ryuk | 7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9

Analysis

max time kernel
177s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
20-02-2022 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
Size

203KB
MD5

071ccc24faaf0a8577075b7466293e8c
SHA1

8beed359f92bfc5e14384783526f77049eb2cb9a
SHA256

7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9
SHA512

454f5db75da3285cc28795078b598b8995d6a3fd586084b68c583029455a437905b5e58451992b3277ff61a1cd3b09a6107d4b94810128a738496137c4a62f90

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Only we have exclusive decryption software, suitable for your situation. More than a year ago, world experts recognized the impossibility of such encryption deciphering by any means except the original decoder. No decryption software is available in the public. Antivirus companies, researchers, IT specialists, and any other persons cannot help you to decipher the data. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM � files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us a [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4940 created 2924 4940 WerFault.exe StartMenuExperienceHost.exe

description	pid	process	target process
PID 4940 created 2924	4940	WerFault.exe	StartMenuExperienceHost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

sihost.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\Admin\3D Objects\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	sihost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5112 2740 WerFault.exe DllHost.exe
5864 2924 WerFault.exe StartMenuExperienceHost.exe

pid	pid_target	process	target process
5112	2740	WerFault.exe	DllHost.exe
5864	2924	WerFault.exe	StartMenuExperienceHost.exe

Modifies registry class 64 IoCs

Processes:

