ryuk | a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd

Analysis

max time kernel
161s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
20-02-2022 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe
Size

201KB
MD5

bf39de2f9f4f5070199213161d9d6c05
SHA1

5ce23ef35396f777855f7a3b05e47329cc7226b7
SHA256

a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd
SHA512

1c0c591c5fdb65fc33c2ded6e89ab65aac5f45996068ca2e0b0d8a56d56371f9c104cfa15641af7bee4127a92d69fa5ed43a7f8dd8bc251440ea8b513e262cd9

Score

10^/10

ryuk persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 1 IoCs

Processes:

kuKnEoN.exe

pid process

3716 kuKnEoN.exe

pid	process
3716	kuKnEoN.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exekuKnEoN.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	kuKnEoN.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Windows\\system32\\sihost.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kuKnEoN.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4836 2744 WerFault.exe DllHost.exe

pid	pid_target	process	target process
4836	2744	WerFault.exe	DllHost.exe

Modifies registry class 64 IoCs

Processes:

RuntimeBroker.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fbd2237f-ecf3-4603-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\33486878-55c3-4e20- = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\acda46dc-effb-4ab2- = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\566b3109-38c5-4424- = "8324"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\df2edde2-581b-47d8-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\203ac902-c5f6-4f9a- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\acda46dc-effb-4ab2- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\a2495988d95aab725d53daf974b376eee82c7d3044b3b549e237dbd5a08d00a4"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\566b3109-38c5-4424- = 6a09bebf1726d801	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\88407c7c-a4f5-4859- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0fa6a186-e9b4-4a27- = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38b64632-4248-40fd- = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000046199ebf1726d80146199ebf1726d80146199ebf1726d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005454ed282000393836633933376362613031316166653237303832376164373135336134666337353030623939373135663466333162643933306566373665326531623436320000b20009000400efbe5454ed285454ed282e00000000000000000000000000000000000000000000000000bae1b100390038003600630039003300370063006200610030003100310061006600650032003700300038003200370061006400370031003500330061003400660063003700350030003000620039003900370031003500660034006600330031006200640039003300300065006600370036006500320065003100620034003600320000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000007f50e18f1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c39383663393337636261303131616665323730383237616437313533613466633735303062393937313566346633316264393330656637366532653162343632000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d6052e17f19083ec1182d076ad6bda0df8bad9b5dc40371b4eb595e9fc647d27d6052e17f19083ec1182d076ad6bda0df8ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\acda46dc-effb-4ab2-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\acda46dc-effb-4ab2- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000009304aabf1726d8019304aabf1726d8019304aabf1726d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005454ed282000613234393539383864393561616237323564353364616639373462333736656565383263376433303434623362353439653233376462643561303864303061340000b20009000400efbe5454ed285454ed282e000000000000000000000000000000000000000000000000006df6a500610032003400390035003900380038006400390035006100610062003700320035006400350033006400610066003900370034006200330037003600650065006500380032006300370064003300300034003400620033006200350034003900650032003300370064006200640035006100300038006400300030006100340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000007f50e18f1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c61323439353938386439356161623732356435336461663937346233373665656538326337643330343462336235343965323337646264356130386430306134000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d6062e17f19083ec1182d076ad6bda0df8bad9b5dc40371b4eb595e9fc647d27d6062e17f19083ec1182d076ad6bda0df8ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\566b3109-38c5-4424-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3660e7cc-43ca-43e6-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82ee2ada-cec2-4d72- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7ac56ac6088d2866672963a8250dcfbb3526d3a51b9a3e861858925e66dc0f54"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