Analysis Overview
SHA256
a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd
Threat Level: Known bad
The file a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd was found to be: Known bad.
Malicious Activity Summary
Ryuk
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Runs net.exe
Suspicious use of WriteProcessMemory
Modifies registry class
Analysis: static1
Detonation Overview
Reported: 2022-02-20 03:56
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2022-02-20 03:56
Reported: 2022-02-20 04:09
Platform: win7-en-20211208
Max time kernel: 158s
Max time network: 59s
Command Line
Signatures
Ryuk
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YJIvUXj.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YJIvUXj.exe" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Windows\\system32\\taskhost.exe" | C:\Windows\system32\reg.exe | N/A |
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\YJIvUXj.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\taskhost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Windows\system32\taskhost.exe | "taskhost.exe" |
| C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" |
| C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe | "C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe" |
| C:\Users\Admin\AppData\Local\Temp\YJIvUXj.exe | "C:\Users\Admin\AppData\Local\Temp\YJIvUXj.exe" 8 LAN |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe" /f |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\system32\reg.exe | REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f |
| C:\Windows\system32\reg.exe | REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe" /f |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YJIvUXj.exe" /f |
| C:\Windows\system32\reg.exe | REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YJIvUXj.exe" /f |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 10.127.0.1:7 | | udp |
| NL | 154.61.71.13:7 | | udp |
| N/A | 224.0.0.22:7 | | udp |
| N/A | 224.0.0.252:7 | | udp |
| N/A | 239.255.255.250:7 | | udp |
Files
| SHA1 | a8b66f8778e88627faba48493e693f149f9732ed |
| SHA256 | 5361f182ee54c382a536b04f1b8f53a48952fd9f163f8e13e8aec2ddd12a3901 |
| SHA512 | 55bb5aa2356a73d5240eba92a8ea7430b12b7fb6d0ae7c654b946b38031c7e66e166ca10f143f1657a4d9aae86c4e93818d298de1781277723070e1d4587e7b7 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\WindowsMail.pat
| MD5 | cd2f87d8bc70d1ca878fbab78b5f59e9 |
| SHA1 | 6171dc83984400d3bab96886bc215598b9232cdf |
| SHA256 | bc3203a2070288479dd4d6999ebd38f2de53be9188016a83a80fb3a7ece99857 |
| SHA512 | 042ff72311fcb5e77ff1edc14d64c86fa70e9705b39fc569a1bf8a849f8b30f7432815d6e027b9498dd9362f8f5975ec6c8f0dc9a33181c10399fea2d84d490c |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Media\RyukReadMe.html
| MD5 | 6f70bd719ac455e38eedebeee08cb8fd |
| SHA1 | 96cd971b86074d3defd677ee952256a4048d6949 |
| SHA256 | 541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f |
| SHA512 | 1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Stars.jpg
| MD5 | 4f2b95b1afd5c2038ff616b16dd1d0cb |
| SHA1 | 4065ba511cdbc912065666e27b5328fe7e74b0a1 |
| SHA256 | e7968286373a3c78993eb1645ca2c6f81fb0bdaf8d1e1e9481e7e24ca60501e4 |
| SHA512 | f1847890f9ee0b1397d0afda2ca364fe6b5688ec0cadbb817a69e7f1790177b3dd841c0f317183941ebd53399e481cc2ab70076c9e615f2d533ed7954faceb98 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Media\12.0\WMSDKNS.DTD
| MD5 | 08f608b89fbf6718f90c789b2901bc1b |
| SHA1 | 5100d894dbd5b9eaf0a1d33c32e4a31ef71bfb01 |
| SHA256 | 08c28ceaf9895f4404bed36da983f6d7d8fb722116ccad53ec0e0ba08a3242dd |
| SHA512 | 85d9c997bb7cdfd6135de74ddd4d842555cbfd3b9634103b8d45f3e35c728370e3cc9de2b0bb24752e356ea64551355dec779787ee89b94a64457fdc693f14c1 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\RyukReadMe.html
| MD5 | 6f70bd719ac455e38eedebeee08cb8fd |
| SHA1 | 96cd971b86074d3defd677ee952256a4048d6949 |
| SHA256 | 541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f |
| SHA512 | 1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\RyukReadMe.html
| MD5 | 6f70bd719ac455e38eedebeee08cb8fd |
| SHA1 | 96cd971b86074d3defd677ee952256a4048d6949 |
| SHA256 | 541ff4c4f82061360310ee95e53e8d9428a71ab926dbfb01a535f3a7f1e1b71f |
| SHA512 | 1f80397e4639ad75e64b88b7bcf23c0f4d8d5dec6785d7013f10bde188e909159519f5a0dab5c61f2d716dfefc59dcd5f335a4fb3886ed7792f38c79ed9099eb |
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 03:56
Reported
2022-02-20 04:10
Platform
win10v2004-en-20220112
Max time kernel
161s
Max time network
199s
Command Line
Signatures
Ryuk