RuntimeBroker.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\585d35cc-6653-4935- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\571e01b0-615d-4c58- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\fd952d82bf3e368f3a81b1cf0f18903d9328ee9b7784222a1595c0fb321a631a"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f87e80a3-78d2-4651- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\571e01b0-615d-4c58- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e67568ec-fac0-4769- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\585d35cc-6653-4935- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e67568ec-fac0-4769-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2e495218-3b13-4c15- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f87e80a3-78d2-4651-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\585d35cc-6653-4935-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b80c5c9f-004b-42e3- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\571e01b0-615d-4c58-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e67568ec-fac0-4769- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c847a8a3-3c69-4a12- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ad04bcc4-cce3-45c0- = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2e495218-3b13-4c15- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f87e80a3-78d2-4651- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c847a8a3-3c69-4a12- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\fc41e1a9abef38935bd0e09bf57e090b5a28ab74d458558a9da50645ff570b56"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f87e80a3-78d2-4651- = 5c6124782926d801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f87e80a3-78d2-4651- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b80c5c9f-004b-42e3-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\571e01b0-615d-4c58- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000006f96c7792926d8016f96c7792926d8016f96c7792926d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005454ca392000666439353264383262663365333638663361383162316366306631383930336439333238656539623737383432323261313539356330666233323161363331610000b20009000400efbe5454ca395454ca392e000000000000000000000000000000000000000000000000009197d400660064003900350032006400380032006200660033006500330036003800660033006100380031006200310063006600300066003100380039003000330064003900330032003800650065003900620037003700380034003200320032006100310035003900350063003000660062003300320031006100360033003100610000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000417401a81000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c66643935326438326266336533363866336138316231636630663138393033643933323865653962373738343232326131353935633066623332316136333161000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d60e3ffae39083ec1182d0fafb7f96cc3abad9b5dc40371b4eb595e9fc647d27d60e3ffae39083ec1182d0fafb7f96cc3ace000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c847a8a3-3c69-4a12-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c847a8a3-3c69-4a12- = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f87e80a3-78d2-4651-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\585d35cc-6653-4935-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\585d35cc-6653-4935- = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ad04bcc4-cce3-45c0- = f016af792926d801	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ad04bcc4-cce3-45c0- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ad04bcc4-cce3-45c0- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000d935a6792926d801d935a6792926d801d935a6792926d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005454ca392000653462366366373833356330633631323438626533306539653962616163623230633931306433316632346661323437366363333561623263396163626634630000b20009000400efbe5454ca395454ca392e0000000000000000000000000000000000000000000000000027f8f500650034006200360063006600370038003300350063003000630036003100320034003800620065003300300065003900650039006200610061006300620032003000630039003100300064003300310066003200340066006100320034003700360063006300330035006100620032006300390061006300620066003400630000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000417401a81000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c65346236636637383335633063363132343862653330653965396261616362323063393130643331663234666132343736636333356162326339616362663463000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d60b3ffae39083ec1182d0fafb7f96cc3abad9b5dc40371b4eb595e9fc647d27d60b3ffae39083ec1182d0fafb7f96cc3ace000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c847a8a3-3c69-4a12-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e67568ec-fac0-4769- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000cac569922926d80120b31b942926d80120b31b942926d801ceb10a000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005454ca392000303033643730306537636237323732643464373962376235333539633464313535386431336533663336313536303331366536656431633666363335313261630000b20009000400efbe5454ca395454ca392e00000000000000000000000000000000000000000000000000bebddb00300030003300640037003000300065003700630062003700320037003200640034006400370039006200370062003500330035003900630034006400310035003500380064003100330065003300660033003600310035003600300033003100360065003600650064003100630036006600360033003500310032006100630000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000417401a81000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c30303364373030653763623732373264346437396237623533353963346431353538643133653366333631353630333136653665643163366636333531326163000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d6213ffae39083ec1182d0fafb7f96cc3abad9b5dc40371b4eb595e9fc647d27d6213ffae39083ec1182d0fafb7f96cc3ace000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\585d35cc-6653-4935- = c29fa5792926d801	