82ee2ada-cec2-4d72-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\33486878-55c3-4e20- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\3ef29ceccf6a26e1eee4948e2a2173e657e681ba1e567da217e4a62103c10cb2"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\203ac902-c5f6-4f9a-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\203ac902-c5f6-4f9a- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\566b3109-38c5-4424- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\88407c7c-a4f5-4859- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82ee2ada-cec2-4d72-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38b64632-4248-40fd-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\acda46dc-effb-4ab2- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0fa6a186-e9b4-4a27-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82ee2ada-cec2-4d72- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\33486878-55c3-4e20- = 7e588abf1726d801	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\566b3109-38c5-4424- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000f1f0b5bf1726d801f1f0b5bf1726d801f1f0b5bf1726d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005454ed282000313463626232303731363461383933383363366139636563303831336337616263303832326439393766396533656434643364366639663764366138613061660000b20009000400efbe5454ed285454ed282e000000000000000000000000000000000000000000000000000f0a9a00310034006300620062003200300037003100360034006100380039003300380033006300360061003900630065006300300038003100330063003700610062006300300038003200320064003900390037006600390065003300650064003400640033006400360066003900660037006400360061003800610030006100660000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000007f50e18f1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c31346362623230373136346138393338336336613963656330383133633761626330383232643939376639653365643464336436663966376436613861306166000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d6072e17f19083ec1182d076ad6bda0df8bad9b5dc40371b4eb595e9fc647d27d6072e17f19083ec1182d076ad6bda0df8ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0fa6a186-e9b4-4a27- = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82ee2ada-cec2-4d72- = d37f01bf1726d801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38b64632-4248-40fd- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38b64632-4248-40fd- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\acda46dc-effb-4ab2- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\88407c7c-a4f5-4859- = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0fa6a186-e9b4-4a27- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000c69d04c01726d801a6349dc01726d801a6349dc01726d801ab4a11000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005454ed282000336566323963656363663661323665316565653439343865326132313733653635376536383162613165353637646132313765346136323130336331306362320000b20009000400efbe5454ed285454ed282e00000000000000000000000000000000000000000000000000db07d800330065006600320039006300650063006300660036006100320036006500310065006500650034003900340038006500320061003200310037003300650036003500370065003600380031006200610031006500350036003700640061003200310037006500340061003600320031003000330063003100300063006200320000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000007f50e18f1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33656632396365636366366132366531656565343934386532613231373365363537653638316261316535363764613231376534613632313033633130636232000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d6172e17f19083ec1182d076ad6bda0df8bad9b5dc40371b4eb595e9fc647d27d6172e17f19083ec1182d076ad6bda0df8ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\203ac902-c5f6-4f9a- = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38b64632-4248-40fd- = 8e44a6bf1726d801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38b64632-4248-40fd- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\986c937cba011afe270827ad7153a4fc7500b99715f4f31bd930ef76e2e1b462"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\566b3109-38c5-4424-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\566b3109-38c5-4424- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\14cbb207164a89383c6a9cec0813c7abc0822d997f9e3ed4d3d6f9f7d6a8a0af"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d11c1386-4f77-4d65-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\33486878-55c3-4e20- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\203ac902-c5f6-4f9a- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\87d7637bc207a81bdc50fd6c4b9162b8de395cd65525d1f68df3e641fa9d1c17"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\88407c7c-a4f5-4859-