310033006300640039006600650062003400610065003400660030006100300033003600640000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000007afed4511000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c64633438623239363434366231666466326364303330333362353634316336636439623666313830313235663931336364396665623461653466306130333664000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d6cded64e39083ec1182d0e2b0173f814ebad9b5dc40371b4eb595e9fc647d27d6cded64e39083ec1182d0e2b0173f814ece000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1b0b0208-e337-49cd- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7e9fbbd9-20c8-47cf- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b2284d93-841a-4f40- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ffd9528c-e519-42b2- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000007ff30e7d0326d80107ee14810326d80107ee14810326d80186720a000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000054544b152000626439326434303735306462346634326330386334623934383239633862636139336430346133303863326435653537356265346436383064343839383130390000b20009000400efbe54544b1554544b152e00000000000000000000000000000000000000000000000000ddbc7e00620064003900320064003400300037003500300064006200340066003400320063003000380063003400620039003400380032003900630038006200630061003900330064003000340061003300300038006300320064003500650035003700350062006500340064003600380030006400340038003900380031003000390000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000007afed4511000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c62643932643430373530646234663432633038633462393438323963386263613933643034613330386332643565353735626534643638306434383938313039000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d6c5ed64e39083ec1182d0e2b0173f814ebad9b5dc40371b4eb595e9fc647d27d6c5ed64e39083ec1182d0e2b0173f814ece000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d5da912c-380c-4c1e-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d5da912c-380c-4c1e- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

d439abbc0c204aa869991837e62e7a5ebf30f5214e6f648c78dc812d4ffd62dd.exeWerFault.exeWerFault.exe

pid	process
652	d439abbc0c204aa869991837e62e7a5ebf30f5214e6f648c78dc812d4ffd62dd.exe
652	d439abbc0c204aa869991837e62e7a5ebf30f5214e6f648c78dc812d4ffd62dd.exe
5200	WerFault.exe
5200	WerFault.exe
3712	WerFault.exe
3712	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2440 Explorer.EXE

pid	process
2440	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

d439abbc0c204aa869991837e62e7a5ebf30f5214e6f648c78dc812d4ffd62dd.exesihost.exeStartMenuExperienceHost.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	652	d439abbc0c204aa869991837e62e7a5ebf30f5214e6f648c78dc812d4ffd62dd.exe
Token: SeBackupPrivilege	2228	sihost.exe
Token: SeBackupPrivilege	2924	StartMenuExperienceHost.exe
Token: SeBackupPrivilege	652	d439abbc0c204aa869991837e62e7a5ebf30f5214e6f648c78dc812d4ffd62dd.exe
Token: SeShutdownPrivilege	2440	Explorer.EXE
Token: SeCreatePagefilePrivilege	2440	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

d439abbc0c204aa869991837e62e7a5ebf30f5214e6f648c78dc812d4ffd62dd.exeDllHost.exeWerFault.exe

description	pid	process	target process
PID 652 wrote to memory of 2228	652	d439abbc0c204aa869991837e62e7a5ebf30f5214e6f648c78dc812d4ffd62dd.exe	sihost.exe
PID 652 wrote to memory of 2244	652	d439abbc0c204aa869991837e62e7a5ebf30f5214e6f648c78dc812d4ffd62dd.exe	svchost.exe
PID 652 wrote to memory of 2288	652	d439abbc0c204aa869991837e62e7a5ebf30f5214e6f648c78dc812d4ffd62dd.exe	taskhostw.exe
PID 652 wrote to memory of 2440	652	d439abbc0c204aa869991837e62e7a5ebf30f5214e6f648c78dc812d4ffd62dd.exe	Explorer.EXE
PID 652 wrote to memory of 2532	652	d439abbc0c204aa869991837e62e7a5ebf30f5214e6f648c78dc812d4ffd62dd.exe	svchost.exe
PID 652 wrote to memory of 2744	652	d439abbc0c204aa869991837e62e7a5ebf30f5214e6f648c78dc812d4ffd62dd.exe	DllHost.exe
PID 652 wrote to memory of 2924	652	d439abbc0c204aa869991837e62e7a5ebf30f5214e6f648c78dc812d4ffd62dd.exe	StartMenuExperienceHost.exe
PID 652 wrote to memory of 2988	652	d439abbc0c204aa869991837e62e7a5ebf30f5214e6f648c78dc812d4ffd62dd.exe	RuntimeBroker.exe
PID 652 wrote to memory of 3064	652	d439abbc0c204aa869991837e62e7a5ebf30f5214e6f648c78dc812d4ffd62dd.exe	SearchApp.exe
PID 652 wrote to memory of 2660	652	d439abbc0c204aa869991837e62e7a5ebf30f5214e6f648c78dc812d4ffd62dd.exe	RuntimeBroker.exe
PID 652 wrote to memory of 3428	652	d439abbc0c204aa869991837e62e7a5ebf30f5214e6f648c78dc812d4ffd62dd.exe	RuntimeBroker.exe
PID 652 wrote to memory of 2776	652	d439abbc0c204aa869991837e62e7a5ebf30f5214e6f648c78dc812d4ffd62dd.exe	RuntimeBroker.exe
PID 652 wrote to memory of 872	652	d439abbc0c204aa869991837e62e7a5ebf30f5214e6f648c78dc812d4ffd62dd.exe	backgroundTaskHost.exe
PID 2744 wrote to memory of 3712	2744	DllHost.exe	WerFault.exe
PID 2744 wrote to memory of 3712	2744	DllHost.exe	WerFault.exe
PID 5036 wrote to memory of 2924	5036	WerFault.exe	StartMenuExperienceHost.exe
PID 5036 wrote to memory of 2924	5036	WerFault.exe	StartMenuExperienceHost.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2988