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2e495218-3b13-4c15- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000b7bdaf792926d801b7bdaf792926d801b7bdaf792926d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005454ca392000623637366339313136623964326231626335373038396635323263653362353262396136633035363430366232303265363738376235303136653963316565370000b20009000400efbe5454ca395454ca392e000000000000000000000000000000000000000000000000004970ec00620036003700360063003900310031003600620039006400320062003100620063003500370030003800390066003500320032006300650033006200350032006200390061003600630030003500360034003000360062003200300032006500360037003800370062003500300031003600650039006300310065006500370000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000417401a81000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c62363736633931313662396432623162633537303839663532326365336235326239613663303536343036623230326536373837623530313665396331656537000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d60c3ffae39083ec1182d0fafb7f96cc3abad9b5dc40371b4eb595e9fc647d27d60c3ffae39083ec1182d0fafb7f96cc3ace000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f87e80a3-78d2-4651- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000e9cbf2762926d801e9cbf2762926d801e9cbf2762926d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005454c7392000383764373633376263323037613831626463353066643663346239313632623864653339356364363535323564316636386466336536343166613964316331370000b20009000400efbe5454c7395454c7392e0000000000000000000000000000000000000000000000000017db1500380037006400370036003300370062006300320030003700610038003100620064006300350030006600640036006300340062003900310036003200620038006400650033003900350063006400360035003500320035006400310066003600380064006600330065003600340031006600610039006400310063003100370000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000417401a81000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c38376437363337626332303761383162646335306664366334623931363262386465333935636436353532356431663638646633653634316661396431633137000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d6053ffae39083ec1182d0fafb7f96cc3abad9b5dc40371b4eb595e9fc647d27d6053ffae39083ec1182d0fafb7f96cc3ace000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e67568ec-fac0-4769- = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2e495218-3b13-4c15- = da4ac0792926d801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b80c5c9f-004b-42e3- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\003d700e7cb7272d4d79b7b5359c4d1558d13e3f361560316e6ed1c6f63512ac"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b80c5c9f-004b-42e3- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000004270c0792926d8014270c0792926d8014270c0792926d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005454ca392000303033643730306537636237323732643464373962376235333539633464313535386431336533663336313536303331366536656431633666363335313261630000b20009000400efbe5454ca395454ca392e00000000000000000000000000000000000000000000000000bebddb00300030003300640037003000300065003700630062003700320037003200640034006400370039006200370062003500330035003900630034006400310035003500380064003100330065003300660033003600310035003600300033003100360065003600650064003100630036006600360033003500310032006100630000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000417401a81000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c30303364373030653763623732373264346437396237623533353963346431353538643133653366333631353630333136653665643163366636333531326163000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d60d3ffae39083ec1182d0fafb7f96cc3abad9b5dc40371b4eb595e9fc647d27d60d3ffae39083ec1182d0fafb7f96cc3ace000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\571e01b0-615d-4c58- = 8dd8d0792926d801	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e67568ec-fac0-4769-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2c86c864-fab1-4ce7-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c847a8a3-3c69-4a12- = 97ef83662926d801	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ad04bcc4-cce3-45c0-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\571e01b0-615d-4c58- = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e67568ec-fac0-4769- = c7470aaa2926d801	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\585d35cc-6653-4935- = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000042ac9c792926d80142ac9c792926d80142ac9c792926d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005454ca392000393836633933376362613031316166653237303832376164373135336134666337353030623939373135663466333162643933306566373665326531623436320000b20009000400efbe5454ca395454ca392e00000000000000000000000000000000000000000000000000be81ff00390038003600630039003300370063006200610030003100310061006600650032003700300038003200370061006400370031003500330061003400660063003700350030003000620039003900370031003500660034006600330031006200640039003300300065006600370036006500320065003100620034003600320000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000417401a81000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c39383663393337636261303131616665323730383237616437313533613466633735303062393937313566346633316264393330656637366532653162343632000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d60a3ffae39083ec1182d0fafb7f96cc3abad9b5dc40371b4eb595e9fc647d27d60a3ffae39083ec1182d0fafb7f96cc3ace000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2e495218-3b13-4c15-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2e495218-3b13-4c15- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\b676c9116b9d2b1bc57089f522ce3b52b9a6c056406b202e6787b5016e9c1ee7"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e67568ec-fac0-4769- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\003d700e7cb7272d4d79b7b5359c4d1558d13e3f361560316e6ed1c6f63512ac"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c847a8a3-3c69-4a12- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ad04bcc4-cce3-45c0-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ad04bcc4-cce3-45c0- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\e4b6cf7835c0c61248be30e9e9baacb20c910d31f24fa2476cc35ab2c9acbf4c"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2e495218-3b13-4c15-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2e495218-3b13-4c15- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b80c5c9f-004b-42e3- = b0bcc8792926d801	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\571e01b0-615d-4c58-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\585d35cc-6653-4935- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\986c937cba011afe270827ad7153a4fc7500b99715f4f31bd930ef76e2e1b462"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ad04bcc4-cce3-45c0- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b80c5c9f-004b-42e3- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\571e01b0-615d-4c58- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f87e80a3-78d2-4651- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\87d7637bc207a81bdc50fd6c4b9162b8de395cd65525d1f68df3e641fa9d1c17"	RuntimeBroker.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exesihost.exe

