Malware Analysis Report

2024-10-23 18:37

Sample ID 220220-ehe8qagdf6
Target a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd
SHA256 a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd
Tags
ryuk persistence ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd

Threat Level: Known bad

The file a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd was found to be: Known bad.

Malicious Activity Summary

ryuk persistence ransomware

Ryuk

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Runs net.exe

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-20 03:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-20 03:56

Reported

2022-02-20 04:09

Platform

win7-en-20211208

Max time kernel

158s

Max time network

59s

Command Line

"taskhost.exe"

Signatures

Ryuk

ransomware ryuk

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\YJIvUXj.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YJIvUXj.exe" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Windows\\system32\\taskhost.exe" C:\Windows\system32\reg.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YJIvUXj.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\YJIvUXj.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\taskhost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1716 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Users\Admin\AppData\Local\Temp\YJIvUXj.exe
PID 1716 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Windows\system32\taskhost.exe
PID 1716 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Windows\System32\net.exe
PID 1716 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Windows\System32\net.exe
PID 1716 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Windows\system32\Dwm.exe
PID 1248 wrote to memory of 1824 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 872 wrote to memory of 896 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1716 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Windows\System32\cmd.exe
PID 1256 wrote to memory of 1064 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1716 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Windows\System32\net.exe
PID 1256 wrote to memory of 2040 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\cmd.exe
PID 1980 wrote to memory of 1072 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1064 wrote to memory of 988 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 576 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\YJIvUXj.exe C:\Windows\System32\net.exe
PID 1356 wrote to memory of 2012 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2040 wrote to memory of 304 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1056 wrote to memory of 1764 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 576 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\YJIvUXj.exe C:\Windows\System32\cmd.exe
PID 3864 wrote to memory of 3888 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe

"C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe"

C:\Users\Admin\AppData\Local\Temp\YJIvUXj.exe

"C:\Users\Admin\AppData\Local\Temp\YJIvUXj.exe" 8 LAN

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe" /f

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YJIvUXj.exe" /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YJIvUXj.exe" /f

Network

Country Destination Domain Proto
N/A 10.127.0.1:7 udp
NL 154.61.71.13:7 udp
N/A 224.0.0.22:7 udp
N/A 224.0.0.252:7 udp
N/A 239.255.255.250:7 udp

Files

memory/1716-55-0x000007FEFBE21000-0x000007FEFBE23000-memory.dmp

\Users\Admin\AppData\Local\Temp\YJIvUXj.exe

MD5 bf39de2f9f4f5070199213161d9d6c05
SHA1 5ce23ef35396f777855f7a3b05e47329cc7226b7
SHA256 a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd
SHA512 1c0c591c5fdb65fc33c2ded6e89ab65aac5f45996068ca2e0b0d8a56d56371f9c104cfa15641af7bee4127a92d69fa5ed43a7f8dd8bc251440ea8b513e262cd9

C:\Users\Admin\AppData\Local\Temp\YJIvUXj.exe

MD5 bf39de2f9f4f5070199213161d9d6c05
SHA1 5ce23ef35396f777855f7a3b05e47329cc7226b7
SHA256 a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd
SHA512 1c0c591c5fdb65fc33c2ded6e89ab65aac5f45996068ca2e0b0d8a56d56371f9c104cfa15641af7bee4127a92d69fa5ed43a7f8dd8bc251440ea8b513e262cd9

memory/1256-59-0x000000013FEA0000-0x0000000140015000-memory.dmp

memory/1256-61-0x000000013FEA0000-0x0000000140015000-memory.dmp

memory/1360-62-0x000000013FEA0000-0x0000000140015000-memory.dmp

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a

MD5 93a5aadeec082ffc1bca5aa27af70f52
SHA1 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256 a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SHA512 df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

C:\RyukReadMe.html

MD5 6f70bd719ac455e38eedebeee08cb8fd
SHA1 96cd971b86074d3defd677ee952256a4048d6949
SHA256 541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f
SHA512 1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

MD5 6f70bd719ac455e38eedebeee08cb8fd
SHA1 96cd971b86074d3defd677ee952256a4048d6949
SHA256 541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f
SHA512 1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

C:\Documents and Settings\RyukReadMe.html

MD5 6f70bd719ac455e38eedebeee08cb8fd
SHA1 96cd971b86074d3defd677ee952256a4048d6949
SHA256 541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f
SHA512 1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

C:\Documents and Settings\Admin\RyukReadMe.html

MD5 6f70bd719ac455e38eedebeee08cb8fd
SHA1 96cd971b86074d3defd677ee952256a4048d6949
SHA256 541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f
SHA512 1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.html

MD5 6f70bd719ac455e38eedebeee08cb8fd
SHA1 96cd971b86074d3defd677ee952256a4048d6949
SHA256 541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f
SHA512 1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

MD5 6f70bd719ac455e38eedebeee08cb8fd
SHA1 96cd971b86074d3defd677ee952256a4048d6949
SHA256 541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f
SHA512 1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html

MD5 6f70bd719ac455e38eedebeee08cb8fd
SHA1 96cd971b86074d3defd677ee952256a4048d6949
SHA256 541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f
SHA512 1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html

MD5 6f70bd719ac455e38eedebeee08cb8fd
SHA1 96cd971b86074d3defd677ee952256a4048d6949
SHA256 541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f
SHA512 1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Color\Profiles\RyukReadMe.html

MD5 6f70bd719ac455e38eedebeee08cb8fd
SHA1 96cd971b86074d3defd677ee952256a4048d6949
SHA256 541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f
SHA512 1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

MD5 6f70bd719ac455e38eedebeee08cb8fd
SHA1 96cd971b86074d3defd677ee952256a4048d6949
SHA256 541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f
SHA512 1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Acrobat\9.0\Cache\RyukReadMe.html

MD5 6f70bd719ac455e38eedebeee08cb8fd
SHA1 96cd971b86074d3defd677ee952256a4048d6949
SHA256 541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f
SHA512 1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.html

MD5 6f70bd719ac455e38eedebeee08cb8fd
SHA1 96cd971b86074d3defd677ee952256a4048d6949
SHA256 541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f
SHA512 1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html

MD5 6f70bd719ac455e38eedebeee08cb8fd
SHA1 96cd971b86074d3defd677ee952256a4048d6949
SHA256 541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f
SHA512 1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html

MD5 6f70bd719ac455e38eedebeee08cb8fd
SHA1 96cd971b86074d3defd677ee952256a4048d6949
SHA256 541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f
SHA512 1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst

MD5 c9c0f27945c7be39727b1d0475ea9eb7
SHA1 f584355467b106e8fee27f4af6d6a1994a9f7e04
SHA256 2d346078a4131dc1ca3504b5e7c1ce2ed037d817bd6075ef9720560aa3dfe6f3
SHA512 87dd29fcdc972bcf647754fa9523a9d3d1db815e13cec3ebdd57664ac06d26b30437958f6cc5d37d24f28757d8196a93949da8669febd42eb8a62ae4cc2f89c8

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Adobe\Color\Profiles\wsRGB.icc

MD5 57f8d2e78630dbcfb777ce32ff02e0f1
SHA1 b2f12da1d934e3c15e2fb3bf1ff7f6329ce3f1e1
SHA256 5d28efe7a336af345fb5e6185785b7abb683aca9cdd9d03eb70f118c1ca8bae1
SHA512 caac9738687ae75e56262734ccd0fb2c232079f56dd119b494f3c703e5e529fee3b40b65d8449c79d75e0fbd504cadb8d4249497384fb0830d09f46abf3e10ee

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wscRGB.icc

MD5 73eef844b819a078276ab1665c4ca01e
SHA1 b5f9c078df15fe3d0b0e9a1691b2bb48dc600f13
SHA256 9a0e5dc88e32ecfddb3325dc17d4e5f892786ee8b4189a7dd34ffa6da4257b12
SHA512 68188f1bdadf26a95ecba61dbe18acccd2b27f8686fc63216cfd159c1bfda5c440e2beaee9e8fca55547ac5cb87e09685855a095f7948ab6c40eaef5c50b3be0

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.html

MD5 6f70bd719ac455e38eedebeee08cb8fd
SHA1 96cd971b86074d3defd677ee952256a4048d6949
SHA256 541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f
SHA512 1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.html

MD5 6f70bd719ac455e38eedebeee08cb8fd
SHA1 96cd971b86074d3defd677ee952256a4048d6949
SHA256 541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f
SHA512 1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Admin.bmp

MD5 5bc3a428e34bb10be002b6feb47f3293
SHA1 c7722a992f46b9e8ee748fd744aa69f0eadaba95
SHA256 b2ae4010f21d774c38ae44577dadab546abe8b5c1dc95f2350bf1e0bbbc1b5df
SHA512 756e39ef591aa960ad6811677454ec1c87142ed602332ce46891d96f5f5da407814a8a2cfb6558d5bd4837d448947507bfcff40071322c3c926f84de39273403

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-20 03:56

Reported

2022-02-20 04:10

Platform

win10v2004-en-20220112

Max time kernel

161s

Max time network

199s

Command Line

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

Signatures

Ryuk

ransomware ryuk

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Windows\\system32\\sihost.exe" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kuKnEoN.exe" C:\Windows\system32\reg.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\system32\WerFault.exe C:\Windows\system32\DllHost.exe

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fbd2237f-ecf3-4603- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\33486878-55c3-4e20- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\acda46dc-effb-4ab2- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\566b3109-38c5-4424- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\df2edde2-581b-47d8- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\203ac902-c5f6-4f9a- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\acda46dc-effb-4ab2- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\a2495988d95aab725d53daf974b376eee82c7d3044b3b549e237dbd5a08d00a4" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\566b3109-38c5-4424- = 6a09bebf1726d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\88407c7c-a4f5-4859- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0fa6a186-e9b4-4a27- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38b64632-4248-40fd- = 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 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\acda46dc-effb-4ab2- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\acda46dc-effb-4ab2- = 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 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\566b3109-38c5-4424- C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3660e7cc-43ca-43e6- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82ee2ada-cec2-4d72- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7ac56ac6088d2866672963a8250dcfbb3526d3a51b9a3e861858925e66dc0f54" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82ee2ada-cec2-4d72- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\33486878-55c3-4e20- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\3ef29ceccf6a26e1eee4948e2a2173e657e681ba1e567da217e4a62103c10cb2" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\203ac902-c5f6-4f9a- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\203ac902-c5f6-4f9a- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\566b3109-38c5-4424- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\88407c7c-a4f5-4859- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82ee2ada-cec2-4d72- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38b64632-4248-40fd- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\acda46dc-effb-4ab2- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0fa6a186-e9b4-4a27- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82ee2ada-cec2-4d72- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\33486878-55c3-4e20- = 7e588abf1726d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\566b3109-38c5-4424- = 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 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0fa6a186-e9b4-4a27- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82ee2ada-cec2-4d72- = d37f01bf1726d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38b64632-4248-40fd- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38b64632-4248-40fd- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\acda46dc-effb-4ab2- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\88407c7c-a4f5-4859- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0fa6a186-e9b4-4a27- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\203ac902-c5f6-4f9a- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38b64632-4248-40fd- = 8e44a6bf1726d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38b64632-4248-40fd- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\986c937cba011afe270827ad7153a4fc7500b99715f4f31bd930ef76e2e1b462" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\566b3109-38c5-4424- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\566b3109-38c5-4424- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\14cbb207164a89383c6a9cec0813c7abc0822d997f9e3ed4d3d6f9f7d6a8a0af" C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d11c1386-4f77-4d65- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\33486878-55c3-4e20- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\203ac902-c5f6-4f9a- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\87d7637bc207a81bdc50fd6c4b9162b8de395cd65525d1f68df3e641fa9d1c17" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\88407c7c-a4f5-4859- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\88407c7c-a4f5-4859- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7ac56ac6088d2866672963a8250dcfbb3526d3a51b9a3e861858925e66dc0f54" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\88407c7c-a4f5-4859- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000d1d8ffbf1726d8014bf9a1c01726d8014bf9a1c01726d801cd3412000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061
006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005454ec282000376163353661633630383864323836363637323936336138323530646366626233353236643361353162396133653836313835383932356536366463306635340000b20009000400efbe5454ec285454ec282e000000000000000000000000000000000000000000000000005c223100370061006300350036006100630036003000380038006400320038003600360036003700320039003600330061003800320035003000640063006600620062003300350032003600640033006100350031006200390061003300650038003600310038003500380039003200350065003600360064006300300066003500340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000007f50e18f1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37616335366163363038386432383636363732393633613832353064636662623335323664336135316239613365383631383538393235653636646330663534000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d6102e17f19083ec1182d076ad6bda0df8bad9b5dc40371b4eb595e9fc647d27d6102e17f19083ec1182d076ad6bda0df8ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700
310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0fa6a186-e9b4-4a27- C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2d9451f8-245c-426a- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82ee2ada-cec2-4d72- C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38b64632-4248-40fd- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\acda46dc-effb-4ab2- C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\88407c7c-a4f5-4859- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82ee2ada-cec2-4d72- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\566b3109-38c5-4424- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\33486878-55c3-4e20- C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\33486878-55c3-4e20- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\203ac902-c5f6-4f9a- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000f1698dbf1726d801f1698dbf1726d801f1698dbf1726d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061
006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005454ed282000383764373633376263323037613831626463353066643663346239313632623864653339356364363535323564316636386466336536343166613964316331370000b20009000400efbe5454ed285454ed282e000000000000000000000000000000000000000000000000000f91c200380037006400370036003300370062006300320030003700610038003100620064006300350030006600640036006300340062003900310036003200620038006400650033003900350063006400360035003500320035006400310066003600380064006600330065003600340031006600610039006400310063003100370000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000007f50e18f1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c38376437363337626332303761383162646335306664366334623931363262386465333935636436353532356431663638646633653634316661396431633137000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d6042e17f19083ec1182d076ad6bda0df8bad9b5dc40371b4eb595e9fc647d27d6042e17f19083ec1182d076ad6bda0df8ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700
310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\acda46dc-effb-4ab2- = abc1b6bf1726d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\88407c7c-a4f5-4859- = 7c5627c81726d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0fa6a186-e9b4-4a27- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\3ef29ceccf6a26e1eee4948e2a2173e657e681ba1e567da217e4a62103c10cb2" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82ee2ada-cec2-4d72- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe N/A
N/A N/A C:\Windows\system32\sihost.exe N/A
N/A N/A C:\Windows\system32\sihost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe N/A
N/A N/A C:\Windows\system32\sihost.exe N/A
N/A N/A C:\Windows\system32\sihost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2840 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe
PID 2840 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe
PID 2840 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Windows\system32\sihost.exe
PID 2840 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Windows\system32\svchost.exe
PID 2840 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Windows\system32\taskhostw.exe
PID 2840 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Windows\system32\svchost.exe
PID 2840 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Windows\system32\DllHost.exe
PID 2840 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2840 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Windows\System32\RuntimeBroker.exe
PID 2840 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2840 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Windows\System32\RuntimeBroker.exe
PID 2840 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Windows\System32\RuntimeBroker.exe
PID 2840 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Windows\System32\RuntimeBroker.exe
PID 2840 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2840 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2840 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Windows\System32\net.exe
PID 2840 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Windows\System32\net.exe
PID 2840 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Windows\System32\net.exe
PID 2840 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Windows\System32\net.exe
PID 1580 wrote to memory of 1260 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2828 wrote to memory of 1780 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1580 wrote to memory of 1260 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2828 wrote to memory of 1780 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2228 wrote to memory of 1424 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2228 wrote to memory of 1424 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 3716 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe C:\Windows\System32\net.exe
PID 3716 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe C:\Windows\System32\net.exe
PID 2228 wrote to memory of 2504 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\cmd.exe
PID 2228 wrote to memory of 2504 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\cmd.exe
PID 1424 wrote to memory of 2512 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1424 wrote to memory of 2512 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2228 wrote to memory of 428 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2228 wrote to memory of 428 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 3716 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe C:\Windows\System32\net.exe
PID 3716 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe C:\Windows\System32\net.exe
PID 2144 wrote to memory of 4332 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2144 wrote to memory of 4332 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 428 wrote to memory of 4380 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 428 wrote to memory of 4380 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4320 wrote to memory of 4452 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4320 wrote to memory of 4452 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2504 wrote to memory of 4460 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2504 wrote to memory of 4460 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2840 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Windows\System32\cmd.exe
PID 2840 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Windows\System32\cmd.exe
PID 2840 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Windows\System32\net.exe
PID 2840 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Windows\System32\net.exe
PID 2840 wrote to memory of 5196 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Windows\System32\net.exe
PID 2840 wrote to memory of 5196 N/A C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe C:\Windows\System32\net.exe
PID 4852 wrote to memory of 5588 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4852 wrote to memory of 5588 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5196 wrote to memory of 5612 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5196 wrote to memory of 5612 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2744 wrote to memory of 4836 N/A C:\Windows\system32\DllHost.exe C:\Windows\system32\WerFault.exe
PID 2744 wrote to memory of 4836 N/A C:\Windows\system32\DllHost.exe C:\Windows\system32\WerFault.exe
PID 4844 wrote to memory of 5864 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4844 wrote to memory of 5864 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3716 wrote to memory of 6008 N/A C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe C:\Windows\System32\cmd.exe
PID 3716 wrote to memory of 6008 N/A C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe C:\Windows\System32\cmd.exe
PID 6008 wrote to memory of 6060 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 6008 wrote to memory of 6060 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
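
The table above mixes two very different things: PID 2840 (the sample) writing into a dozen long-lived Windows host processes, and ordinary parent-to-child writes that happen whenever a process launches a tool (net.exe into net1.exe, cmd.exe into reg.exe). The script below is an added example for this page, not part of the sandbox's own tooling. It re-parses rows in the report's own "PID X wrote to memory of Y N/A SRC DST" format, collapses the duplicate records, and separates the injection fan-out from the spawn writes; it then checks whether any injected host afterwards spawns tooling itself (sihost.exe launching net.exe and cmd.exe above) or ends in WerFault.exe, which matches the "Program crash" signature. The host, tool and crash-handler lists are heuristics chosen for this example, not a published taxonomy, and the input rows are a constructed subset of the table.

```python
"""Separate injection from ordinary process creation in a WriteProcessMemory table.

Added example for this page; not part of the sandbox report or its tooling.
HOST_PROCESSES / TRANSIENT_TOOLS / CRASH_HANDLERS are assumed heuristic lists.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Long-lived Windows hosts that a fresh process has no business writing into.
HOST_PROCESSES = {"svchost.exe", "sihost.exe", "taskhostw.exe", "dllhost.exe",
                  "runtimebroker.exe", "backgroundtaskhost.exe", "searchapp.exe",
                  "startmenuexperiencehost.exe", "explorer.exe"}
# Short-lived tools: a write from the launching parent is the normal spawn pattern.
TRANSIENT_TOOLS = {"net.exe", "net1.exe", "cmd.exe", "reg.exe", "sc.exe", "taskkill.exe"}
CRASH_HANDLERS = {"werfault.exe"}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe"

# Constructed input: a subset of the table rows above. The first row is repeated
# on purpose, as the sandbox records each write twice.
WPM_ROWS = "\n".join([
    rf"PID 2840 wrote to memory of 3716 N/A {SAMPLE} C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe",
    rf"PID 2840 wrote to memory of 3716 N/A {SAMPLE} C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe",
    rf"PID 2840 wrote to memory of 2228 N/A {SAMPLE} C:\Windows\system32\sihost.exe",
    rf"PID 2840 wrote to memory of 2244 N/A {SAMPLE} C:\Windows\system32\svchost.exe",
    rf"PID 2840 wrote to memory of 2296 N/A {SAMPLE} C:\Windows\system32\taskhostw.exe",
    rf"PID 2840 wrote to memory of 2744 N/A {SAMPLE} C:\Windows\system32\DllHost.exe",
    rf"PID 2840 wrote to memory of 2904 N/A {SAMPLE} C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe",
    rf"PID 2840 wrote to memory of 2984 N/A {SAMPLE} C:\Windows\System32\RuntimeBroker.exe",
    rf"PID 2840 wrote to memory of 4056 N/A {SAMPLE} C:\Windows\system32\backgroundTaskHost.exe",
    rf"PID 2840 wrote to memory of 1580 N/A {SAMPLE} C:\Windows\System32\net.exe",
    r"PID 1580 wrote to memory of 1260 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe",
    r"PID 2228 wrote to memory of 1424 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe",
    r"PID 2228 wrote to memory of 2504 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\cmd.exe",
    r"PID 2504 wrote to memory of 4460 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe",
    r"PID 2744 wrote to memory of 4836 N/A C:\Windows\system32\DllHost.exe C:\Windows\system32\WerFault.exe",
    r"PID 3716 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe C:\Windows\System32\net.exe",
])


def image_name(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return PureWindowsPath(path).name.lower()


def parse_rows(text):
    """Return unique (src_pid, dst_pid, src_image, dst_image) rows in first-seen order."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            rows.setdefault((int(src), int(dst)), (int(src), int(dst), src_img, dst_img))
    return list(rows.values())


def analyse(rows, min_hosts=3):
    """Flag sources writing into >= min_hosts distinct host processes, then follow up
    on what those injected hosts do next (spawn tooling, or crash into WerFault)."""
    host_writes = defaultdict(list)
    for src, dst, _, dst_img in rows:
        if image_name(dst_img) in HOST_PROCESSES:
            host_writes[src].append((dst, dst_img))
    injectors = {pid: w for pid, w in host_writes.items() if len(w) >= min_hosts}
    injected = {dst for w in injectors.values() for dst, _ in w}

    hijacked, crashed = defaultdict(list), {}
    for src, dst, _, dst_img in rows:
        if src in injected:
            name = image_name(dst_img)
            if name in TRANSIENT_TOOLS:      # injected host now runs attacker commands
                hijacked[src].append((dst, dst_img))
            elif name in CRASH_HANDLERS:     # injected host fell over instead
                crashed[src] = dst
    return {"injectors": injectors, "hijacked_hosts": dict(hijacked), "crashed_hosts": crashed}


if __name__ == "__main__":
    result = analyse(parse_rows(WPM_ROWS))
    for pid, writes in result["injectors"].items():
        print(f"PID {pid} injected into {len(writes)} host processes")
    for pid, spawned in result["hijacked_hosts"].items():
        print(f"PID {pid} (injected) then spawned: {[d for d, _ in spawned]}")
    for pid, wer in result["crashed_hosts"].items():
        print(f"PID {pid} (injected) crashed, WerFault PID {wer}")
```

On the rows above this reports one injector (2840, seven host processes in the subset), one hijacked host (2228, sihost.exe, which went on to launch net.exe and cmd.exe) and one crash (2744, DllHost.exe). The parent-to-child writes from net.exe, cmd.exe and the dropped kuKnEoN.exe are deliberately not flagged; on a real EDR feed you would additionally require that the target existed before the write, which this table does not record.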

Processes

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe

"C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe"

C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe

"C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe" 8 LAN

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\sihost.exe" /f

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\sihost.exe" /f

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 428 -p 2744 -ip 2744

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 456 -p 2904 -ip 2904

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2744 -s 1020

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe" /f

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe" /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe" /f

Network

Country Destination Domain Proto
US 209.197.3.8:80 N/A tcp
US 72.21.91.29:80 N/A tcp
N/A 10.127.0.1:7 N/A udp
NL 154.61.71.13:7 N/A udp
N/A 224.0.0.22:7 N/A udp
N/A 224.0.0.251:7 N/A udp
N/A 224.0.0.252:7 N/A udp
N/A 239.255.255.250:7 N/A udp
NL 184.29.205.60:443 N/A tcp

Files
