Analysis Overview
SHA256
7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20
Threat Level: Known bad
The file 7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20 was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateProcessExOtherParentProcess
Ryuk
Drops desktop.ini file(s)
Drops file in Windows directory
Program crash
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Modifies data under HKEY_USERS
Suspicious use of UnmapMainImage
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-02-20 05:25
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 05:25
Reported
2022-02-20 05:53
Platform
win7-en-20211208
Max time kernel
155s
Max time network
142s
Command Line
Signatures
Ryuk
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\Sample Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Favorites\Links\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Searches\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Links\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Recent\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Desktop\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\Sample Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\SendTo\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\SendTo\Desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Games\Desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\taskhost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1624 wrote to memory of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | C:\Windows\system32\taskhost.exe |
| PID 1624 wrote to memory of 1308 | N/A | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | C:\Windows\system32\Dwm.exe |
| PID 1624 wrote to memory of 1404 | N/A | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | C:\Windows\Explorer.EXE |
Processes
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
"C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe"
Network
Files
memory/1172-55-0x000000013FFC0000-0x0000000140342000-memory.dmp
memory/1172-57-0x000000013FFC0000-0x0000000140342000-memory.dmp
memory/1308-58-0x000000013FFC0000-0x0000000140342000-memory.dmp
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\RyukReadMe.txt
C:\Documents and Settings\Admin\RyukReadMe.txt
C:\Documents and Settings\RyukReadMe.txt
C:\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache10.lst.RYK
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\WPDNSE\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGIFCB7.tmp-tmp.RYK
| MD5 | 4715ac09541df12242f75966c249d034 |
| SHA1 | 67b97401136821ba7c1a0493538d1307f4bfbe81 |
| SHA256 | d4e24e9d168d998165565363adcb283b39d9044cb3942a2f1a9061890853c633 |
| SHA512 | aab8f4b8360a2f4ee90722315eeb80621f03e07cfed6bfbc5945cf3fe61c067d76f9ffee5859b923fda3ae1e009d11eb2ed749aacc88047abdf82fcaea023da2 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log.RYK
| MD5 | 4d874cc9ff8ea1440f57de0d9a3c8d59 |
| SHA1 | d001dfba9d61ed3f9b0a1b06fd32dd705ceb8026 |
| SHA256 | 5352a5bd8d9f9852384daa616282941b1a12afe089e044a95f0543fe50515b11 |
| SHA512 | b30ad9a25e6b91314bba04559802216c7e64c4aa7e55050a729e389890a6af8ff50ca309da2ac45d0ae4a8d953b0f39f43d20c5e58427097f42daf659fb8c919 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log.RYK
| MD5 | 090e8eea380a46ee8e89aaa8f0150b6f |
| SHA1 | be6c9ddc79fb0ca62eab3efe8583ed5715767ec6 |
| SHA256 | 66e2456ec7a117a50cb3bd3d026bec2dfea696161a107f2f0dd09852c9d81118 |
| SHA512 | e4dd205411e73b2f72ed1fc8a12507f9434fd5d25144015288cdae1a41739af075bc171832400a3c2d61cd0ec72da945270b1190db4396068593188435d2f3c5 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Admin.bmp.RYK
| MD5 | fdaba9336a24311f9bfd88896d59a67a |
