Analysis Overview
SHA256
7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9
Threat Level: Known bad
The file 7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9 was found to be: Known bad.
Malicious Activity Summary
Ryuk
Suspicious use of NtCreateProcessExOtherParentProcess
Checks computer location settings
Drops desktop.ini file(s)
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Runs net.exe
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-20 05:28
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 05:28
Reported
2022-02-20 06:15
Platform
win7-en-20211208
Max time kernel
167s
Max time network
145s
Command Line
Signatures
Ryuk
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Contacts\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Favorites\Links\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Favorites\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\SendTo\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\My Music\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Desktop\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Downloads\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\taskhost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
"C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe"
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
Network
Files
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a
C:\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\RyukReadMe.txt
C:\Documents and Settings\Admin\RyukReadMe.txt
C:\Documents and Settings\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Acrobat\9.0\Cache\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\ACECache10.lst
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wscRGB.icc
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db
| MD5 | bd04e87b225eb94b3922552c26f7d0d6 |
| SHA1 | 3622e5ee64d4c35179ee0507b6a23d562c4cb44a |
| SHA256 | 5427dced9e819bb015617a01affc83cc0cf8fb73609ef996daebfe7d43122132 |
| SHA512 | 9ac99e9a7dee46b2f4b758e1aaa74a105fa1cdd25670b8397f5754a96774eb32be08f9d9ed596f8c5e8173fa341d3cc5c7789cb236ed64c9e19066641cbec7f8 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt
| MD5 | 55b3bfb09c9b34a5800004bbc9cd87d7 |
| SHA1 | 43fcc0be9f710cb7be8358908127cb31753f38dc |
| SHA256 | 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4 |
| SHA512 | b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt
| MD5 | 55b3bfb09c9b34a5800004bbc9cd87d7 |
| SHA1 | 43fcc0be9f710cb7be8358908127cb31753f38dc |
| SHA256 | 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4 |
| SHA512 | b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Admin.bmp
| MD5 | 8b2e355436bd0bca6ade0c53bbb778ca |
| SHA1 | 4d0ef586c18e48724c495a401ee05ecfe07a0168 |
| SHA256 | a98b0e1106191b7eb1f07b8163c1086f682c6e66d15da421bdefb37d64586c96 |
| SHA512 | 9c914f9bc94975c0c9a53c6800518c6fac39c36c74273620ce2d9189b790029d16659be5a47f444ee5723865f7650032e6250c5d1fcae61826bfaf39cad5df7b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
| MD5 | daaee19745115f0f6e8fd66696ced3e1 |
| SHA1 | 72de0111a5e21204db5425fe5e1bf24ac465ddd0 |
| SHA256 | 48d064093fbf29ac392524a65bb8a1f54776a1b2f1e838a5232a1d26ce0a4623 |
| SHA512 | d14a64f7b1f8dab5c18702d4ccf87454e22413541f78e486e643c4c87b17e564f3a7e5a14651391f9e8b304b574e23f799c9c969007ad884a7b27fe5284bf935 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00001.log
| MD5 | b55b4365ec2f23d34e3d3a7d1f154911 |
| SHA1 | e26c1a12978071960fd87ec408522b68a5acd07c |
| SHA256 | 845d01727535a5804b83bb208a75173eb75cc6d911dafbda2c6181207f0acee6 |
| SHA512 | 07b0b7e6698cdef7cda6849f2746547f2b52b1b74f41ca926593a8c8ecc19cd7c1220bab5d5469b66da3f43fcbbc546b04fef4781b26d23687779c18cca12304 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_SetupUtility.txt
| MD5 | bfe6998ccb5ff360e5c370adf26f0dd9 |
| SHA1 | c91a66241306357775b70534a3e5013f512e5d05 |
| SHA256 | e8d040a4fc0cea7f3f47a045c44fd553d9ab6288795c597a3bb1e877891a3ea5 |