pid	process
2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
2220	sihost.exe
2220	sihost.exe
2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
2220	sihost.exe
2220	sihost.exe
2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exesihost.exeRuntimeBroker.exeStartMenuExperienceHost.exe

description	pid	process
Token: SeDebugPrivilege	2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
Token: SeBackupPrivilege	2220	sihost.exe
Token: SeShutdownPrivilege	2988	RuntimeBroker.exe
Token: SeBackupPrivilege	2924	StartMenuExperienceHost.exe
Token: SeBackupPrivilege	2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exeDllHost.exesihost.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2092 wrote to memory of 2220	2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	sihost.exe
PID 2092 wrote to memory of 2236	2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	svchost.exe
PID 2092 wrote to memory of 2280	2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	taskhostw.exe
PID 2092 wrote to memory of 2520	2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	svchost.exe
PID 2092 wrote to memory of 2740	2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	DllHost.exe
PID 2092 wrote to memory of 2924	2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	StartMenuExperienceHost.exe
PID 2092 wrote to memory of 2988	2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	RuntimeBroker.exe
PID 2092 wrote to memory of 3060	2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	SearchApp.exe
PID 2092 wrote to memory of 2772	2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	RuntimeBroker.exe
PID 2092 wrote to memory of 3400	2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	RuntimeBroker.exe
PID 2092 wrote to memory of 3456	2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	RuntimeBroker.exe
PID 2092 wrote to memory of 1716	2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	backgroundTaskHost.exe
PID 2092 wrote to memory of 1652	2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	backgroundTaskHost.exe
PID 2092 wrote to memory of 2980	2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	BackgroundTransferHost.exe
PID 2740 wrote to memory of 5112	2740	DllHost.exe	WerFault.exe
PID 2740 wrote to memory of 5112	2740	DllHost.exe	WerFault.exe
PID 2220 wrote to memory of 1384	2220	sihost.exe	net.exe
PID 2220 wrote to memory of 1384	2220	sihost.exe	net.exe
PID 2092 wrote to memory of 3368	2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 2092 wrote to memory of 3368	2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 2092 wrote to memory of 1728	2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 2092 wrote to memory of 1728	2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 2220 wrote to memory of 5108	2220	sihost.exe	net.exe
PID 2220 wrote to memory of 5108	2220	sihost.exe	net.exe
PID 2092 wrote to memory of 5172	2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 2092 wrote to memory of 5172	2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 2092 wrote to memory of 4224	2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 2092 wrote to memory of 4224	2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 2220 wrote to memory of 3772	2220	sihost.exe	net.exe
PID 2220 wrote to memory of 3772	2220	sihost.exe	net.exe
PID 3368 wrote to memory of 5344	3368	net.exe	net1.exe
PID 3368 wrote to memory of 5344	3368	net.exe	net1.exe
PID 1728 wrote to memory of 5340	1728	net.exe	net1.exe
PID 1728 wrote to memory of 5340	1728	net.exe	net1.exe
PID 5108 wrote to memory of 5364	5108	net.exe	net1.exe
PID 5108 wrote to memory of 5364	5108	net.exe	net1.exe
PID 1384 wrote to memory of 5372	1384	net.exe	net1.exe
PID 1384 wrote to memory of 5372	1384	net.exe	net1.exe
PID 2092 wrote to memory of 5404	2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 2092 wrote to memory of 5404	2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 2092 wrote to memory of 5424	2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 2092 wrote to memory of 5424	2092	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 3772 wrote to memory of 5580	3772	net.exe	net1.exe
PID 3772 wrote to memory of 5580	3772	net.exe	net1.exe
PID 5424 wrote to memory of 5568	5424	net.exe	net1.exe
PID 5424 wrote to memory of 5568	5424	net.exe	net1.exe
PID 5172 wrote to memory of 5600	5172	net.exe	net1.exe
PID 5172 wrote to memory of 5600	5172	net.exe	net1.exe
PID 5404 wrote to memory of 5564	5404	net.exe	net1.exe
PID 4224 wrote to memory of 5592	4224	net.exe	net1.exe
PID 5404 wrote to memory of 5564	5404	net.exe	net1.exe
PID 4224 wrote to memory of 5592	4224	net.exe	net1.exe
PID 2220 wrote to memory of 5880	2220	sihost.exe	net.exe
PID 2220 wrote to memory of 5880	2220	sihost.exe	net.exe
PID 2220 wrote to memory of 5928	2220	sihost.exe	net.exe
PID 2220 wrote to memory of 5928	2220	sihost.exe	net.exe
PID 2220 wrote to memory of 5976	2220	sihost.exe	net.exe
PID 2220 wrote to memory of 5976	2220	sihost.exe	net.exe
PID 5976 wrote to memory of 6052	5976	net.exe	net1.exe
PID 5976 wrote to memory of 6052	5976	net.exe	net1.exe
PID 5880 wrote to memory of 6044	5880	net.exe	net1.exe
PID 5880 wrote to memory of 6044	5880	net.exe	net1.exe
PID 5928 wrote to memory of 6060	5928	net.exe	net1.exe
PID 5928 wrote to memory of 6060	5928	net.exe	net1.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1652

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:1716

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3456

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3400

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2772

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3060

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2924 -s 3012
2⤵
- Program crash
PID:5864

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2740 -s 948
2⤵
- Program crash
PID:5112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2520

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2236

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:5372

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5364

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3772

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5580

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5880

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:6044

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5928

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:6060

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5976

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6052

C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
"C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:5340

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3368

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:5344

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5592

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5600

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5404

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5564

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5424

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5568

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
PID:6100

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:5224

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
PID:6092

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:4332

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:6124

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1856

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:6116

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:216

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:4220

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2860

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:6140

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:4204

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:2980

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 2924 -ip 2924
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK
MD5
8650b370f7d087b1fec03e0677ea0d58

SHA1
141de4b73c855b4a757ea77a2c049dd6ea69e598

SHA256
23257fd81621c01aca4c19a7ed51daecb18e8b1f4f95578f2b7a372d3a914e81

SHA512
af24b42c52dcc5b908e97eab474436d77b18134ca5557e09a75f4342a6283cd06e6e5a33d3554ea43558438e12609ba7ee727cacd327f9e27890aac22fab0112

Download Submit
C:\Documents and Settings\Admin\.oracle_jre_usage\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\3D Objects\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\3D Objects\desktop.ini.RYK
MD5
2ceb69988849994a7a9007a5657a3984

SHA1
1f74d86c6c2b1ba6cbc038d94270d221890635c9

SHA256
ba8ec9c2f8b9daeaa37d84a5fffd3cb2e0b02a0e5c69b5d671fc37f28fb81ee0

SHA512
829de004720e097b0834da4e43ec2a5a1e4a16775ecd4cd8fe4743fde133f350ff2a21534c11e0cfa5913c5e9f7215c7dfbe7e42c7ce54160540bab7cbab1fd1