| SHA1 | d2780f8497cb9e95de669bcc66b72a27cd1066c1 |
| SHA256 | 7e954de21aad871d788749fcb44ad0eface08a0af6180f8c03193106e7762feb |
| SHA512 | f2e857308f3a08b5b7213a50b03e01e6c09785b8f49b1a9ad0e48f7d3df3def056208b18bf0a36ac3e4d120cb8c29fb6ed57da18a080b39e4a1863e63409a8eb |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK
| MD5 | 4fed66a8e8d991fbb51be5cbbee5cdca |
| SHA1 | a151420d02e4b7d4fb914f63ad1338d5ce33b954 |
| SHA256 | 9b489d9296f8b3498159025d9c01652c2e006a8d69ecdfbe2ba2ab5b62d33d83 |
| SHA512 | 284bc89ca6887df839804d073d82cef02e18a58757e8a254992ef6970f5b5ac6b1041c3715c012e656b0af7d4c0e0b10806637ae97b16bc7902ef739214cd019 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK
| MD5 | fd29b5b08232315bb957b5c66e2d5de5 |
| SHA1 | 0ce62efaa1a43e452ee9506e8e61138167518e2f |
| SHA256 | 083b6f573a604b65187d67e0c20c33b01c6eb977a11b2c958ef1321c355cae1c |
| SHA512 | 03e2e59cfafd00ab5eef8a875398f9dddda0ef140899f1b51fbea9f327d64dea6d289e53984af629ff5bccd7593a64781ddd1e930816072fbb6f32ba8d093e1e |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt
| MD5 | 892c3779e403ba2b9deba0670b435e6e |
| SHA1 | d46ff9301f175a170a8c33d02064e05c5f944805 |
| SHA256 | 5b1b88f481222c1926db240ac8453ee8948afcc39a27b0b31a02a048b8971e33 |
| SHA512 | 829b289254af2dfa8906e6109c23affd17b33388c8eff6cb30d463708bf3993bd10558e87f3dd94be61d2116c3284f0ff04c10abf197c950465310a290812809 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini.RYK
| MD5 | 0815068fd791e20c971d7275615ebebc |
| SHA1 | 3784ee7e00f0fbf2892458b910478a4adfd43048 |
| SHA256 | 9180f41b3fa2c8421dcef3262ecbcb6852a216427ef76075230e5185c671433b |
| SHA512 | e11a60e38a8c67599194bbaa61fa711e7eb917898e048b24d9bf158035d81f2d0d243eb26bd3d7a1c5192a05552e5728120fb0a2f064b0b317f0ef71fb05568c |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.txt
| MD5 | 892c3779e403ba2b9deba0670b435e6e |
| SHA1 | d46ff9301f175a170a8c33d02064e05c5f944805 |
| SHA256 | 5b1b88f481222c1926db240ac8453ee8948afcc39a27b0b31a02a048b8971e33 |
| SHA512 | 829b289254af2dfa8906e6109c23affd17b33388c8eff6cb30d463708bf3993bd10558e87f3dd94be61d2116c3284f0ff04c10abf197c950465310a290812809 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt
| MD5 | 892c3779e403ba2b9deba0670b435e6e |
| SHA1 | d46ff9301f175a170a8c33d02064e05c5f944805 |
| SHA256 | 5b1b88f481222c1926db240ac8453ee8948afcc39a27b0b31a02a048b8971e33 |
| SHA512 | 829b289254af2dfa8906e6109c23affd17b33388c8eff6cb30d463708bf3993bd10558e87f3dd94be61d2116c3284f0ff04c10abf197c950465310a290812809 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db.RYK
| MD5 | 0a3577553d5a5121d89d5a4c8e48468e |
| SHA1 | 83380b8baba793a09a2c9d989167c422b170ed45 |
| SHA256 | 68fd1478cd1ae73afbf3d07a8d5f191c5e2696de303cdd5858fcefd96fb7c691 |
| SHA512 | 2edbb0ae5dccbc6e7d68c8da970218117683f507c506c6abcf375d4a3c7887952e081013d34fe060e6a9b2a9301b826ca1a92ec55efc36df520018c1cf90f257 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.txt
| MD5 | 892c3779e403ba2b9deba0670b435e6e |
| SHA1 | d46ff9301f175a170a8c33d02064e05c5f944805 |
| SHA256 | 5b1b88f481222c1926db240ac8453ee8948afcc39a27b0b31a02a048b8971e33 |
| SHA512 | 829b289254af2dfa8906e6109c23affd17b33388c8eff6cb30d463708bf3993bd10558e87f3dd94be61d2116c3284f0ff04c10abf197c950465310a290812809 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGIFCB7.tmp.RYK
| MD5 | a4e279ec66b078deb2ac135da8452131 |
| SHA1 | 49ebef0d1de55ade843b7e16124396be3ce5ffa8 |
| SHA256 | 11582771a47af1735b616365e931dcba04646835f129bcf8046f2690ae97ad14 |
| SHA512 | 48046cf3b23ec61ad8eb892b5f7061f5ebd8416cf8967bd4ca2d791dd15d4a8eb16f1d24a3c671bd448e7b45ef87b84b46fcaf9cb3cb9f231639edd7f64f2537 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log.RYK