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:872

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:2776

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3428

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2660

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3064

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2924 -s 3296
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:5200

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2744 -s 1000
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:3712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2532

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Users\Admin\AppData\Local\Temp\d439abbc0c204aa869991837e62e7a5ebf30f5214e6f648c78dc812d4ffd62dd.exe
"C:\Users\Admin\AppData\Local\Temp\d439abbc0c204aa869991837e62e7a5ebf30f5214e6f648c78dc812d4ffd62dd.exe"
2⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2244

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 2924 -ip 2924
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:5036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Modifies data under HKEY_USERS
PID:496

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK
MD5
19792d0a17c3d21aecfc9137421f93a4

SHA1
2844c12936c1d6f0ab62c7516a87d27675a1bce1

SHA256
9db1ef52b8a69fda51042511aafd429de0bc91fcd32ecc102c7f988b428d18d7

SHA512
06c785e2e5b218e0236c76ee70228c218f3fdc8bd67508a246815e97d4d01bc73584d30198771d809f2ef065a351f9d616ac44e1b38a5f5f449abc2588a60317

Download Submit
C:\Documents and Settings\Admin\.oracle_jre_usage\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\3D Objects\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\3D Objects\desktop.ini.RYK
MD5
bd828bcca5d657c4d57b2330535f9ba2

SHA1
fa88f5608cc9c7eabc075d04841696bddf89075d

SHA256
7043144b80231a13d18d7e51e8eaaa9352e7abacb5d4ed93b9158b757cb29cde

SHA512
caa6e7ea7447566b2aa70a27b20f898bd6b79e24ee311c98962e857f8e5387ef859093298151257f2ee64b2f6bfc59f06bb01189d38ff2b28f21dac478358bb0

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK
MD5
6b70d1ef2a1277ef179de564d99fbf0e

SHA1
89367e52d3f29b2e645f0e89a638784d74abac2e

SHA256
79c0807ca06b486fe2a52146ddc92bd4c31590114b57ea51249ece6125d560aa

SHA512
e7f65147b5faf33b195222d5f4005881774143aaa8b04b48d5620ba26c770c02c8249c969021655f8608ebb25b91baf97b22aa1e01dc8e9ddabce5454067627b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.binRYK.RYK
MD5
b67d7cae265ae26d8ce58263f81d6e06

SHA1
f3072dbed0cee19a5d357607d75e69d1a422008c

SHA256
16dc1e7fa7fb782b990bbf280f47728704bcfc427edb3f3c13d8570591508dc3

SHA512
24789e0c913b2c29ff454351e4f3d2433a01d5fa36602b35a6ce2787398da5b4595bb60bad387fa5cb84031f9c4ce9e7c798a1cc32dfce2b86f4ecd26d79a758

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK
MD5
a64390b71364b2a15d1a58d911bbed37

SHA1
ed67caf4b55a124d1a24021707be01bbf71d83a4

SHA256
26bd46efb229a00b1587323c45c5d93ad3e43396498d397b9efa445a7188b02b

SHA512
2f9cdf5b4068b0f3fdf8dc3972cae70c00287228d8bda0175a63b5f789bd9a3259d950a7957c2c489f6bdb136eaf4bfc3c2bcb3511f58cb51712ab0529da648e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
MD5
254b74a01262cb2e4d2b3c0c3cdf047e