| SHA512 | db461274785b66769d601fe7a31e4277ed74a5c66dc52e1dd4e18b314cb8a27b6286b4ce02f7042c41c6776ac5ba2ab4a8004f7abdc02abf801453619d53bf3a |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI1E30.txt
| MD5 | 6967b25d87b842568698ecb37abce46a |
| SHA1 | 8a1318a68f6c4f066ba2ba144454fa8724c12cb7 |
| SHA256 | 7e1a43e2569504f451b86184e037db5871350f8853fd7cf4eda880c6cc115efa |
| SHA512 | 1fad000af4b3755567167d5503da2e659abc6cd14ae58a1a80d4508bd79f18e29f401dcf027631fb4aa8dcfb3169b56f1af4b976ac626f3a7a5c13c851b30df4 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt
| MD5 | 55b3bfb09c9b34a5800004bbc9cd87d7 |
| SHA1 | 43fcc0be9f710cb7be8358908127cb31753f38dc |
| SHA256 | 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4 |
| SHA512 | b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\WPDNSE\RyukReadMe.txt
| MD5 | 55b3bfb09c9b34a5800004bbc9cd87d7 |
| SHA1 | 43fcc0be9f710cb7be8358908127cb31753f38dc |
| SHA256 | 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4 |
| SHA512 | b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGIFCB7.tmp-tmp
| MD5 | 0abfcccdf8685533d2dfdc753c0f2f3b |
| SHA1 | bdf2bfdad4e81021be944e50a0563dc2808c0f5b |
| SHA256 | 8aa6676af50ec903e139f210171074f7f344abf498cc0cc1a35bab5cf4ad9fb9 |
| SHA512 | c70227f6a76b5a6d249af81581cefe1c76085c03e8e18735826c7e3609fd58a712f48e3dc1779f9f97b59eae845b00ae8fb66f9f5e74e40e9bb893f3c70d2530 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log
| MD5 | 8ccdb9e5bda5079e23d226d8a454fc79 |
| SHA1 | ce4df2cb2dc78f77bf6064ee66a9832256ac59c5 |
| SHA256 | fa1ffb32a72536d8c8bf9764e06c958f059f488dd14baa84d789f9f61fbc1894 |
| SHA512 | 226b9f8ea37d50ae818e76f07eed7933f7b9cd2778c9c2722843b5cf1e6d814f646bccff18b37d2537fb596c370de2118a30ef1693fc2a43e83ae5d838f0af48 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install.log
| MD5 | 0ae1d5be1a4b04be7cda6a71958e9e72 |
| SHA1 | ea68903f0a6697dc70edc9fe5db538983f719af3 |
| SHA256 | 32061594378f9db5f9fc78ea644db87fe24a6b5bc19a7d11e7bfb5a0d5a613f1 |
| SHA512 | 08ee16c6142368851c7986444021f12ddb9a055bb7e479b24ea6183dc28218def4eef2eb154e32e6f3bd0eac89dc7d9880ae7a380310eb4893a927bcb57945f6 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.txt
| MD5 | 55b3bfb09c9b34a5800004bbc9cd87d7 |
| SHA1 | 43fcc0be9f710cb7be8358908127cb31753f38dc |
| SHA256 | 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4 |
| SHA512 | b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGIFCB7.tmp
| MD5 | 27fc87797acaba765e0bf29f523cd87b |
| SHA1 | 3eda9ba253b2067c1d8785cfa22ff8ef7330e4de |
| SHA256 | b8914a6b98a5412a3353ff65e655cf3fe21df32769ef401fff243ecb66b4ac43 |
| SHA512 | 59ad1249c4bd56b1fa4566564b053e844649b1ed38fcf31284570d0bcbe5fff3fea46e892678c1ac546254be68e8765e9524c7f82872da45639f7fe8c2fec0b6 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt
| MD5 | 55b3bfb09c9b34a5800004bbc9cd87d7 |
| SHA1 | 43fcc0be9f710cb7be8358908127cb31753f38dc |
| SHA256 | 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4 |
| SHA512 | b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.txt
| MD5 | 55b3bfb09c9b34a5800004bbc9cd87d7 |
| SHA1 | 43fcc0be9f710cb7be8358908127cb31753f38dc |
| SHA256 | 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4 |
| SHA512 | b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt
| MD5 | 55b3bfb09c9b34a5800004bbc9cd87d7 |
| SHA1 | 43fcc0be9f710cb7be8358908127cb31753f38dc |
| SHA256 | 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4 |
| SHA512 | b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini.RYK
| MD5 | 43cbcbcaac7c10df25a0a9a971470164 |
| SHA1 | 5f2fdb45b48aff6bb89409d5768a8800d5f11048 |
| SHA256 | 4f2f0acd8a08cb5a63df481a1cffa7cfc67c632a2245190d86324773226d86a5 |
| SHA512 | 42209d943801a6ec048441a4c80a7e028ebcf2c1b280426e966248f598550d783f293937c00b8e80804db4fb6778af24956628a1593cf656c0fbe2d1a4d6e7c1 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini
| MD5 | fad5ad4a8595abe2521c8fdb58a98996 |