| MD5 | 9e194d7538cb1cc2bac830076ebb2ca2 |
| SHA1 | e929e27ba09acabddf43a1f24b0e864652228f8b |
| SHA256 | 7455f42e072bc17e05d416113b9e9ebc304cc5e4df5cc6635d57bc006cb0fddb |
| SHA512 | 84e56969d31a6e62bded104ccb7af34c4daa46c3062084226fba9d5fea10cce37c996ef836a2c0c813eaa6790f58919d58ec9f144814885addb0fd66b9ffdf64 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install.log.RYK
| MD5 | f9f305504699e1e9858ffb4ef096df96 |
| SHA1 | 44cebdf346ee448309155418538df014f17b1729 |
| SHA256 | a8775315a29e97b914160f5438634b58644ee940164529b2d4c156222d2ec6d9 |
| SHA512 | de4ebd32860542f2a2193dd93c71d11a939da6ea9b16d005061c54797903bdb4152886936055f16655f11f54386142bc78de295a4bb783a1140dc87e5e564419 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.txt
| MD5 | 892c3779e403ba2b9deba0670b435e6e |
| SHA1 | d46ff9301f175a170a8c33d02064e05c5f944805 |
| SHA256 | 5b1b88f481222c1926db240ac8453ee8948afcc39a27b0b31a02a048b8971e33 |
| SHA512 | 829b289254af2dfa8906e6109c23affd17b33388c8eff6cb30d463708bf3993bd10558e87f3dd94be61d2116c3284f0ff04c10abf197c950465310a290812809 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\RyukReadMe.txt
| MD5 | 892c3779e403ba2b9deba0670b435e6e |
| SHA1 | d46ff9301f175a170a8c33d02064e05c5f944805 |
| SHA256 | 5b1b88f481222c1926db240ac8453ee8948afcc39a27b0b31a02a048b8971e33 |
| SHA512 | 829b289254af2dfa8906e6109c23affd17b33388c8eff6cb30d463708bf3993bd10558e87f3dd94be61d2116c3284f0ff04c10abf197c950465310a290812809 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.txt
| MD5 | 892c3779e403ba2b9deba0670b435e6e |
| SHA1 | d46ff9301f175a170a8c33d02064e05c5f944805 |
| SHA256 | 5b1b88f481222c1926db240ac8453ee8948afcc39a27b0b31a02a048b8971e33 |
| SHA512 | 829b289254af2dfa8906e6109c23affd17b33388c8eff6cb30d463708bf3993bd10558e87f3dd94be61d2116c3284f0ff04c10abf197c950465310a290812809 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.txt
| MD5 | 892c3779e403ba2b9deba0670b435e6e |
| SHA1 | d46ff9301f175a170a8c33d02064e05c5f944805 |
| SHA256 | 5b1b88f481222c1926db240ac8453ee8948afcc39a27b0b31a02a048b8971e33 |
| SHA512 | 829b289254af2dfa8906e6109c23affd17b33388c8eff6cb30d463708bf3993bd10558e87f3dd94be61d2116c3284f0ff04c10abf197c950465310a290812809 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.txt
| MD5 | 892c3779e403ba2b9deba0670b435e6e |
| SHA1 | d46ff9301f175a170a8c33d02064e05c5f944805 |
| SHA256 | 5b1b88f481222c1926db240ac8453ee8948afcc39a27b0b31a02a048b8971e33 |
| SHA512 | 829b289254af2dfa8906e6109c23affd17b33388c8eff6cb30d463708bf3993bd10558e87f3dd94be61d2116c3284f0ff04c10abf197c950465310a290812809 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.txt
| MD5 | 892c3779e403ba2b9deba0670b435e6e |
| SHA1 | d46ff9301f175a170a8c33d02064e05c5f944805 |
| SHA256 | 5b1b88f481222c1926db240ac8453ee8948afcc39a27b0b31a02a048b8971e33 |
| SHA512 | 829b289254af2dfa8906e6109c23affd17b33388c8eff6cb30d463708bf3993bd10558e87f3dd94be61d2116c3284f0ff04c10abf197c950465310a290812809 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.txt
| MD5 | 892c3779e403ba2b9deba0670b435e6e |
| SHA1 | d46ff9301f175a170a8c33d02064e05c5f944805 |
| SHA256 | 5b1b88f481222c1926db240ac8453ee8948afcc39a27b0b31a02a048b8971e33 |
| SHA512 | 829b289254af2dfa8906e6109c23affd17b33388c8eff6cb30d463708bf3993bd10558e87f3dd94be61d2116c3284f0ff04c10abf197c950465310a290812809 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt
| MD5 | 892c3779e403ba2b9deba0670b435e6e |
| SHA1 | d46ff9301f175a170a8c33d02064e05c5f944805 |
| SHA256 | 5b1b88f481222c1926db240ac8453ee8948afcc39a27b0b31a02a048b8971e33 |
| SHA512 | 829b289254af2dfa8906e6109c23affd17b33388c8eff6cb30d463708bf3993bd10558e87f3dd94be61d2116c3284f0ff04c10abf197c950465310a290812809 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.txt