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\88407c7c-a4f5-4859- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7ac56ac6088d2866672963a8250dcfbb3526d3a51b9a3e861858925e66dc0f54"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\88407c7c-a4f5-4859- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000d1d8ffbf1726d8014bf9a1c01726d8014bf9a1c01726d801cd3412000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005454ec282000376163353661633630383864323836363637323936336138323530646366626233353236643361353162396133653836313835383932356536366463306635340000b20009000400efbe5454ec285454ec282e000000000000000000000000000000000000000000000000005c223100370061006300350036006100630036003000380038006400320038003600360036003700320039003600330061003800320035003000640063006600620062003300350032003600640033006100350031006200390061003300650038003600310038003500380039003200350065003600360064006300300066003500340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000007f50e18f1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37616335366163363038386432383636363732393633613832353064636662623335323664336135316239613365383631383538393235653636646330663534000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d6102e17f19083ec1182d076ad6bda0df8bad9b5dc40371b4eb595e9fc647d27d6102e17f19083ec1182d076ad6bda0df8ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0fa6a186-e9b4-4a27-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2d9451f8-245c-426a-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82ee2ada-cec2-4d72- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000a4abedbe1726d801a4abedbe1726d801a4abedbe1726d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005454ec282000376163353661633630383864323836363637323936336138323530646366626233353236643361353162396133653836313835383932356536366463306635340000b20009000400efbe5454ec285454ec282e000000000000000000000000000000000000000000000000005c223100370061006300350036006100630036003000380038006400320038003600360036003700320039003600330061003800320035003000640063006600620062003300350032003600640033006100350031006200390061003300650038003600310038003500380039003200350065003600360064006300300066003500340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000007f50e18f1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37616335366163363038386432383636363732393633613832353064636662623335323664336135316239613365383631383538393235653636646330663534000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d6022e17f19083ec1182d076ad6bda0df8bad9b5dc40371b4eb595e9fc647d27d6022e17f19083ec1182d076ad6bda0df8ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38b64632-4248-40fd- = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\acda46dc-effb-4ab2-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\88407c7c-a4f5-4859-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82ee2ada-cec2-4d72- = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\566b3109-38c5-4424- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\33486878-55c3-4e20-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\33486878-55c3-4e20-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\203ac902-c5f6-4f9a- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000f1698dbf1726d801f1698dbf1726d801f1698dbf1726d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005454ed282000383764373633376263323037613831626463353066643663346239313632623864653339356364363535323564316636386466336536343166613964316331370000b20009000400efbe5454ed285454ed282e000000000000000000000000000000000000000000000000000f91c200380037006400370036003300370062006300320030003700610038003100620064006300350030006600640036006300340062003900310036003200620038006400650033003900350063006400360035003500320035006400310066003600380064006600330065003600340031006600610039006400310063003100370000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000007f50e18f1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c38376437363337626332303761383162646335306664366334623931363262386465333935636436353532356431663638646633653634316661396431633137000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d6042e17f19083ec1182d076ad6bda0df8bad9b5dc40371b4eb595e9fc647d27d6042e17f19083ec1182d076ad6bda0df8ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\acda46dc-effb-4ab2- = abc1b6bf1726d801	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\88407c7c-a4f5-4859- = 7c5627c81726d801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0fa6a186-e9b4-4a27- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\3ef29ceccf6a26e1eee4948e2a2173e657e681ba1e567da217e4a62103c10cb2"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82ee2ada-cec2-4d72- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exekuKnEoN.exesihost.exe

