Malware Analysis Report

2024-10-19 06:16

Sample ID: 220220-f6esjaabfn
Target: 7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9
SHA256: 7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9
Tags: ryuk ransomware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9
Threat Level: Known bad

The file 7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9 was found to be: Known bad.

Malicious Activity Summary

Tags: ryuk ransomware

- Ryuk
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks computer location settings
- Drops desktop.ini file(s)
- Program crash
- Enumerates physical storage devices
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Runs net.exe
- Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-02-20 05:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-02-20 05:28
Reported: 2022-02-20 06:15
Platform: win7-en-20211208
Max time kernel: 167s
Max time network: 145s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

Ryuk (tags: ransomware ryuk)

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\Admin\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\Admin\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\Admin\Contacts\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\Favorites\Links\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\Admin\Favorites\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\Documents\My Music\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\Desktop\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\Downloads\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\Admin\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
File opened for modification C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\taskhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 604 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\system32\taskhost.exe
PID 604 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 604 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 604 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 604 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 604 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 604 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 604 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\system32\Dwm.exe
PID 604 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 604 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 604 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 568 wrote to memory of 1352 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 568 wrote to memory of 1352 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 568 wrote to memory of 1352 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 432 wrote to memory of 316 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 432 wrote to memory of 316 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 432 wrote to memory of 316 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1324 wrote to memory of 392 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1324 wrote to memory of 392 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1324 wrote to memory of 392 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 604 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 604 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 604 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 1644 wrote to memory of 1364 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1644 wrote to memory of 1364 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1644 wrote to memory of 1364 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1112 wrote to memory of 1188 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1112 wrote to memory of 1188 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1112 wrote to memory of 1188 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1188 wrote to memory of 880 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1188 wrote to memory of 880 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1188 wrote to memory of 880 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 604 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 604 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 604 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 1112 wrote to memory of 1772 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1112 wrote to memory of 1772 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1112 wrote to memory of 1772 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 836 wrote to memory of 1956 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 836 wrote to memory of 1956 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 836 wrote to memory of 1956 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1772 wrote to memory of 584 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1772 wrote to memory of 584 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1772 wrote to memory of 584 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 604 wrote to memory of 16448 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 604 wrote to memory of 16448 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 604 wrote to memory of 16448 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 16448 wrote to memory of 16472 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 16448 wrote to memory of 16472 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 16448 wrote to memory of 16472 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 604 wrote to memory of 16772 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 604 wrote to memory of 16772 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 604 wrote to memory of 16772 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 1112 wrote to memory of 16780 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1112 wrote to memory of 16780 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1112 wrote to memory of 16780 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 16772 wrote to memory of 16820 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 16772 wrote to memory of 16820 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 16772 wrote to memory of 16820 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 16780 wrote to memory of 16828 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 16780 wrote to memory of 16828 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 16780 wrote to memory of 16828 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 604 wrote to memory of 17172 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 604 wrote to memory of 17172 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe

Processes

C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
C:\Windows\system32\taskhost.exe
    "taskhost.exe"
C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
    "C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe"
C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "spooler" /y
C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "spooler" /y
C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y

Network

N/A

Files

memory/604-55-0x000007FEFB531000-0x000007FEFB533000-memory.dmp

memory/1112-56-0x000000013F410000-0x000000013F7A6000-memory.dmp

memory/1112-57-0x000000013F410000-0x000000013F7A6000-memory.dmp

memory/1176-59-0x000000013F410000-0x000000013F7A6000-memory.dmp

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a

MD5 93a5aadeec082ffc1bca5aa27af70f52
SHA1 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256 a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SHA512 df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

C:\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Acrobat\9.0\Cache\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst

MD5 14a37196360f7ab8daa2017fa1df4833
SHA1 697834169d99e743ac533e641da0df568fa22a1a
SHA256 854677320c21ad801ef20e60e85db8272eaf8bf02ddd9aaaedbcc03cdb92b2fd
SHA512 1fb797a6b97485f5d21d8f1a03039ae1bcd70e731035ae98b755e0a1ef95f32b25fe4039a5cd80519fb105145699ddc5ff583a54b374f145d7136b93593401fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini

MD5 b27f81ea9bea8287015dda6e11fd5755
SHA1 81d5fd0ae0ccaf62e50d0ae6e429aa6738aa1442
SHA256 a976b23a66494b428c6f0700a869adf67f9de73f1b08693344c082233d013dfc
SHA512 36157ad35199f3ecbaafbe5137cdbd1722f7057941689e5ad0c173f29dd161f5fdece6dbfcf6dd6d9ddd735f73fc22cf1433cc7b233a3cf11c8ed8250b0c1456

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc

MD5 014cb9413db5c3d1e8d7d16db795d357
SHA1 d22f63cc63873c9e2edaa8dca88e3b62f4022c2c
SHA256 c91871c285908129ba11b814a1f9fd5f76da2374498fa73b12c7a6aeda112406
SHA512 67e0b05b14a27f6d06a14622f7971e985289f809c4e5e4eb2adefaea145348c3f521754aef8320120fe5cb844532f96cfc7288c952992611a13dad56fda6809b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\ACECache10.lst

MD5 d4bf4909aa9b418895582e3b3b0e7723
SHA1 e397694178e70f62c844028c35400f12a469c37e
SHA256 1822c8d567b195238e373f8952532e85f5a5fd94eb0ef13b70d360ce55c29f59
SHA512 efb364f80481a9d4027d5b08837ba297a716c55dc1d7a154ed705113bc8235f26a4af7c79f4998e4a17cabe83a97e01a79a7a93c18c83de29e6adeb1a094a28a

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wscRGB.icc

MD5 26cc0cbbbaa0ba60004a15738f69c56b
SHA1 bfb68adb4288839a4f824fb9907dee9d93c00051
SHA256 0b0e4567598f76cf13781a7f63eebe76fc804924b5619b1af0e6a336a11eec51
SHA512 f44314d910a92e6d24af5525ba23fb62be7604cf39d816152681310c4a05f13f3bdc717a84a31e942b44774c1a4bba69071be77be7e810c1ecd04bb12a63e6d1

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db

MD5 bd04e87b225eb94b3922552c26f7d0d6
SHA1 3622e5ee64d4c35179ee0507b6a23d562c4cb44a
SHA256 5427dced9e819bb015617a01affc83cc0cf8fb73609ef996daebfe7d43122132
SHA512 9ac99e9a7dee46b2f4b758e1aaa74a105fa1cdd25670b8397f5754a96774eb32be08f9d9ed596f8c5e8173fa341d3cc5c7789cb236ed64c9e19066641cbec7f8

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Admin.bmp

MD5 8b2e355436bd0bca6ade0c53bbb778ca
SHA1 4d0ef586c18e48724c495a401ee05ecfe07a0168
SHA256 a98b0e1106191b7eb1f07b8163c1086f682c6e66d15da421bdefb37d64586c96
SHA512 9c914f9bc94975c0c9a53c6800518c6fac39c36c74273620ce2d9189b790029d16659be5a47f444ee5723865f7650032e6250c5d1fcae61826bfaf39cad5df7b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log

MD5 daaee19745115f0f6e8fd66696ced3e1
SHA1 72de0111a5e21204db5425fe5e1bf24ac465ddd0
SHA256 48d064093fbf29ac392524a65bb8a1f54776a1b2f1e838a5232a1d26ce0a4623
SHA512 d14a64f7b1f8dab5c18702d4ccf87454e22413541f78e486e643c4c87b17e564f3a7e5a14651391f9e8b304b574e23f799c9c969007ad884a7b27fe5284bf935