| MD5 | 892c3779e403ba2b9deba0670b435e6e |
| SHA1 | d46ff9301f175a170a8c33d02064e05c5f944805 |
| SHA256 | 5b1b88f481222c1926db240ac8453ee8948afcc39a27b0b31a02a048b8971e33 |
| SHA512 | 829b289254af2dfa8906e6109c23affd17b33388c8eff6cb30d463708bf3993bd10558e87f3dd94be61d2116c3284f0ff04c10abf197c950465310a290812809 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\User\RyukReadMe.txt
| MD5 | 892c3779e403ba2b9deba0670b435e6e |
| SHA1 | d46ff9301f175a170a8c33d02064e05c5f944805 |
| SHA256 | 5b1b88f481222c1926db240ac8453ee8948afcc39a27b0b31a02a048b8971e33 |
| SHA512 | 829b289254af2dfa8906e6109c23affd17b33388c8eff6cb30d463708bf3993bd10558e87f3dd94be61d2116c3284f0ff04c10abf197c950465310a290812809 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.txt
| MD5 | 892c3779e403ba2b9deba0670b435e6e |
| SHA1 | d46ff9301f175a170a8c33d02064e05c5f944805 |
| SHA256 | 5b1b88f481222c1926db240ac8453ee8948afcc39a27b0b31a02a048b8971e33 |
| SHA512 | 829b289254af2dfa8906e6109c23affd17b33388c8eff6cb30d463708bf3993bd10558e87f3dd94be61d2116c3284f0ff04c10abf197c950465310a290812809 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt
| MD5 | 892c3779e403ba2b9deba0670b435e6e |
| SHA1 | d46ff9301f175a170a8c33d02064e05c5f944805 |
| SHA256 | 5b1b88f481222c1926db240ac8453ee8948afcc39a27b0b31a02a048b8971e33 |
| SHA512 | 829b289254af2dfa8906e6109c23affd17b33388c8eff6cb30d463708bf3993bd10558e87f3dd94be61d2116c3284f0ff04c10abf197c950465310a290812809 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.txt
| MD5 | 892c3779e403ba2b9deba0670b435e6e |
| SHA1 | d46ff9301f175a170a8c33d02064e05c5f944805 |
| SHA256 | 5b1b88f481222c1926db240ac8453ee8948afcc39a27b0b31a02a048b8971e33 |
| SHA512 | 829b289254af2dfa8906e6109c23affd17b33388c8eff6cb30d463708bf3993bd10558e87f3dd94be61d2116c3284f0ff04c10abf197c950465310a290812809 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.txt
| MD5 | 892c3779e403ba2b9deba0670b435e6e |
| SHA1 | d46ff9301f175a170a8c33d02064e05c5f944805 |
| SHA256 | 5b1b88f481222c1926db240ac8453ee8948afcc39a27b0b31a02a048b8971e33 |
| SHA512 | 829b289254af2dfa8906e6109c23affd17b33388c8eff6cb30d463708bf3993bd10558e87f3dd94be61d2116c3284f0ff04c10abf197c950465310a290812809 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Media\RyukReadMe.txt
| MD5 | 892c3779e403ba2b9deba0670b435e6e |
| SHA1 | d46ff9301f175a170a8c33d02064e05c5f944805 |
| SHA256 | 5b1b88f481222c1926db240ac8453ee8948afcc39a27b0b31a02a048b8971e33 |
| SHA512 | 829b289254af2dfa8906e6109c23affd17b33388c8eff6cb30d463708bf3993bd10558e87f3dd94be61d2116c3284f0ff04c10abf197c950465310a290812809 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00001.jrs.RYK
| MD5 | 8f43443fa9ceafc20c570fd69bdcf8df |
| SHA1 | c04838ff38f607304952433195322eccf8ac32a3 |
| SHA256 | c271ac183a806f3163ca31b57ded99d68dde9ee8e678b6afd54b524a26965485 |
| SHA512 | 22bcf33c67a09c44ea11e60f42509d53951bb3ba1453b4f3e5d29fd2f496f8b61b078ff1937918be574629d5d2fcee7c1f94208c61eabb07f62594558f78ea0c |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.jpg
| MD5 | 9d10c0e5349766180365cc760c58ec7a |
| SHA1 | 580f22083d09b40e1a4ab14f390c9cacfb191045 |
| SHA256 | 5d6c87a3ed169ce7940f8b279ade433c46268f07c12330449e963f6c6079355b |
| SHA512 | ed05da7d1202ac3792d629f37a22c89dfe5292bbfc0b925306745fbad9c9729b7f1271611b50193991600d49bdfdbe112e5a23a38b62bab5d57019dd241025f0 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini
| MD5 | 22e4799153a8cf0cafb3fbdecb8c8cd3 |
| SHA1 | 75d4d32419fb19e2199f53ceaceb354696f62fc2 |
| SHA256 | 097e19c37da4815bb9210f7f9e6e893b6aff7d98bf395134f247aa32b6bda979 |