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Windows\\system32\\sihost.exe" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kuKnEoN.exe" | C:\Windows\system32\reg.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\DllHost.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\fbd2237f-ecf3-4603- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\33486878-55c3-4e20- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\acda46dc-effb-4ab2- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\566b3109-38c5-4424- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\df2edde2-581b-47d8- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\203ac902-c5f6-4f9a- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\acda46dc-effb-4ab2- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\a2495988d95aab725d53daf974b376eee82c7d3044b3b549e237dbd5a08d00a4" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\566b3109-38c5-4424- = 6a09bebf1726d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\88407c7c-a4f5-4859- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0fa6a186-e9b4-4a27- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38b64632-4248-40fd- = 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 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\acda46dc-effb-4ab2- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\acda46dc-effb-4ab2- = 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 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\566b3109-38c5-4424- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3660e7cc-43ca-43e6- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82ee2ada-cec2-4d72- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7ac56ac6088d2866672963a8250dcfbb3526d3a51b9a3e861858925e66dc0f54" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82ee2ada-cec2-4d72- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\33486878-55c3-4e20- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\3ef29ceccf6a26e1eee4948e2a2173e657e681ba1e567da217e4a62103c10cb2" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\203ac902-c5f6-4f9a- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\203ac902-c5f6-4f9a- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\566b3109-38c5-4424- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\88407c7c-a4f5-4859- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82ee2ada-cec2-4d72- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38b64632-4248-40fd- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\acda46dc-effb-4ab2- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0fa6a186-e9b4-4a27- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82ee2ada-cec2-4d72- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\33486878-55c3-4e20- = 7e588abf1726d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\566b3109-38c5-4424- = 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 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0fa6a186-e9b4-4a27- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82ee2ada-cec2-4d72- = d37f01bf1726d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38b64632-4248-40fd- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38b64632-4248-40fd- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\acda46dc-effb-4ab2- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\88407c7c-a4f5-4859- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0fa6a186-e9b4-4a27- = 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 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\203ac902-c5f6-4f9a- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38b64632-4248-40fd- = 8e44a6bf1726d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38b64632-4248-40fd- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\986c937cba011afe270827ad7153a4fc7500b99715f4f31bd930ef76e2e1b462" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\566b3109-38c5-4424- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\566b3109-38c5-4424- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\14cbb207164a89383c6a9cec0813c7abc0822d997f9e3ed4d3d6f9f7d6a8a0af" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d11c1386-4f77-4d65- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\33486878-55c3-4e20- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\203ac902-c5f6-4f9a- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\87d7637bc207a81bdc50fd6c4b9162b8de395cd65525d1f68df3e641fa9d1c17" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\88407c7c-a4f5-4859- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\88407c7c-a4f5-4859- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7ac56ac6088d2866672963a8250dcfbb3526d3a51b9a3e861858925e66dc0f54" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\88407c7c-a4f5-4859- = 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 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0fa6a186-e9b4-4a27- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2d9451f8-245c-426a- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82ee2ada-cec2-4d72- = 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 