SHA1
c55c6a14e915c87530b660de373df0521d474d1c

SHA256
4d88c1b7bbafc3926ea1ade9289e13acab2c9a34d46635712ab9c6214655fc3c

SHA512
8631d608413b984ca7bbbf4fb19d55ff2d0af8d38ebf1d7fd51338ef19972492b369a9d8eb9cf138a7c37bd7bc8d2cba79df0b874737dfe6c5950504f114c83e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Color\Profiles\wscRGB.icc.RYK
MD5
d7ce518446ebbf87ec54b526fb66f34c

SHA1
cbe178363b1e76bae6e74e92664c1ae1feabab7a

SHA256
1620c843c267f42bcb94911c43d9aafd74361f176f33b7de3c8291a2fd48a39f

SHA512
20a834519f20d6f14533f385fa7f5d2d78d7c7fa27fdec36392b640ebc5c5132367223271ac75041642327aab4d467dd6c2da9a8669f1e97d68defb1fca0c6cc

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini
MD5
fa53d94c7cc4a6a769086ed116255b3a

SHA1
e3978fa23025b83fc5f9e29eedca2a8667e5935f

SHA256
7f028f48f13fd13f71575e2a87a27b13f69d796f6107bcb78fe087f6c45ed961

SHA512
7f1c279762a1d9e017165deb07a376a18ec534678abddbda78c52c1ba73cb61b29e0942d16cd9d09ce095486be5ddfb43e64fd3057d6297ab2f308c3a4426765

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\DO775D.tmp
MD5
652714980ba6485a9b9de98eee6139b1

SHA1
a744e22c5a7d0667e5189f604feb376e76f5a5da

SHA256
5a40224520dc098940d5879aab710e2c0dd188bd5e5266f601eeae651ec0a29a

SHA512
e5bc36f5a16455b7802884bea7594393b2aaa19551094a15ec26704d7adfb867857749ead9313b0d4c436286d19955129d7c6bc2b9f612bd37c43e2372f8a583

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log
MD5
371f977d019232767f42b0f6f3d26545

SHA1
012860ab213c8a04370ac3588a6a8bb6b3eb943e

SHA256
2ac592db94caa7d29ed65452e4a4bbc7c5f5e58461a0918d3bd542814cd6c1b3

SHA512
d6d13971148b1c2afb11825a29daae91f1a85316f7fdce5540b00abc418e6615c38751aff25c7e0cbf31a5d806f37333fe4fc359647cbe59cf52d08afce79c65

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\aria-debug-2324.log
MD5
6ebc559e0ec23ca3bd7bf52501ad7165

SHA1
4994267bf29bf593168039d39cffd456f16f13ca

SHA256
b32750e1d2c33b4b8ed3789803ff6f267eeba5b1add6a6d598de8b6eeb6ad0c4

SHA512
d62d79d2fae6b0467712b9467980864633e44bef1442fd80033c0e29f62225e6e1cdb4bef8a325f1f633e579ccfafd609be315d9bc9913894ace4a30d0e4b9fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
MD5
1e9230aa84b2622447c55b3136e8d5cf

SHA1
ba7e3e40055124ea9620245ca854b6d7d4acac55

SHA256
fb70486ddf0568a61708d816477aa32bd738aeb629b4c148048515c7062acbc6

SHA512
5396d1facb305be1185f0ac2283983cac2d22917f787456df7a8ea9c62f278be2a8e9aa2beeb09b0bc8e90074ac95a5ad85c37a41eb25d07e5d9b04c263935bd

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46A8.txt
MD5
50bd72f675f6bf02d67840bfa26c302a

SHA1
d64d68062eb5897170c87d750c1e1d214050527b

SHA256
c840325348caf4d0c697bf95b8a29d691b6141042177b6107f705d0d7c9e15d3

SHA512
bde1eaef00ab16972d9e6c57110b873bfd111c1af9f6ee8b04aedb423bb00edf27dbf479d09317a759acd511860fcac8c2c503b5e2e34663c8bb5aabe3e3df6f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46E0.txt
MD5
991b5f38dab05d6bec6b15159b3704d6

SHA1
5ce93ee160ea652af41009b56d035379831ea518

SHA256
39a2354a66d6597d7671f5206eb9a3ccaed4e03b10ddc726347143970617da37

SHA512
6a08232c6f908f5a5baefc2825cbb4d2827bac58210ca1f61cce3227453461243040cba81115c6c736b76e73b77b8b8ddcc511befd4c4ddbcf52468e09b38b24

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log
MD5
029f823e875077a94a2a64b730996eeb