| SHA512 | 797cbbda58f7feb068e96ec1062ccc85b91b7171e954f0b9afc18065a592c3ccdf162eb1fa69dd7843155aaee9a8cb4d97e482b45d7cc8e20df6c762c837e789 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini
| MD5 | 67d962550e8841f4b3433162387e2307 |
| SHA1 | fb3e95e324685936a8942b8c421eb0488c3d7820 |
| SHA256 | 9ec0ee6b91037c5f05f3253c29b31027cdf1b0edb4b4052458e300470789cc49 |
| SHA512 | 86fffe96f3036537acf4be99bea4b586e37f55decba4e4141bbdf077eebfc24a162bef6cc407a54d6638afeafead694b7cdded275acfa23860f02e226295cbf1 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\oeold.xml.RYK
| MD5 | e084319fb31f37f9da0103c4b65c984f |
| SHA1 | 5754d067220e758cc39a4cdec43160fe8d9a806c |
| SHA256 | 850db200531a6fc0cd743272198425f7491e1ab53db3df12f46d088877df8de1 |
| SHA512 | a6db67e6b0f3b8bd8f422bf431c95ea362b06793cedf9ad6ffb758c95739e2f325dd95c4e5037492a1b6427ef875e7ce302cb821fcdbdb16ded0eef357a8bcca |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.log.RYK
| MD5 | e34755f91f11adb09f00b77f174c122d |
| SHA1 | 148fb69df368cc00db235619d78ba0c158f0da3f |
| SHA256 | dfadf3234a191e3ec1a9fe0ae6a2163f3bfacd47e44d8e0bc080d02cf311ecbc |
| SHA512 | a456d75f6c938935296bdedc74dea7c67df46a8b157fcedae3b3d24d3e7219578457cf6b0bb39463b793f94b1a1173767a2a6d9b4f563d2215abe96c5741081a |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt.RYK
| MD5 | 706b3931d7b4eae88e2a88898b97f08d |
| SHA1 | f0666594e84e17432f1331c503fdeb0668ed6860 |
| SHA256 | afce2f42754dd5403367dfcad5cea745c6d772b8973b9e75cf0a44766ec5bec2 |
| SHA512 | 319d57d6024f8965d1008dc7408fa957e8d5fe0834b63b2e1a0d1eb2d217b956bd05f49f267fa4cbd29fa04fdf21d79a4efc34472cbc0277417064ccc79350b4 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini
| MD5 | 4210cbd43bf79720ccf72ab8c4e5a0a6 |
| SHA1 | c54212a81c6ea7c82366a64efbbbfdcae8d0ca8d |
| SHA256 | 69bf4e408a005f939aee1bd82a0c5d82698dfcb64a10f2d7a60b05d77c5fdb64 |
| SHA512 | aa633035d3e6dfa0b0bc7b4888f5fdf78bf2aafee2871384a9bf5e6eeb540cab2da483bcd61873bbe6a5fe005d82b2d9c2d7dfefc1538df7e0c7ca91bdf4728d |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak.RYK
| MD5 | 13fdf2f1b4dc3f250d67b0a3572d7797 |
| SHA1 | c48e4d9886c34894fa71d5a22fc527afc99f1686 |
| SHA256 | 7af0e8c7041007ecaa70fa9fb749147cb33401e282c27866ec048f89fea3b971 |
| SHA512 | 4733a3be886b13b67fd92aebf35a3420721aabb5e82a923dade1da06bbbcaec032f34f5de5b320103b1fef91ce88a4bbfe1c5bc5d5ff0ca8485381d57b75f708 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\LocalMLS_3.wmdb.RYK
| MD5 | 5d0a1850261847f1573da163c49890da |
| SHA1 | 8982c43daa6fee0acaab5a7a155b4ab32327e1bf |
| SHA256 | 4aad660cb1cf6db2736456a1c42d386a35b20a5d71493e921137938c0a529512 |
| SHA512 | 649fc0a02f265f8bc95bf2a18162e34487716bb1e49942897d53ea6b2b02f5d8abe4ad204e3bc7e77ae161fcd2f50a1bef7335a5023617f66e439a4f10211216 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini
| MD5 | a4b1de3b615b85286e306f5a9a5f4a8e |
| SHA1 | 919c6a354546d73d2b677e0f50cdb281bb21d9f4 |
| SHA256 | c204eda41a181ec47b0888c901702e6059eec8d6cdcc5e7dd2211fdeb8969617 |
| SHA512 | 081a2b6f544d02bda388df8fc0560c17a28416b4ce41c42c1aa6a994d9cf4603e4716f8d72e181678e47179b37980c3f1087ffcf927ae55a9b6133a94923673b |
Analysis: behavioral2
Detonation Overview
| Submitted | 2022-02-20 05:25 |
| Reported | 2022-02-20 05:53 |
| Platform | win10v2004-en-20220112 |
| Max time kernel | 192s |
| Max time network | 206s |
Command Line
Signatures
Ryuk