pid	process
2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe
2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe
2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe
2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe
3716	kuKnEoN.exe
3716	kuKnEoN.exe
2228	sihost.exe
2228	sihost.exe
2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe
2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe
2228	sihost.exe
2228	sihost.exe
2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe
3716	kuKnEoN.exe
2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe
3716	kuKnEoN.exe
2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe
3716	kuKnEoN.exe
2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe
2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exesihost.exekuKnEoN.exeStartMenuExperienceHost.exe

description	pid	process
Token: SeDebugPrivilege	2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe
Token: SeBackupPrivilege	2228	sihost.exe
Token: SeBackupPrivilege	3716	kuKnEoN.exe
Token: SeBackupPrivilege	2904	StartMenuExperienceHost.exe
Token: SeBackupPrivilege	2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exenet.exenet.exesihost.exekuKnEoN.exenet.exenet.exenet.exenet.execmd.exenet.exenet.exeDllHost.execmd.execmd.exe

description	pid	process	target process
PID 2840 wrote to memory of 3716	2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe	kuKnEoN.exe
PID 2840 wrote to memory of 3716	2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe	kuKnEoN.exe
PID 2840 wrote to memory of 2228	2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe	sihost.exe
PID 2840 wrote to memory of 2244	2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe	svchost.exe
PID 2840 wrote to memory of 2296	2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe	taskhostw.exe
PID 2840 wrote to memory of 2528	2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe	svchost.exe
PID 2840 wrote to memory of 2744	2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe	DllHost.exe
PID 2840 wrote to memory of 2904	2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe	StartMenuExperienceHost.exe
PID 2840 wrote to memory of 2984	2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe	RuntimeBroker.exe
PID 2840 wrote to memory of 3064	2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe	SearchApp.exe
PID 2840 wrote to memory of 2628	2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe	RuntimeBroker.exe
PID 2840 wrote to memory of 3324	2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe	RuntimeBroker.exe
PID 2840 wrote to memory of 2572	2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe	RuntimeBroker.exe
PID 2840 wrote to memory of 4056	2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe	backgroundTaskHost.exe
PID 2840 wrote to memory of 1324	2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe	backgroundTaskHost.exe
PID 2840 wrote to memory of 1580	2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe	net.exe
PID 2840 wrote to memory of 1580	2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe	net.exe
PID 2840 wrote to memory of 2828	2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe	net.exe
PID 2840 wrote to memory of 2828	2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe	net.exe
PID 1580 wrote to memory of 1260	1580	net.exe	net1.exe
PID 2828 wrote to memory of 1780	2828	net.exe	net1.exe
PID 1580 wrote to memory of 1260	1580	net.exe	net1.exe
PID 2828 wrote to memory of 1780	2828	net.exe	net1.exe
PID 2228 wrote to memory of 1424	2228	sihost.exe	net.exe
PID 2228 wrote to memory of 1424	2228	sihost.exe	net.exe
PID 3716 wrote to memory of 2144	3716	kuKnEoN.exe	net.exe
PID 3716 wrote to memory of 2144	3716	kuKnEoN.exe	net.exe
PID 2228 wrote to memory of 2504	2228	sihost.exe	cmd.exe
PID 2228 wrote to memory of 2504	2228	sihost.exe	cmd.exe
PID 1424 wrote to memory of 2512	1424	net.exe	net1.exe
PID 1424 wrote to memory of 2512	1424	net.exe	net1.exe
PID 2228 wrote to memory of 428	2228	sihost.exe	net.exe
PID 2228 wrote to memory of 428	2228	sihost.exe	net.exe
PID 3716 wrote to memory of 4320	3716	kuKnEoN.exe	net.exe
PID 3716 wrote to memory of 4320	3716	kuKnEoN.exe	net.exe
PID 2144 wrote to memory of 4332	2144	net.exe	net1.exe
PID 2144 wrote to memory of 4332	2144	net.exe	net1.exe
PID 428 wrote to memory of 4380	428	net.exe	net1.exe
PID 428 wrote to memory of 4380	428	net.exe	net1.exe
PID 4320 wrote to memory of 4452	4320	net.exe	net1.exe
PID 4320 wrote to memory of 4452	4320	net.exe	net1.exe
PID 2504 wrote to memory of 4460	2504	cmd.exe	reg.exe
PID 2504 wrote to memory of 4460	2504	cmd.exe	reg.exe
PID 2840 wrote to memory of 4844	2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe	cmd.exe
PID 2840 wrote to memory of 4844	2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe	cmd.exe
PID 2840 wrote to memory of 4852	2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe	net.exe
PID 2840 wrote to memory of 4852	2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe	net.exe
PID 2840 wrote to memory of 5196	2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe	net.exe
PID 2840 wrote to memory of 5196	2840	a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe	net.exe
PID 4852 wrote to memory of 5588	4852	net.exe	net1.exe
PID 4852 wrote to memory of 5588	4852	net.exe	net1.exe
PID 5196 wrote to memory of 5612	5196	net.exe	net1.exe
PID 5196 wrote to memory of 5612	5196	net.exe	net1.exe
PID 2744 wrote to memory of 4836	2744	DllHost.exe	WerFault.exe
PID 2744 wrote to memory of 4836	2744	DllHost.exe	WerFault.exe
PID 4844 wrote to memory of 5864	4844	cmd.exe	reg.exe
PID 4844 wrote to memory of 5864	4844	cmd.exe	reg.exe
PID 3716 wrote to memory of 6008	3716	kuKnEoN.exe	cmd.exe
PID 3716 wrote to memory of 6008	3716	kuKnEoN.exe	cmd.exe
PID 6008 wrote to memory of 6060	6008	cmd.exe	reg.exe
PID 6008 wrote to memory of 6060	6008	cmd.exe	reg.exe

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2744 -s 1020
2⤵
- Program crash
PID:4836

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2984

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1324

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:4056

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:2572

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3324

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2628

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3064

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2528

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2244

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2512

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\sihost.exe" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\sihost.exe" /f
3⤵
- Adds Run key to start application
PID:4460