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK
MD5
a45738dd14bb1c5251934c24c36285f6

SHA1
52e64f25c9f0bbad108740311c194a891fd40c5f

SHA256
0a92f16e4d91d8828848621cd52d107d358a6474a5ed8efc59abffeb77043d7a

SHA512
1cf3b62fdd8413fe606983598668638bcfaf02f6f411d28689ecdaa8a53acd1dfe2955fbb1cdddf539289d1f4703da379b81c1bee397d7d4a0244e08eed66138

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK
MD5
2652337d5f2a03ccbf0ddf3a4275f464

SHA1
f4d50b521c78267eb8388f5bbfa533b609cd1d5f

SHA256
1ffca5aad0fd60adf72da61dd80fe83b187cbde78145144af45dedd6d88b02e0

SHA512
11e72ab6985e0991210271bcc42ee6929c91c79ec0a5f8b943c0ab309fe586661231cc005d25d42299cec62935e00e727058bcdf1f3fde0f4b8859e1ea2586fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK
MD5
de764ec51a0f58c2eea45e57525e1e39

SHA1
92db0975f0a6900447dffa40659a0a2b85d0f37a

SHA256
0246424cf48469fbb005c76dd13f93c81a9b472dc01c4f85f84d0c0db84c8f04

SHA512
54059ddf8dfaf0cb0603668808aacc721fb762544e7023f32eda7cb3f21dd940891de6f5475da47065019e96684dc7935c2de3d201d3fea4dbb09e4a53064ca1

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
MD5
5a8638986c15545767f341de2d0d0c78

SHA1
e95dd64a88681f949d2c5549947d488631f2d9b2

SHA256
2698c17edbaa1528f5c87978d520f537e6438418da2dae41365cbb1696de88a8

SHA512
96cb95c4b04e4fa69b3fc09bf79fa549294891b99b9dd8c814ab6859dd0bd5146a024751fcb74049ea2697b6a0166a2a92723af226af7dbc9c3db57ed4289ce4

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
MD5
fcac432da4ceebfc816865539dbdae97

SHA1
296183280041ee3f6fca7594503b63b74bd7c2d9

SHA256
145fa7d06c74a9e15151168a5aa2b1b20863156e59a748de034adbc29b947414

SHA512
814aa0de194ae80451a41da496b432ef321c7863e0b1351b7e41991383a5ae105bcc14e9ff6314066943894144a5c71dd2d436f79a41520ea2abfe05d829ede2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jcp
MD5
6727bb6da7d91251bbcfdc6e9a02c98a

SHA1
42b19d6250dfbca26a84270d7787b0d951f57b2e

SHA256
38626d338353fca6f0f438fbd4cd5c3c56d52d4b5701e724a68738d115fa2f37

SHA512
eb908e11f47df7f09901a41fa1e772725bf3f53d516acad970b2fb5281b2e2c2c3ab98ac11b61e40870f4a1e2c55423ba209550af1f430f78551eefecad4afd1

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx
MD5
27c56429929e8f95ce80f08947658189

SHA1
b9d3d06b29960784e102f0d1cf787abf019eef7c

SHA256
89ce1a1986cd8d7284b55374c084b75e2c27e01dc08bac625484ff00a942f263

SHA512
e7f4c7331f281680b57bce42db9051da7c1e6b5f8ac012ce75a32d9da819f191e4a58a2da71e378ad03b709204b6c96569de5502d5f735ad86ad12a39c0fe4b3

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx
MD5
9b61657106725992be2de0deb4afca4c

SHA1
e8f3d8c7a7ce68cecb7126c7b274213e16f480d8

SHA256
cfb644a0eded832343b36bf3b7d98a5cdcc8c3881b52d1845848e9ab50edc4bf

SHA512
5318b4e51ef01c22798194a7941bd5b1554641754be97d66378ceea8f35c5df791880ad38737f64c16ab415a4d6e0252b34558100253746059c673f08538b094

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm
MD5
c41f0714dd5ddc7ffa07f8fdde147ba1

SHA1
7feaae7b97f2c8ce795ec66e66003069ee6895df

SHA256
9675667a5b459027a1e56994fd8a328ffa50344bdfc1903be506af34da3ee4d9

SHA512
028b3560f227aea94e448b0de81acb5c9faab77dcafb4960d4bd2b21872b3fbe8767988484c8f04464c9a022fc3692bab9e5ccaaef25f30b013c448196d7a219