SHA1
f5d61abe85323a1443bfa3f8964b2b2bb987e224

SHA256
f09dec29f0c26645bb4c1d2d94d523d7244e555fd9d990ebe279661d3b62dd96

SHA512
0c35821f2ed8f66dce55ac5f3d6c526367693490bf893c4131d17ab04e7fd5bda06865d227d8ade30233b66081b9746c69de8bef98db38cdc37d5f11369b2f87

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\msedge_installer.log
MD5
42ee4843f0ee696ab0e6e1567c406797

SHA1
fd37f5ed8a33d29febb528ae1b739974137f9ded

SHA256
6cac27fe7b1f2753adccc9820b5042a2034115dcbf02bce8ca3980296aacb777

SHA512
79caf8ee5b429d1480c745a30a83959298b6d74f02d9ef8df214318596c696bb35cee50e0eab908b6dc732ed3ce557c37ce7e5afc8e45f328cda7364c0db2ab0

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\offline
MD5
6344140ecd4fe105cffb62b877cb671e

SHA1
5deecd4a3b7ab9ee6eeca1f611182ed3d39f3cae

SHA256
d06b1f60f18e2f12d506b95703ba9803fb94d1b4109f38a2f2519596d25cf151

SHA512
e20733a1043ccadb0f46080db80ca9c256ee617a9048f66fde1f1b9855220918b93bc1272e73e1f97960140ffdefb12c45e74ef179ccd7efa00e0cdc30bdcef8

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\offline.session64
MD5
60fc63455db6d4dd6182ecee536f18bc

SHA1
ea6b23fe3a3dd34319b5e509d5491fa803344114

SHA256
0be9412e9e05a3f7959b19d5309bec281a4b07d687e0417ee39cb5eba91551d5

SHA512
576c546a52fb59c3e3a1c30015a14770b1326ddf3f0097ddd08aea3ea39373d9c4351c0608b173e2f0e4c8298fefaef4a75bbcc660de24b878157e2f7aca31b7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tmp3097.tmp
MD5
1853dec212cb0752a771a4850805c570

SHA1
3a782aac718a3f0daef313a55b0e234ed14c29de

SHA256
d20e6863ab816720092ba538ad738774bbe9ebf5c9d61042d48d67e74949205c

SHA512
d1a953c0255e39426f43f23ad22a14981b6c73a032a60d6b7ea801f83a4dd911e6fac72ae53a21937a644e22e850dfdd52ce7766eb9e0df5792fefd3cf51389b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tmp3384.tmp
MD5
23fe6ae16786e856657037a3f0bd271b

SHA1
576a3489c03d27bc246275bc4a4f6cc754943763

SHA256
6b726e9cc86117c2e477353541aaf425d81bade6c7b097595dd8ae0e70b67fd4

SHA512
95783df38ea30c1f9a9896322573f41aadf581c567ec7638323377c6e8436c66fad943b2d6c00b0b7d2aeecb35350c1b57e4afe8718ad98af5e0e9240e23bd91

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct2BC9.tmp
MD5
110a02386786ad7a6d453fd7e414f59b

SHA1
50f57ad20f47e17efc4dca4fa90ccd92258ff7a3

SHA256
fdc2946ee598c4e7ba59893ddd60fd7ac7547eacde60125b2c99c221f682e1ce

SHA512
f73649ec4921928ca4a3d1fa1ed4f961e202b089b15562f36e19c7599a802dd7b5fad958617ba4d03807370da58d80dabfe402d2f3d0185261ae0246a8913eba

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct2D5A.tmp
MD5
d655a3078ac63077ba77c68d1557f56a

SHA1
586130c668af786fe88e4cc73d6a194663c1f603

SHA256
4452bf30741258f46d461ac45082c7c78be51b92a995580cfd9fff0776f0f5ca

SHA512
49894c6a3a23b04e4eb62367e4ab12f55f56381299111aedb9f13b20ee249beb49dc91dd07f0c7b0432ad4fac88500384c1619599463c7db3afffdc8a87ee272

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wctEFCE.tmp
MD5
bbe15286c4c2d09594fba563cb50b80d

SHA1
6cfcd1676e846073d878e47c657338aaad6c0588

SHA256
1220035180f8da256a593219cfed1caee53861a1f52143154a2d90ecc77f00a3

SHA512
d42fd2f5da7f9701899a631aff9bb4f028a145ec5f2b02c59fb888eb40f5ef78692e7c1bdcd12cd0004d4c4a6fd7de7d51c7e1a766d41cb5a677b3c39531904b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log
MD5
06063184833898b62c43957d0627e662