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:428

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe
"C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840

C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe
"C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe" 8 LAN
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
4⤵
PID:4332

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:4452

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:6008

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe" /f
4⤵
- Adds Run key to start application
PID:6060

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1260

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1780

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe" /f
3⤵
- Adds Run key to start application
PID:5864

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4852

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5588

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5196

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5612

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 2744 -ip 2744
1⤵
PID:4804

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 2904 -ip 2904
1⤵
PID:4812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK
MD5
ddde381b9d59d0ecb83d4594e4d85d37

SHA1
62a293f71be844edb870cb4d8641d701b2b8c85e

SHA256
930da77c6ad6e5e9ff3105cb5c2bcdeb23a31485df4eb9ca0d97a32c2fda1497

SHA512
fe858f4b53540f8b71c2127f268861e3658391612500407f98582212ff8f60401dc4be7a1286b7f1a7df425328ae853d2ca807fa06a0312003031ee88228a130

Download Submit
C:\Documents and Settings\Admin\.oracle_jre_usage\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Documents and Settings\Admin\3D Objects\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK
MD5
fc52c9fdbae51880a7533bfcc0e299e5

SHA1
9b98afb83db15ba5b73822e6d73d044957e79d5e

SHA256
3cfbc30f997461a52917b267665246f12e7df8667b55c7401533a45788701111

SHA512
7b50fb820aae835fddf6495c6b99cdb351c301dab3039b53daada3a06902b085a58dafcc24d39205922dd6e6338f691b814c8b8740ef094e6a37611fdaa71ec7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK
MD5
c14ac2739541090d8fb4055f8d3179fb

SHA1
3fd89a21a51026d42555e394f4090db4033beaa6

SHA256
b8818e8b17a1f56f66748b04e03fa91a93ec06ed4361ce5f2dd29e5857204694

SHA512
1fbe113c403a268b33e8b9f59014ed3334f45486b91bb3e15c4c020b4d7cdf10ddee0a02cd285ab1c4f4218fe29afa4b8ab20bdd1ed4839cf37eccc12f1355aa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK
MD5
ee95b77b98e3b679450f0fbefd77d9c6

SHA1
c16e7b2d4d3ac88b8c032cb6e0c42ba35527099d

SHA256
a3d3f9b920c90c8e6af01a8f71006804a9e23b6e24658fe28f2c9f0435f87948

SHA512
64cafb2f75eb8facbee591620462cc1db3e819c1d96c110105babcaf5e178b4f0edc014495e1d720402230466339ef30217641d24c5fc9d99fc6f108efef8ade

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
MD5
7af6840984fb27debe3e29121aa7cf76

SHA1
c6b0c98c3196e27a96f36752782e18acf3917166

SHA256
3e6653300396a43d2011bbd56844a00da6b4d882a6d906017b5a2376f31d5614

SHA512
cc14ef94687c83becb967d724657a3cb37a3b8920b26f4535522105b4434fcec9bf6ed640b82344ef5b4408bbfba90e4e097383d4857c733eafc789973ca2613

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
MD5
e465141175092b041fad92077ee8fbb8

SHA1
c6543e21d391b95dbe5fafc059f29f954b54dcd7

SHA256
690cba06db57489d6cc80446b96db800e353c95e847d537edf91c686c9819139

SHA512
42b99fe70f3660c47da5c52b8027446c618b738968c795f1638f673a282a2d4dd503c63e52b9679165de02ab7f9070a140a47ac190a13f46bd68d059ba06dc41

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol
MD5
01947cf2a2fee17cbd0d74fff4170450

SHA1
7d731831c9526c30fd44e8e7815246fcc14a2b14

SHA256
34421a9294b2e0828a0bc7328960ca89f67af10af801144e2d71cefb20d20a7c

SHA512
37cf51cb837828991f81010d00eade1cd29cdb4c1a5acd0828dcd0b5e4a14a5a0973442c807d4fad1f84ad30366c78e590e987bcc97eae58539c1b58516a4700

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db.RYK
MD5
03d68def5df8096c289123431913602d