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38b64632-4248-40fd- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\acda46dc-effb-4ab2- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\88407c7c-a4f5-4859- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82ee2ada-cec2-4d72- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\566b3109-38c5-4424- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\33486878-55c3-4e20- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\33486878-55c3-4e20- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\203ac902-c5f6-4f9a- = 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 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\acda46dc-effb-4ab2- = abc1b6bf1726d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\88407c7c-a4f5-4859- = 7c5627c81726d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0fa6a186-e9b4-4a27- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\3ef29ceccf6a26e1eee4948e2a2173e657e681ba1e567da217e4a62103c10cb2" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\82ee2ada-cec2-4d72- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\sihost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe
"C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe"
C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe
"C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe" 8 LAN
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\sihost.exe" /f
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\sihost.exe" /f
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 2744 -ip 2744
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 2904 -ip 2904
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2744 -s 1020
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe" /f
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\a02107e2dc63a86777f46ed7d3c18ef4485eac83cb14ca1a0fca2f4d80e815cd.exe" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe" /f
C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\kuKnEoN.exe" /f
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | | tcp |
| US | 72.21.91.29:80 | | tcp |
| N/A | 10.127.0.1:7 | | udp |
| NL | 154.61.71.13:7 | | udp |
| N/A | 224.0.0.22:7 | | udp |
| N/A | 224.0.0.251:7 | | udp |
| N/A | 224.0.0.252:7 | | udp |
| N/A | 239.255.255.250:7 | | udp |
| NL | 184.29.205.60:443 | | tcp |
| NL | 184.29.205.60:443 | | tcp |
Files
| SHA1 | d3ad1b9e65cf58a27fb35e01d11affa09cd413f0 |
| SHA256 | 2e7c80429da672344a0b262d378e4f3cdcb898293d397706fca528c5f9b965e0 |
| SHA512 | d2af18ef6e3cf4a870b465f430cf74bbf8f2abab3ebe5935573bddf947693a447bfa241e4921eba8ce71930d83005582b6df87c45d777626fedbca1364c91f1e |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wctCE8B.tmp.RYK
| MD5 | b1e701d9da48310ce7d05a4efe080e9a |
| SHA1 | 1dc5589f218676242b4e2d96e276ff95edbd1316 |
| SHA256 | 1ce91284c63638a448431a7088129db9480308c76b4d012d265ae92e10ca9f0b |
| SHA512 | e35daad556738e6142f175b4cd01072b0407c5f25f30a285bf5751686c91e96cf658a0f3feee60f9b589e4ec72c0fc3d01b095c093b706e118c2dd74c453762e |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct2BC9.tmp.RYK
| MD5 | 0c28081fe4c89fd760e620de1bb1dfa0 |
| SHA1 | 9dbb5bf424e1ffe792640837dd1914960cb1c48d |
| SHA256 | d4fd7092e3eea445f2dbc87c07ec14391bd4bf5145a9f577099ba7f978741029 |
| SHA512 | c3a46bf414a994f050892efb8c43b0d03bd551bf3d297922867a16513205b91020e5a09f27a60981c988ac6d0aac231ac6bcfe6db4cefa599ff262970ff87ec4 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx.RYK
| MD5 | e94855c6d0d2e9a1484c92a935cf28f3 |
| SHA1 | 671cb793b07bdc0542202e2e1f5da9f4a437b34f |
| SHA256 | c2fe10ab426efe7eddd48d6b07755ae7d6cb64d62b2e057be7d73e67e3c7dc75 |
| SHA512 | 1e2b775a20716ec0dc764e3af178403dd4ee3d011a1228bd71f0399b392fb6df2d6113cd0cd4f32bf9b5bae03f23b3d2ebe152b5ea292f8b80a411be180ee21e |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\DO775D.tmp
| MD5 | a4c6a43fcc79345164e0cd5e82779da9 |
| SHA1 | 2cec78808c6cecf30da30279de7a196c4d42c525 |
| SHA256 | a1c5ba26e2d3ef189a461a9b4eccf18262194d34fd1e9bfef8c7a6e7578bf74f |
| SHA512 | 0e6051c487e16becdbfcae209a0e9cdb0bb1ce3cc7fc6d1ec2f79c62c9f72af4c12f51c25d419a8b0d11e8fadcd68efa839069c04c3460565d8c0e62a511280d |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jcp.RYK
| MD5 | 0fc960afaceea8e7ff40c4096e2b949a |
| SHA1 | 42416a3fccdd3088dbde4e7e96b83d3ca8e785d3 |
| SHA256 | 10261cbe3020dba52ebb0070302f8de393c10630aeac446d26019622085f002b |
| SHA512 | a56ffe5ffbebde92fe68fe829b358b01234145218382d84c20cac62a7596f8873a3239c62875e78c212240cf203f692df222e9e323be7ae51d23ce81215faaf7 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm.RYK
| MD5 | b4c0b01591fc08d0298762f1cc8c9391 |
| SHA1 | 9c305f208546f0a837f9988da6ca0cecb3e9e1fa |
| SHA256 | aa74a926bed6b5e0dd0b80054163e72f1e961c3475dcf14c1aefbd1b7bc75543 |
| SHA512 | 982d7e6cf81444c36c5c2398545def291d0ae306ac573d2aa0b1cf0fbeddea4ac6e088ea923500c59d6940f0f97007ebe27c315b901ed8a0b8a4497088be43b2 |
memory/2744-195-0x00000265DB370000-0x00000265DB378000-memory.dmp
memory/2744-196-0x00000265DAEF0000-0x00000265DAEF1000-memory.dmp
memory/2744-197-0x00000265DB1F0000-0x00000265DB1F8000-memory.dmp
memory/2744-198-0x00000265DB040000-0x00000265DB041000-memory.dmp