SHA1
5e3b8efa176cfc8996bb5610d298a4c4b1eb78f8

SHA256
9c0af2e5de43a51a21c4a86443b08971ee2e8097fc45681218427be1f98868da

SHA512
e2988a8ae619983f9998cfcee529314ba34ebbf25e48b70c81e46fedbe544657b88ce1e463fdeaa5627a4e6ff1d799ec160af691c742e9de7869797dbffeaf89

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jcp
MD5
fad1dcf1d45fef3dd93c8d0fdc163c65

SHA1
83fc44cfa49c938be4ebe09dc420a373078f3076

SHA256
724b7ca7d1ec7393d1dceeb648a20e4e16b7229f3bea93d3bf74ec40778bdbd2

SHA512
0401484b4a111d5c9c96d9a73dff8a398f35403d447bb3a60d0aaebc8d15d4c629232833d75e22fb1b7edff72b5e8b58c81a5303d4443a4cf8dc669f08887758

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx
MD5
6ce57600da7b4296a8de0b1badabb4a0

SHA1
cf1c191862a37938f6856caee39f965899432097

SHA256
2e90967de43c688f34a03570938a4b88ad8becd84cef1ca6e30857525b086ef9

SHA512
d16c052a526323cdb65a3edc0f4c7fa0298659c9f3f04ab765c8a3aad3378b34a7345ccf4213e550404a9f590efe173cb7ebac3d6ea27811758ac836bafd19cf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.jtx
MD5
26d43e33cd8e704498bdf7a0a4be3588

SHA1
f623e624dd818b6d6d4e6b148c4f78f0709447af

SHA256
fed8af071602bf82434921382cee08b8b541ddea6a320406d5a6f6838ef05cb5

SHA512
2175f66c61e4e564ff578eb7838bc3b49deed646410b2dc77cdcebfa758482371322b2e0c027c07bb51f2e68e1357106f28621ebd8ef0c7b6acf36ad5dd63198

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm
MD5
d13ff1f3aa46cadb010f2bc8bb03c421

SHA1
fd3dc397b75bdfcd887313d6cd5b1a03ba9abfc0

SHA256
b4c8a5ea09d3ebc4048b33f0bb86f75c47a269f821584a819cffea106aa9ce2f

SHA512
dea4d5f3568834f38de0f348c326a50394ee21f2d8a4ef4848ab847fbffdb4740b4cb1cd96572dbe04feda1c9fa1be604897fa80522162e7d6f6f797c420aed1

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol
MD5
0d69de48dff6e82dd395697388e91698

SHA1
35f702ed1add10b792abf538d9c3dc31a3c4dc7d

SHA256
c21076ea8b24b245d958a5afff62591d27d20ac852367bc6d1effa9a736df333

SHA512
5e25a56aae153c612018f0e2e56384bb330b8dd63dd1ca29f33579996aca7a7bb3b713c59246e12368f997d87a58d03136d8e1912de2c772722ea65102962407

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\temp\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\UsageLogs\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\Documents and Settings\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.txt
MD5
42ac10b17dec8f69e4407d67f609d31e

SHA1
1b34d8da6ae28878631afa6e9061c03bfbe4272c

SHA256
0dbe2464ba83217256bfb9831a18d04111439f1330a5a53812e7c9e89a2443dc

SHA512
930462579bb90693c0eb0a8d63dac01f23f2d02eb2ae7d87ea3a368857926a8b9a60fb7e501e0995309fe115e79668a19c56a7bb1e6ea500e6ab407b6c56ec0e

Download Submit
memory/872-132-0x00007FF686140000-0x00007FF6864C1000-memory.dmp

Filesize
3.5MB

Download
memory/2228-130-0x00007FF686140000-0x00007FF6864C1000-memory.dmp

Filesize
3.5MB

Download
memory/2660-131-0x00007FF686140000-0x00007FF6864C1000-memory.dmp

Filesize
3.5MB

Download
memory/2744-134-0x000001D9915C0000-0x000001D9915C1000-memory.dmp

Filesize
4KB

Download
memory/2744-133-0x000001D9915F0000-0x000001D9915F8000-memory.dmp

Filesize
32KB

Download
memory/2744-160-0x000001D991430000-0x000001D991438000-memory.dmp

Filesize
32KB

Download
memory/2744-161-0x000001D9913C0000-0x000001D9913C1000-memory.dmp

Filesize
4KB

Download
memory/2744-201-0x000001D991430000-0x000001D991438000-memory.dmp

Filesize
32KB

Download
memory/2744-202-0x000001D9913C0000-0x000001D9913C1000-memory.dmp

Filesize
4KB

Download