SHA1
612ba61a0dc89b1e5f208fb2e1873e73abcde4aa

SHA256
a9ac709db261d0588fb48273576d55d3082121df54fdd77a54310f0feeb75dbd

SHA512
7f5240264587c93295c87b2138c1b3631764d33b0017689a4af144149d2fc7886628abb2f7c2319015333cdf4e5ebb3e49b0e471c88ce7013c9d84487a50d433

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\AdobeSFX.log.RYK
MD5
8629d11e8a83824149376f80e71e93b9

SHA1
f0e2dc834f3f6e607ce7149a72f486ace04eef87

SHA256
fd45e9cdad450bf85644d81afe120331ff1a889955ac6d4b3a73d798c8dd946c

SHA512
95b8645b9c650ae9d08f44b7945017591f1cde0ea2feb12bcbd256d6f1a0e8fa52b66776be8fb551e76d123f32e28c52fa195e4b797718a745b2db5af248dc88

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\DO775D.tmp
MD5
a4c6a43fcc79345164e0cd5e82779da9

SHA1
2cec78808c6cecf30da30279de7a196c4d42c525

SHA256
a1c5ba26e2d3ef189a461a9b4eccf18262194d34fd1e9bfef8c7a6e7578bf74f

SHA512
0e6051c487e16becdbfcae209a0e9cdb0bb1ce3cc7fc6d1ec2f79c62c9f72af4c12f51c25d419a8b0d11e8fadcd68efa839069c04c3460565d8c0e62a511280d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log.RYK
MD5
666ae765a2e735ab65e0a6e3152508af

SHA1
af58ff00ad8f939ae38c4899febd5e3161045511

SHA256
8b12871430f0ab92f87e3940a68d615a01298a883931ef4b0836fc091af07d47

SHA512
a3654cb034395ec7b43a97a6fcbedd88b3d9c49100aa6e1bb51f38e65af8e8af588cd6cdd7618256464b3c724e6a467f8a611d57ceffef360eab7aa241a472a8

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\aria-debug-2324.log
MD5
7b09bbe914ea2f8a2f0a0f93bfc3fc93

SHA1
06e18e29452830b545e7156ae8167ad808e3fefc

SHA256
975de8badea2bfd72a972b71561f525398c71fe165384b36070a76a55478e8d5

SHA512
e13490dc6f118dbe0a89fbe92ea9c9bb368a7436502819669da5355de9be7ee2658cea28dc07b57d292947e4be7993216f585c9ae278e1ab21acfb9f9a96ae05

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
MD5
f96ccc9ebacadded1af084d4d9af47f7

SHA1
690252586a1295012a01a8caba27a3120022bf72

SHA256
0322188cee23842241755a1425a8948609282976041c12738acd20ad220fcec6

SHA512
259b02cf18089c7cdf95c4c7d7359c5f7c30948f6134b1baf4f97aa15536ee3102952ed376e7236216776e745d246c96e16e5becf2a0446919e4dc562bb2d95e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46A8.txt
MD5
772a4a1431819315bc451d77d597186b

SHA1
6827e21ef2fe06976e17fc4b6e7dc5e6607c3564

SHA256
6fbd30174e73593a1c613f1cbdf002be11a2c6bf1fda603b93e01b319086d296

SHA512
ac2064c91c1fdd0c9aeff692e02cad5a14aa957c11f5c93c90fbb195fb8b15701c6b08535bc7ac6ef1d5dc7755d2f02b9cde5d5b8199aa98681d100216085cf5

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46E0.txt
MD5
6162d56267c0f4815abbe0450e4c7a4a

SHA1
12943dc2e488d2d14586d937017d2cbf797910b6

SHA256
0fe65a463816710c2828430e84844208af038d9f66868c260f2f39c74b00794c

SHA512
3e3c525bae27d18f079febd90001bd630c982ccf5a7a8a9af2ffa103f835ded48f533a1129d2e981f18ab2f7bf5e7871f3a3b50d5b98fd274bc993da825fa327

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log.RYK
MD5
74284426f0aad31ee00508968d50d947