| SHA1 | f969dc39f235069a5e07a5d70adeb399832e727d |
| SHA256 | c52983bdb1f1161aa017ba8791359eb52d41d3506d228531603bf00279717a09 |
| SHA512 | 6eba735d6d4c0977826bb52702c6c23eb67a4b68b18ce68b4cd30e4614846c9e5f92e57572b26fe665e9e5ab481128f08ce1c88eee119639845dafe214be1993 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini
| MD5 | 261a4386346e26b1ae3250aaec83508f |
| SHA1 | 2d124e70615167bd1c0658a282f33cc481663779 |
| SHA256 | fbe8e595029ecdc3834ff7d4388b26c1c2f53fafa3cb2120b9c05140d4dcb7de |
| SHA512 | b21d0943d7a2d04bf723a4e35d4e15553889cdcf429b494010018bcf47cd95273b7355ef9bb16629f0955a4dc10d064d2bb9b0180ad2e318620b46c681117c11 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini
| MD5 | 9c666da527327612c0ba8b70a2a3c6d2 |
| SHA1 | 6b7e7c01a92573b19bd9c32983e201b537965310 |
| SHA256 | dfc8feb18696fae1c9d1fa9cd4a277e13a72b0d8d7aa7eea8d869e3dd2fff01f |
| SHA512 | ef59b0bf16ead987cc3a6bb288bb2e81ddc60bcffd9d2354a0ec227ed221d76fe4595d749bedf6f871a8b3278d896d8772d5531f45caf33b90d343921e175ee7 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK
| MD5 | 324af71ab96814126f02ebcbb7ea7c92 |
| SHA1 | de0a94c696d0394d15b1b00f1c7b5844343d6800 |
| SHA256 | 353f327215089198bc25452b21d9b2af5646bf522deb9d3d46f45f2376fc7cdf |
| SHA512 | 2c67fa79646c0915eb7ffd45f272ff3931575bb5f22b471d35c2390ee8a9b67acfcf5fd60f09041d902aa55893f45bc1db5477f1245ef173cb9018390e0d707f |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini
| MD5 | 996a6ed50213dc056f7095808f6f6397 |
| SHA1 | 31f1c66d5c4eb2978e559eb62a2d1952eb43df30 |
| SHA256 | e4f1940cda1498bfe0029c5c8e982b08a5cbde79d2d7b4aff92aebeb8b376131 |
| SHA512 | d4d6d4290e740ca0427599cb887abc67219b5df42686ebac917a53e0ac56edd8c37d504e4cb7490c523d58d0dd6053de08ffba7da6206359d3cb448ac2ef275a |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini
| MD5 | 7e8f1a3d4573258a1eec5867a208a190 |
| SHA1 | 40c62f035bab6656f23ba6b92a8746b4617aa198 |
| SHA256 | 295c4c8071e6bbb4387385fe44244c428c500858dd3313fe911b12a87105cd11 |
| SHA512 | b0dfd8ca535523b39d8b3649aa38f0ef16937ad5e9d12f7c148b1996f7fb2f93afb3951c9f81f30e139c0f9382b3de6651cb7f98c719b129f075a5fd814864b8 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.txt
| MD5 | 55b3bfb09c9b34a5800004bbc9cd87d7 |
| SHA1 | 43fcc0be9f710cb7be8358908127cb31753f38dc |
| SHA256 | 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4 |
| SHA512 | b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak
| MD5 | 5065b10dd40bb314594895d30c5a42e7 |
| SHA1 | 146010526eaf565c37abd7b37875a303a0432c35 |
| SHA256 | d56e344952abb7c9833be7075ee9bd695e60e8cd77915d9642b5f17814d64eda |
| SHA512 | b9576a87d259fe185563ea09e9d56e3e1e49410c731cfa316a7413b3b93b16776a0afdf4d2f9e1d23b5d86db0db69bd5cbbb106cf6ff62a638e1674f742d89e8 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.txt
| MD5 | 55b3bfb09c9b34a5800004bbc9cd87d7 |
| SHA1 | 43fcc0be9f710cb7be8358908127cb31753f38dc |
| SHA256 | 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4 |
| SHA512 | b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.txt
| MD5 | 55b3bfb09c9b34a5800004bbc9cd87d7 |
| SHA1 | 43fcc0be9f710cb7be8358908127cb31753f38dc |
| SHA256 | 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4 |
| SHA512 | b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt
| MD5 | 55b3bfb09c9b34a5800004bbc9cd87d7 |
| SHA1 | 43fcc0be9f710cb7be8358908127cb31753f38dc |
| SHA256 | 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4 |
| SHA512 | b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\User\RyukReadMe.txt
| MD5 | 55b3bfb09c9b34a5800004bbc9cd87d7 |
| SHA1 | 43fcc0be9f710cb7be8358908127cb31753f38dc |
| SHA256 | 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4 |
| SHA512 | b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.txt
| MD5 | 55b3bfb09c9b34a5800004bbc9cd87d7 |
| SHA1 | 43fcc0be9f710cb7be8358908127cb31753f38dc |
| SHA256 | 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4 |
| SHA512 | b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.txt