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 5072 created 2816 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Documents and Settings\Admin\3D Objects\desktop.ini | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini | C:\Windows\system32\sihost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | C:\Windows\System32\svchost.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\DllHost.exe |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4072" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132899864250629497" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.191388" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3521da4c-35fe-4114- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3521da4c-35fe-4114- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ede06af8-aaf3-4328- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ede06af8-aaf3-4328- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a77eeb16-2469-4dbf- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\9e810fd05a1a3d5c2e33734ef12615f09d7c75f5accea787995899040471b715" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3e895748-e3b7-4c04- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a3e7c75c-370f-49e6- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e7b194f4-98a4-4ed7- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3521da4c-35fe-4114- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ede06af8-aaf3-4328- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ede06af8-aaf3-4328- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\bf9b381c0f6d6c6843c6e75b141b29022c99e5eaf9ba7bd4b11b59983bec26d6" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a77eeb16-2469-4dbf- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3521da4c-35fe-4114- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a77eeb16-2469-4dbf- = 59d4f34a2626d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a77eeb16-2469-4dbf- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a77eeb16-2469-4dbf- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ede06af8-aaf3-4328- = d9c745492626d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ede06af8-aaf3-4328- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ede06af8-aaf3-4328- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a77eeb16-2469-4dbf- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a77eeb16-2469-4dbf- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ee6bf499-4e80-413d- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c9db898a-0c2b-4ec0- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9ff656cf-0c73-4383- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3521da4c-35fe-4114- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3521da4c-35fe-4114- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\1d116ca25302122e8e94614073e5d3fb181a0ef6034c91a48ef4af0052e32b8a" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3521da4c-35fe-4114- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ede06af8-aaf3-4328- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a77eeb16-2469-4dbf- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3521da4c-35fe-4114- = 2da2bd472626d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\sihost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
"C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2712 -s 880
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 2816 -ip 2816
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2816 -s 2944
Network
| Country | Destination | Domain | Proto |
| NL | 184.29.205.60:443 | | tcp |
| NL | 184.29.205.60:443 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | geo.prod.do.dsp.mp.microsoft.com | udp |
| US | 20.190.9.86:443 | geo.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | kv801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | kv801.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | cp801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp |
Files
memory/2204-130-0x00007FF7C2FF0000-0x00007FF7C3372000-memory.dmp