SHA1
cbbb8e41887c2ab7e7b36701185293021f153ba3

SHA256
c7d7b82a9a355b791148f934d2958aa1f441af8e6b93ba3ad6bad1b2373f857b

SHA512
6bfce3c1fe5b63e45623eff2e572b699ed1545c04872d685920988d66c3ac257b15f6ea0a7b25cd0f33663324d7b9570a9fd650b1246b4d56b66236ce3d8950d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\msedge_installer.log
MD5
511afeec9125b8ffa946d5e34ea0b8e6

SHA1
e1451c2ed9485dee2c1be6cb4654e0782eb12ddd

SHA256
1c9d263d6b2431f4cc8add1481af3d9591d4e0c4b3dd1ec08805f80deb778ef3

SHA512
143955eec904472f756cee52ca268676d1b8d0aaf74b0ccbd6f4e3424cdbf31f0ff47d004247016a9555909794ceb659e6d997bd0326873e4590375d3949bc8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\offline.RYK
MD5
b38207e02b1384006cc1c9e83931d059

SHA1
f92907d9e7a236db58fca346aec666bab20cd025

SHA256
6687abe889fa188eb5c9c40e71b0eaaf7717e1b628e5324148aee42819a6cf8c

SHA512
16b311f78a24ddf43358e24a5cf730ac759c3e270dc787ef9956f2977bdf821b712656d4b71c545893835c12617bdac57d6981912ed8bddaabecf070a4d9a5bc

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\offline.session64.RYK
MD5
cfc819a77b468f0d901716d8848088e2

SHA1
70f0e9352199d9510b312f7f2c90392aa4affbaa

SHA256
ad9cb00f453e2e066a95394c43cd1df7bacc056dbf4463895b8d014fe6ceec2e

SHA512
43a8cd99ff0d9e506468c0dc86e280534ada00f0b6c3f561d0694c192334c18b1f5aab75ba0dc719191656ff778757875acd0130047458f278bf8a8bc323f59b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tmp3097.tmp.RYK
MD5
ac45355c821e3eb16e6e2dbd06ec5219

SHA1
30e40b96a547809191f1e3f2b29a266ffbea3275

SHA256
91c26386d265c8e3f156f7d0f2a3abd3e2d54861eb480861f88ae1fc5c73366f

SHA512
3a4d36dd00f5de3925e790279837ac66e369177e9fac12cc0d967c564fcd049af7cdf648855fd6f74eba529d824071b719ad6b7005a958ed92a1bbea174221a3

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct2BC9.tmp.RYK
MD5
0c28081fe4c89fd760e620de1bb1dfa0

SHA1
9dbb5bf424e1ffe792640837dd1914960cb1c48d

SHA256
d4fd7092e3eea445f2dbc87c07ec14391bd4bf5145a9f577099ba7f978741029

SHA512
c3a46bf414a994f050892efb8c43b0d03bd551bf3d297922867a16513205b91020e5a09f27a60981c988ac6d0aac231ac6bcfe6db4cefa599ff262970ff87ec4

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct2D5A.tmp.RYK
MD5
61c8e4f7b852938c801b0d1601ed7402

SHA1
18fa616d0d93bd53bb75a3f6d492022f72601e75

SHA256
140f0e5302b554ad239a34acce06d164056e04452ece5d1bc3a69ec0876985d8

SHA512
ab825da31bcd004516ec5fd0aaeb3396bf515b17479370c47e69f82b99560b7e88056333377cd709a42eb773d3fbd7ca06b3973dcb20877b43aaa0ec8795597d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wctCE8B.tmp.RYK
MD5
b1e701d9da48310ce7d05a4efe080e9a

SHA1
1dc5589f218676242b4e2d96e276ff95edbd1316

SHA256
1ce91284c63638a448431a7088129db9480308c76b4d012d265ae92e10ca9f0b

SHA512
e35daad556738e6142f175b4cd01072b0407c5f25f30a285bf5751686c91e96cf658a0f3feee60f9b589e4ec72c0fc3d01b095c093b706e118c2dd74c453762e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log.RYK
MD5
c98b812421babbda1b182f442ac80c5a