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol
MD5
1505ac49d874b394cd9edf4deda36bcf

SHA1
a88774eb399ad3c07f95985b2fb7948ee8baa81d

SHA256
2e44ffad7931f587bfa8d4ee252e9195b6bfe733c4676465bfa50b9d27ca1034

SHA512
068c4f35643f51c692720c33ec9f3ef28e8169daf4cde66b39d3d7e0fe3be8277406f515209ede671c127943787c20b43872bae6dd8caa00e7e99e65e989227e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK
MD5
91566ac63abd394d34acd71dce207c86

SHA1
5d9bae9ac30e936a53f12bfaab7c68d219008368

SHA256
9c7f86c1f81590c49fdf30492960b22c2dc82fd4e46867c6dd4ebc62ccad3d41

SHA512
1c905d4b4e5cb06b559b484f943af54c1f4894d2a0dabae589f090be82dbe80f2ceeef44bcde54c53c636238b192ccfd238ac187cbd90611d712def201c85d7f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db.RYK
MD5
db2ca64f536fa825f3297119871aebb5

SHA1
d6b3fb62fdcbcfbc109a39809f027eb1ba87c7f6

SHA256
6d1da09c75d658a99838510b6ee28f5f2b31b4bbdc60930222eda79a651ecf8f

SHA512
8a8f7e60e87cd55d537aceb624443b944332f1c9a07db782c7e76463aeb9883574ad495858d89ccca8d8e507fedf2cd91a3cbf2b893670a5ac63a9b42f4c3b0e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\AdobeSFX.log
MD5
47caa158658ac80bf6c83995814e139b

SHA1
a81962d6c98568c2f9ac7aa1bec496ce6daec4c2

SHA256
a7c442e703d674a17d0c8e20e4682c385b57e48a0e92a7a9d275850cba08d7cb

SHA512
868fa89e2beeff7d1a9e6e3357ee7112aa5d88bb863e5cc571d2e8b7a194f5cf22fdb1b81d271936323b5d2a89f354ce76d45b75297c1b05b32d7931652c1d99

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log
MD5
f62e8377ce799b8ec21e1363889fc7a9

SHA1
bb87186d48f743543183e9ab36312e4e550dd6bb

SHA256
53c8136915e572b144246ae42142486d7c12f1aa553f575bfe94855370999884

SHA512
1cb6e2a250378e24e1406574c2dae939f638164e830641b615754d1dfce595bacc5de4cc2a6657bf1a152d1aa18126ca23da7f3d1e45df784601fbffca3a78cb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\aria-debug-2324.log
MD5
01c162ddaa842c665d45b97b90b4acbb

SHA1
61ca296984a0bfe13b11f8b676c9472b8ae4d375

SHA256
1359cfd551886a17232bf3d85468e34ed429d3e53f0aad2ba602e4ca4ec4651f

SHA512
918af691f9e7a1af3dc6055b284fbf59d77cbcdb957cd7be20fef0e70b0e0e8e5ff31f669c16499e24545dcc7b24924e598764f916ad13d8beacce87563be044

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
MD5
d5f73bfc61bdca56ab83f036a25e8384

SHA1
d81a37d39009d665b3dad64e90fb02db099f6e5e

SHA256
1556c109ab18bbdd4ccd9576a04379f068961b553610c0ccf1033c097a38b10e

SHA512
d91d78989c7052791baf7445d0fd0d20cbfa5fb915a7592fc0eb86a7d3f74c598236285becd558b64f0d59adf09bd3a9d7dece44d9196c74b1ba792c38378503

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46A8.txt
MD5
e641215ad6ac2086e017c0e64838c0aa

SHA1
92fc66cebf948294c0173e03b7cdc299395e8db8

SHA256
3d70b8020e290744e1bff1c734be52d01d17f7bed4b1d76c123163d37b526cea

SHA512
554b27086523dfeb7ecf2e556d2e1851a1c046b5c1a2cdf8aceae7a2773e909f12fa09d63d0c8045128b3dc7fffb4505e519e49698e3ae1a727d568fbac4c105

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46E0.txt
MD5
1f964df42755cad300939768810d9742