memory/2224-131-0x00007FF7C2FF0000-0x00007FF7C3372000-memory.dmp
memory/2412-132-0x00007FF7C2FF0000-0x00007FF7C3372000-memory.dmp
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2
| MD5 | 93a5aadeec082ffc1bca5aa27af70f52 |
| SHA1 | 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31 |
| SHA256 | a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294 |
| SHA512 | df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt
| MD5 | 892c3779e403ba2b9deba0670b435e6e |
| SHA1 | d46ff9301f175a170a8c33d02064e05c5f944805 |
| SHA256 | 5b1b88f481222c1926db240ac8453ee8948afcc39a27b0b31a02a048b8971e33 |
| SHA512 | 829b289254af2dfa8906e6109c23affd17b33388c8eff6cb30d463708bf3993bd10558e87f3dd94be61d2116c3284f0ff04c10abf197c950465310a290812809 |
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt
| MD5 | 892c3779e403ba2b9deba0670b435e6e |
| SHA1 | d46ff9301f175a170a8c33d02064e05c5f944805 |
| SHA256 | 5b1b88f481222c1926db240ac8453ee8948afcc39a27b0b31a02a048b8971e33 |
| SHA512 | 829b289254af2dfa8906e6109c23affd17b33388c8eff6cb30d463708bf3993bd10558e87f3dd94be61d2116c3284f0ff04c10abf197c950465310a290812809 |
C:\Documents and Settings\Admin\AppData\RyukReadMe.txt
| MD5 | 892c3779e403ba2b9deba0670b435e6e |
| SHA1 | d46ff9301f175a170a8c33d02064e05c5f944805 |
| SHA256 | 5b1b88f481222c1926db240ac8453ee8948afcc39a27b0b31a02a048b8971e33 |
| SHA512 | 829b289254af2dfa8906e6109c23affd17b33388c8eff6cb30d463708bf3993bd10558e87f3dd94be61d2116c3284f0ff04c10abf197c950465310a290812809 |
C:\Documents and Settings\Admin\3D Objects\RyukReadMe.txt
| MD5 | 892c3779e403ba2b9deba0670b435e6e |
| SHA1 | d46ff9301f175a170a8c33d02064e05c5f944805 |
| SHA256 | 5b1b88f481222c1926db240ac8453ee8948afcc39a27b0b31a02a048b8971e33 |
| SHA512 | 829b289254af2dfa8906e6109c23affd17b33388c8eff6cb30d463708bf3993bd10558e87f3dd94be61d2116c3284f0ff04c10abf197c950465310a290812809 |
C:\Documents and Settings\Admin\.oracle_jre_usage\RyukReadMe.txt
| MD5 | 892c3779e403ba2b9deba0670b435e6e |
| SHA1 | d46ff9301f175a170a8c33d02064e05c5f944805 |
| SHA256 | 5b1b88f481222c1926db240ac8453ee8948afcc39a27b0b31a02a048b8971e33 |
| SHA512 | 829b289254af2dfa8906e6109c23affd17b33388c8eff6cb30d463708bf3993bd10558e87f3dd94be61d2116c3284f0ff04c10abf197c950465310a290812809 |
C:\Documents and Settings\Admin\RyukReadMe.txt
| MD5 | 892c3779e403ba2b9deba0670b435e6e |
| SHA1 | d46ff9301f175a170a8c33d02064e05c5f944805 |
| SHA256 | 5b1b88f481222c1926db240ac8453ee8948afcc39a27b0b31a02a048b8971e33 |
| SHA512 | 829b289254af2dfa8906e6109c23affd17b33388c8eff6cb30d463708bf3993bd10558e87f3dd94be61d2116c3284f0ff04c10abf197c950465310a290812809 |
C:\Documents and Settings\RyukReadMe.txt
| MD5 | 892c3779e403ba2b9deba0670b435e6e |
| SHA1 | d46ff9301f175a170a8c33d02064e05c5f944805 |
| SHA256 | 5b1b88f481222c1926db240ac8453ee8948afcc39a27b0b31a02a048b8971e33 |
| SHA512 | 829b289254af2dfa8906e6109c23affd17b33388c8eff6cb30d463708bf3993bd10558e87f3dd94be61d2116c3284f0ff04c10abf197c950465310a290812809 |
C:\RyukReadMe.txt
| MD5 | 892c3779e403ba2b9deba0670b435e6e |
| SHA1 | d46ff9301f175a170a8c33d02064e05c5f944805 |
| SHA256 | 5b1b88f481222c1926db240ac8453ee8948afcc39a27b0b31a02a048b8971e33 |
| SHA512 | 829b289254af2dfa8906e6109c23affd17b33388c8eff6cb30d463708bf3993bd10558e87f3dd94be61d2116c3284f0ff04c10abf197c950465310a290812809 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt
| MD5 | 892c3779e403ba2b9deba0670b435e6e |
| SHA1 | d46ff9301f175a170a8c33d02064e05c5f944805 |
| SHA256 | 5b1b88f481222c1926db240ac8453ee8948afcc39a27b0b31a02a048b8971e33 |
| SHA512 | 829b289254af2dfa8906e6109c23affd17b33388c8eff6cb30d463708bf3993bd10558e87f3dd94be61d2116c3284f0ff04c10abf197c950465310a290812809 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