| MD5 | 55b3bfb09c9b34a5800004bbc9cd87d7 |
| SHA1 | 43fcc0be9f710cb7be8358908127cb31753f38dc |
| SHA256 | 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4 |
| SHA512 | b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt
| MD5 | 55b3bfb09c9b34a5800004bbc9cd87d7 |
| SHA1 | 43fcc0be9f710cb7be8358908127cb31753f38dc |
| SHA256 | 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4 |
| SHA512 | b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.txt
| MD5 | 55b3bfb09c9b34a5800004bbc9cd87d7 |
| SHA1 | 43fcc0be9f710cb7be8358908127cb31753f38dc |
| SHA256 | 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4 |
| SHA512 | b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.txt
| MD5 | 55b3bfb09c9b34a5800004bbc9cd87d7 |
| SHA1 | 43fcc0be9f710cb7be8358908127cb31753f38dc |
| SHA256 | 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4 |
| SHA512 | b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\LocalMLS_3.wmdb
| MD5 | a31306420b1a1cc3ac6a92bf872cc0e4 |
| SHA1 | 8c38b8634d511ba0d6fc978d1f71e10537f26d7c |
| SHA256 | b0290943a3bb31b0a01bc096597645d596689e3a19316603038111f179c61d8a |
| SHA512 | 48ce14580a76ce6bb650052878e561a323382f7985afb2362033f5637ca4d7acf586c360d23928bc04ae70e69c13a2e55113f8036030ff3ae3662708d17c58a1 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.txt
| MD5 | 55b3bfb09c9b34a5800004bbc9cd87d7 |
| SHA1 | 43fcc0be9f710cb7be8358908127cb31753f38dc |
| SHA256 | 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4 |
| SHA512 | b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.txt
| MD5 | 55b3bfb09c9b34a5800004bbc9cd87d7 |
| SHA1 | 43fcc0be9f710cb7be8358908127cb31753f38dc |
| SHA256 | 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4 |
| SHA512 | b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.txt
| MD5 | 55b3bfb09c9b34a5800004bbc9cd87d7 |
| SHA1 | 43fcc0be9f710cb7be8358908127cb31753f38dc |
| SHA256 | 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4 |
| SHA512 | b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\oeold.xml
| MD5 | f5eff849442c3baae64bc20353ebe19a |
| SHA1 | 12bf93fb9f53e29e2516c461dcc89c150ec07bac |
| SHA256 | d6d58ad7a00326e6217b674d9ea2a125f47850d728d1e405a01339166f5ce366 |
| SHA512 | 49e6e71d62805fcc82e349f10d57b297714591fcd3642de2176ac2915c4e57045e116ebeda9779e535b0fa7bfcea2c366aff59e4bc573fbf152dbf16c941b3f8 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.htm
| MD5 | 15be8497c108ad8210dffb644458c45f |
| SHA1 | c406ad1c9e6f56da6dc96396353b331f196cc351 |
| SHA256 | 338544072b1fdfdef0ca7774fdb949db8e0cfbe38dbe91450670b20107cf1b44 |
| SHA512 | 71ba6aaf9b77d05713db4fabba2e6bd407f703c8940bbf48abd7af1171424f6159c2582037d01bf26e31a3bd8f39be2f7a896ac6ee7780313bda8dfdb75a3048 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Stars.htm
| MD5 | 7a7d65e9214e69e1247501a8a627d833 |
| SHA1 | 5c202c61a525f5bc646b92496e714ab72e005d87 |
| SHA256 | d2c97debbd6dcf704d474c4dd7fe56f3b763e8d6b5f49135f570972b1fe4134c |
| SHA512 | 9fd91bb2e8c5c4c893231955fcfaca7898f906d0152b2667a84cfc5a5a7047fd8575d4a5b77ecb32b96db4094f70f17a526b6cc4e14d769ae1984727ddf87f34 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Roses.htm
| MD5 | 1cc3496870b33725679dbd389f3f7c53 |
| SHA1 | ff03ab527da353efad2a344ddf0bf59454674786 |
| SHA256 | 9ef629f312ac3f9e513531a170133d1124a3fc731155e36132bff7d1f08466e2 |
| SHA512 | a8ff34c3b2129262ed8bdaacbe855223a6d2ff0362798be95229d6ec13a5f9f49e2f0674b84ca4cf0fa4209e4695e47d205ca2ab5dab28544e760f5726ad170a |
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 05:28
Reported
2022-02-20 06:16
Platform
win10v2004-en-20220112
Max time kernel
177s
Max time network
185s
Command Line
Signatures
Ryuk