SHA1
d3ad1b9e65cf58a27fb35e01d11affa09cd413f0

SHA256
2e7c80429da672344a0b262d378e4f3cdcb898293d397706fca528c5f9b965e0

SHA512
d2af18ef6e3cf4a870b465f430cf74bbf8f2abab3ebe5935573bddf947693a447bfa241e4921eba8ce71930d83005582b6df87c45d777626fedbca1364c91f1e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jcp.RYK
MD5
0fc960afaceea8e7ff40c4096e2b949a

SHA1
42416a3fccdd3088dbde4e7e96b83d3ca8e785d3

SHA256
10261cbe3020dba52ebb0070302f8de393c10630aeac446d26019622085f002b

SHA512
a56ffe5ffbebde92fe68fe829b358b01234145218382d84c20cac62a7596f8873a3239c62875e78c212240cf203f692df222e9e323be7ae51d23ce81215faaf7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx.RYK
MD5
e94855c6d0d2e9a1484c92a935cf28f3

SHA1
671cb793b07bdc0542202e2e1f5da9f4a437b34f

SHA256
c2fe10ab426efe7eddd48d6b07755ae7d6cb64d62b2e057be7d73e67e3c7dc75

SHA512
1e2b775a20716ec0dc764e3af178403dd4ee3d011a1228bd71f0399b392fb6df2d6113cd0cd4f32bf9b5bae03f23b3d2ebe152b5ea292f8b80a411be180ee21e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm.RYK
MD5
b4c0b01591fc08d0298762f1cc8c9391

SHA1
9c305f208546f0a837f9988da6ca0cecb3e9e1fa

SHA256
aa74a926bed6b5e0dd0b80054163e72f1e961c3475dcf14c1aefbd1b7bc75543

SHA512
982d7e6cf81444c36c5c2398545def291d0ae306ac573d2aa0b1cf0fbeddea4ac6e088ea923500c59d6940f0f97007ebe27c315b901ed8a0b8a4497088be43b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\temp\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\L.Admin.cdp.RYK
MD5
3e30e3348701151a422e888c242e531f

SHA1
a570c04f334c71add3afcb8afbb54db009663cff

SHA256
44c741fca649169368181dafc144b64192397fd9bfe83306fd68640bf1bd51c4

SHA512
0d9fa1e7c5959dc4f9b3769cc7e1e033597e2bf5e734c22c4e86cfa288811675d42fe7130a0b8b4448854d6be7e6351c86506a3b302c572e2f6c4bd141fbe322

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\History.IE5\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Documents and Settings\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5
6f70bd719ac455e38eedebeee08cb8fd

SHA1
96cd971b86074d3defd677ee952256a4048d6949

SHA256
541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f

SHA512
1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe
MD5
bf39de2f9f4f5070199213161d9d6c05

SHA1
5ce23ef35396f777855f7a3b05e47329cc7226b7

SHA256
a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd

SHA512
1c0c591c5fdb65fc33c2ded6e89ab65aac5f45996068ca2e0b0d8a56d56371f9c104cfa15641af7bee4127a92d69fa5ed43a7f8dd8bc251440ea8b513e262cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe
MD5
bf39de2f9f4f5070199213161d9d6c05

SHA1
5ce23ef35396f777855f7a3b05e47329cc7226b7

SHA256
a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd

SHA512
1c0c591c5fdb65fc33c2ded6e89ab65aac5f45996068ca2e0b0d8a56d56371f9c104cfa15641af7bee4127a92d69fa5ed43a7f8dd8bc251440ea8b513e262cd9

Download Submit
memory/2228-132-0x00007FF6B4F60000-0x00007FF6B50D5000-memory.dmp

Filesize
1.5MB

Download
memory/2744-195-0x00000265DB370000-0x00000265DB378000-memory.dmp

Filesize
32KB

Download
memory/2744-196-0x00000265DAEF0000-0x00000265DAEF1000-memory.dmp

Filesize
4KB

Download
memory/2744-197-0x00000265DB1F0000-0x00000265DB1F8000-memory.dmp

Filesize
32KB

Download
memory/2744-198-0x00000265DB040000-0x00000265DB041000-memory.dmp

Filesize
4KB

Download