SHA1
9c90f2c9ea2cb56cb4ce304fcc52958981aeff0b

SHA256
8c05c9a1b77234cc9bd1cb527585dca0c3c7666431146e77ac2cc38c6e993f02

SHA512
b45fb451ca4c665c1dc9c468d7f5d15f32b42c197faa2da5af48f1119b0aabd6cd3b50767857d236c01d48db3f3d9a1552a69ed5bcb9a9cbf75638ad7a81a3d4

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log
MD5
f048e5fff270591c7bd9840e92eb6639

SHA1
500a077f5cadc3829f839787d21b2fd83af9f6e0

SHA256
58afdfa77ed941fc5cb5bdef26418916ef9cfaf1e62985451ab86826e3bc0785

SHA512
fca88dd1dd8a242d730101e33a29a1ff90e26562794f8907b5754bde274797368991e296f994de54773db85101f16528a5af0f1d9544fa1364aa2df1fc248ee8

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00001.jrs.RYK
MD5
4caeb62ba9202cf032549b0ece66be8d

SHA1
061185b8ab97ed236fab2be502e43438752bc73a

SHA256
8e6aed06e3aea06de9b4ab438b69c6972cd69fb5d00d1150d343676a5a523e24

SHA512
7278018e51a710b85b084f46462e00bc21b918004e5cb59bc99f258f5cdc241feae314f4d0a85885dd1b07aa067085ea4e4ce622468574e4b748d9bcfffb1a95

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.jtx
MD5
bc178c31b2a6624d550c2056c5c1772d

SHA1
47661320da6d07424a351cd0010d8f5c9ccae3cb

SHA256
ed22a57cce790ddb27f54d4f46a4e72a3af4f883a94fcbd69d3900a102fea739

SHA512
bc6c85f02d7f9bb2d68342e4852aa6124832241bf9c4a9c89c43cf95437fe74e0bd1e454bd13efa9330d954e3fc83bf2640c9f44bcbd2df0fcf5335a871c4206

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.jtx
MD5
bc178c31b2a6624d550c2056c5c1772d

SHA1
47661320da6d07424a351cd0010d8f5c9ccae3cb

SHA256
ed22a57cce790ddb27f54d4f46a4e72a3af4f883a94fcbd69d3900a102fea739

SHA512
bc6c85f02d7f9bb2d68342e4852aa6124832241bf9c4a9c89c43cf95437fe74e0bd1e454bd13efa9330d954e3fc83bf2640c9f44bcbd2df0fcf5335a871c4206

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\temp\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\L.Admin.cdp
MD5
48ce28613d74befce37174f5cbfa9f44

SHA1
92a733e02a05bb1a28d336b5879eb9adada1df3a

SHA256
98b5156f9c74bee2938a6dcfe9d4cfa5f8806f76e6b75a4a080870cf6c736c7f

SHA512
6b04fcc95a8dfb6826ce79b67922f88b04649b6465d2d043f686b5b03a39bb57c912d7cbd6434c2779b4931a97174f8ec4589249663010c99f042b38491ed965

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\History.IE5\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\UsageLogs\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
MD5
c935ed1f454802602feab049875c44ab

SHA1
3ef9d65001618dae1c8113cc50902dc4cefb83b2

SHA256
b93f06232fb133cf2556c454aa207b74ef772452325b67534d51b1b0a834c729

SHA512
01d299436423266383f9a0162467db20a649f1d89f513b6832f703abe65f1c3145255626f5ef37bef4b2880bc81d5352e2a57cb853abbf88771c96e0a7ad04d3

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Web Data
MD5
1d1080837c225971c4cf0f2c8607df71

SHA1
a1aa6cba221a70b8a455cb1ae2334bf79f98beeb

SHA256
582d4a3f3814f6a51cfb00deac60158cd9659892292d0200134a62de89c36ef0

SHA512
dc191e780c38b88c8ee4ca651e976908ef8cb48bc31f04eda11619216226dde2777f1118cd70ea62c56bae9eab4c7bec39de2c6da97651ab4d6bbf839556dff9

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
memory/2220-130-0x00007FF761430000-0x00007FF7617C6000-memory.dmp

Filesize
3.6MB

Download
memory/2236-131-0x00007FF761430000-0x00007FF7617C6000-memory.dmp

Filesize
3.6MB

Download
memory/2740-195-0x000001B6B83C0000-0x000001B6B83C8000-memory.dmp

Filesize
32KB

Download
memory/2740-196-0x000001B6B8330000-0x000001B6B8331000-memory.dmp

Filesize
4KB

Download