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4940 created 2924 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Documents and Settings\Admin\3D Objects\desktop.ini | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini | C:\Windows\system32\sihost.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\DllHost.exe |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\585d35cc-6653-4935- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\571e01b0-615d-4c58- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\fd952d82bf3e368f3a81b1cf0f18903d9328ee9b7784222a1595c0fb321a631a" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f87e80a3-78d2-4651- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\571e01b0-615d-4c58- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e67568ec-fac0-4769- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\585d35cc-6653-4935- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e67568ec-fac0-4769- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2e495218-3b13-4c15- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f87e80a3-78d2-4651- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\585d35cc-6653-4935- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b80c5c9f-004b-42e3- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\571e01b0-615d-4c58- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e67568ec-fac0-4769- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c847a8a3-3c69-4a12- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ad04bcc4-cce3-45c0- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2e495218-3b13-4c15- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f87e80a3-78d2-4651- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c847a8a3-3c69-4a12- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\fc41e1a9abef38935bd0e09bf57e090b5a28ab74d458558a9da50645ff570b56" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f87e80a3-78d2-4651- = 5c6124782926d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f87e80a3-78d2-4651- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b80c5c9f-004b-42e3- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\571e01b0-615d-4c58- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c847a8a3-3c69-4a12- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c847a8a3-3c69-4a12- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f87e80a3-78d2-4651- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\585d35cc-6653-4935- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\585d35cc-6653-4935- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ad04bcc4-cce3-45c0- = f016af792926d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ad04bcc4-cce3-45c0- = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ad04bcc4-cce3-45c0- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c847a8a3-3c69-4a12- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e67568ec-fac0-4769- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\585d35cc-6653-4935- = c29fa5792926d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2e495218-3b13-4c15- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f87e80a3-78d2-4651- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e67568ec-fac0-4769- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2e495218-3b13-4c15- = da4ac0792926d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b80c5c9f-004b-42e3- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\003d700e7cb7272d4d79b7b5359c4d1558d13e3f361560316e6ed1c6f63512ac" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b80c5c9f-004b-42e3- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\571e01b0-615d-4c58- = 8dd8d0792926d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e67568ec-fac0-4769- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2c86c864-fab1-4ce7- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c847a8a3-3c69-4a12- = 