| MD5 | 1c2f2850d3f1abebb990fcc37ac8fac9 |
| SHA1 | f51ce47c63d4599aef0f9e89050530d5060e8ece |
| SHA256 | 33101431f7a5a0bfb01191ebe2528ff92a8efe17990441686ae86a6ccf41e0cd |
| SHA512 | affdc8311c6046b6fe4fc46cd1e58be45afb18cd1cf2dee545945849f0f2bea0463c06df14fc32658172f76fafc83ac0a3359eecc3da295bd8af6b256fb1c7a0 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
| MD5 | 14ef4cfcdd3dd8b81a3d60e36c62e994 |
| SHA1 | 074b7f17e3ca33391686fd8ad7db67f2623b7347 |
| SHA256 | c2a9723a77e3904049c5f643cca2874158d9e86a03e4be970c55f8807f6ee3f8 |
| SHA512 | 52b2f5bcf0ef987a685bd2a94232a980dd073e1f6fe04f19d94e3313298a7bfa1612e197dc26f92f47cf53f83d241701d96532214daf937227d21ab3d67fe698 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK
| MD5 | cd91e1b1df03068e3d6ede46cf02f8f7 |
| SHA1 | 9ca040b1636ab2d914351d5eeb2b2830b766c12b |
| SHA256 | b0ff8fb23397e54c6c7d07112b79134e4ee4180e718a31c074523f72e5c7d16c |
| SHA512 | d85f508bbdfe35cb83fa4f419a7ba7707052e9ebc6cb6b6e63bca93b92cfa34330bcf5c9f191cd0a02d85541b1f7e726c3f9f5e8482af694305f6a0f22c4d591 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK
| MD5 | 3eccc936cf76d0e33904e6b3e3c3f452 |
| SHA1 | b311b6461a8fe4ff8405009a835c5470d52e23de |
| SHA256 | e57b54ab5e0ec2caffe91b987032519e7ddf67f3c00cbc23e943a39bb9840dbf |
| SHA512 | 74ba41e1c38a8b572d078ffc57885413a2d6dadcb980b4bb305d6938dc43e63091a85bb415cda0bea76a9ba24c621e61dde92065ca8711b4c7a50996eef4b8cb |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK
| MD5 | c4126830f9c6ef0bfcea74a8a3698252 |
| SHA1 | ab729aa49a562aabd59711fb60c6ce712511eb29 |
| SHA256 | 5dcfc0d2f2f7505e7b6cfce609d1cf2cf12ed25e13ee79d9b036e5d9c4ace7f0 |
| SHA512 | 4b93070afb7b16a643aee741d87d74804780f9e24d74b79d632ae90aa5cb81f3a5de73d42755f85ec7a16a2b9a801df53bb1a5549d33b5c974189076d8ffe7a3 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt
| MD5 | 892c3779e403ba2b9deba0670b435e6e |
| SHA1 | d46ff9301f175a170a8c33d02064e05c5f944805 |
| SHA256 | 5b1b88f481222c1926db240ac8453ee8948afcc39a27b0b31a02a048b8971e33 |
| SHA512 | 829b289254af2dfa8906e6109c23affd17b33388c8eff6cb30d463708bf3993bd10558e87f3dd94be61d2116c3284f0ff04c10abf197c950465310a290812809 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.txt
| MD5 | 892c3779e403ba2b9deba0670b435e6e |
| SHA1 | d46ff9301f175a170a8c33d02064e05c5f944805 |
| SHA256 | 5b1b88f481222c1926db240ac8453ee8948afcc39a27b0b31a02a048b8971e33 |
| SHA512 | 829b289254af2dfa8906e6109c23affd17b33388c8eff6cb30d463708bf3993bd10558e87f3dd94be61d2116c3284f0ff04c10abf197c950465310a290812809 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.txt
C:\Documents and Settings\Admin\3D Objects\desktop.ini.RYK
C:\Documents and Settings\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db.RYK
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jcp
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\aria-debug-2324.log
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46E0.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\AdobeSFX.log
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46A8.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\L.Admin.cdp
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.jtx
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\DO775D.tmp
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\History
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\af-ZA\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-IQ\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-EG\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-DZ\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-BH\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-AE\RyukReadMe.txt