97ef83662926d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ad04bcc4-cce3-45c0- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\571e01b0-615d-4c58- = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e67568ec-fac0-4769- = c7470aaa2926d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\585d35cc-6653-4935- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2e495218-3b13-4c15- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2e495218-3b13-4c15- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\b676c9116b9d2b1bc57089f522ce3b52b9a6c056406b202e6787b5016e9c1ee7" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e67568ec-fac0-4769- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\003d700e7cb7272d4d79b7b5359c4d1558d13e3f361560316e6ed1c6f63512ac" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c847a8a3-3c69-4a12- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ad04bcc4-cce3-45c0- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ad04bcc4-cce3-45c0- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\e4b6cf7835c0c61248be30e9e9baacb20c910d31f24fa2476cc35ab2c9acbf4c" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2e495218-3b13-4c15- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2e495218-3b13-4c15- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b80c5c9f-004b-42e3- = b0bcc8792926d801 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\571e01b0-615d-4c58- | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\585d35cc-6653-4935- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\986c937cba011afe270827ad7153a4fc7500b99715f4f31bd930ef76e2e1b462" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ad04bcc4-cce3-45c0- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b80c5c9f-004b-42e3- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\571e01b0-615d-4c58- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f87e80a3-78d2-4651- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\87d7637bc207a81bdc50fd6c4b9162b8de395cd65525d1f68df3e641fa9d1c17" | C:\Windows\System32\RuntimeBroker.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\sihost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
"C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe"
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2740 -s 948
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 2924 -ip 2924
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2924 -s 3012
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | | tcp |
| NL | 92.123.77.56:80 | | tcp |
| NL | 92.123.77.56:80 | | tcp |
| NL | 104.80.224.57:443 | | tcp |
Files
memory/2220-130-0x00007FF761430000-0x00007FF7617C6000-memory.dmp
memory/2236-131-0x00007FF761430000-0x00007FF7617C6000-memory.dmp
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2
C:\Documents and Settings\Admin\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\RyukReadMe.txt
C:\Documents and Settings\Admin\3D Objects\RyukReadMe.txt
C:\Documents and Settings\Admin\.oracle_jre_usage\RyukReadMe.txt
C:\Documents and Settings\RyukReadMe.txt
C:\RyukReadMe.txt
C:\Documents and Settings\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK
C:\Documents and Settings\Admin\3D Objects\desktop.ini.RYK
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jcp
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db.RYK
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\aria-debug-2324.log
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46E0.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\temp\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\AdobeSFX.log
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46A8.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00001.jrs.RYK
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.jtx
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\L.Admin.cdp
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\History.IE5\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.jtx
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\UsageLogs\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Web Data
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt
memory/2740-195-0x000001B6B83C0000-0x000001B6B83C8000-memory.dmp
memory/2740-196-0x000001B6B8330000-0x000001B6B8331000-memory.dmp