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00001.log

MD5 b55b4365ec2f23d34e3d3a7d1f154911
SHA1 e26c1a12978071960fd87ec408522b68a5acd07c
SHA256 845d01727535a5804b83bb208a75173eb75cc6d911dafbda2c6181207f0acee6
SHA512 07b0b7e6698cdef7cda6849f2746547f2b52b1b74f41ca926593a8c8ecc19cd7c1220bab5d5469b66da3f43fcbbc546b04fef4781b26d23687779c18cca12304

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_SetupUtility.txt

MD5 bfe6998ccb5ff360e5c370adf26f0dd9
SHA1 c91a66241306357775b70534a3e5013f512e5d05
SHA256 e8d040a4fc0cea7f3f47a045c44fd553d9ab6288795c597a3bb1e877891a3ea5
SHA512 db461274785b66769d601fe7a31e4277ed74a5c66dc52e1dd4e18b314cb8a27b6286b4ce02f7042c41c6776ac5ba2ab4a8004f7abdc02abf801453619d53bf3a

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI1E30.txt

MD5 6967b25d87b842568698ecb37abce46a
SHA1 8a1318a68f6c4f066ba2ba144454fa8724c12cb7
SHA256 7e1a43e2569504f451b86184e037db5871350f8853fd7cf4eda880c6cc115efa
SHA512 1fad000af4b3755567167d5503da2e659abc6cd14ae58a1a80d4508bd79f18e29f401dcf027631fb4aa8dcfb3169b56f1af4b976ac626f3a7a5c13c851b30df4

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\WPDNSE\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGIFCB7.tmp-tmp

MD5 0abfcccdf8685533d2dfdc753c0f2f3b
SHA1 bdf2bfdad4e81021be944e50a0563dc2808c0f5b
SHA256 8aa6676af50ec903e139f210171074f7f344abf498cc0cc1a35bab5cf4ad9fb9
SHA512 c70227f6a76b5a6d249af81581cefe1c76085c03e8e18735826c7e3609fd58a712f48e3dc1779f9f97b59eae845b00ae8fb66f9f5e74e40e9bb893f3c70d2530

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log

MD5 8ccdb9e5bda5079e23d226d8a454fc79
SHA1 ce4df2cb2dc78f77bf6064ee66a9832256ac59c5
SHA256 fa1ffb32a72536d8c8bf9764e06c958f059f488dd14baa84d789f9f61fbc1894
SHA512 226b9f8ea37d50ae818e76f07eed7933f7b9cd2778c9c2722843b5cf1e6d814f646bccff18b37d2537fb596c370de2118a30ef1693fc2a43e83ae5d838f0af48

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install.log

MD5 0ae1d5be1a4b04be7cda6a71958e9e72
SHA1 ea68903f0a6697dc70edc9fe5db538983f719af3
SHA256 32061594378f9db5f9fc78ea644db87fe24a6b5bc19a7d11e7bfb5a0d5a613f1
SHA512 08ee16c6142368851c7986444021f12ddb9a055bb7e479b24ea6183dc28218def4eef2eb154e32e6f3bd0eac89dc7d9880ae7a380310eb4893a927bcb57945f6

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGIFCB7.tmp

MD5 27fc87797acaba765e0bf29f523cd87b
SHA1 3eda9ba253b2067c1d8785cfa22ff8ef7330e4de
SHA256 b8914a6b98a5412a3353ff65e655cf3fe21df32769ef401fff243ecb66b4ac43
SHA512 59ad1249c4bd56b1fa4566564b053e844649b1ed38fcf31284570d0bcbe5fff3fea46e892678c1ac546254be68e8765e9524c7f82872da45639f7fe8c2fec0b6

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini.RYK

MD5 43cbcbcaac7c10df25a0a9a971470164
SHA1 5f2fdb45b48aff6bb89409d5768a8800d5f11048
SHA256 4f2f0acd8a08cb5a63df481a1cffa7cfc67c632a2245190d86324773226d86a5
SHA512 42209d943801a6ec048441a4c80a7e028ebcf2c1b280426e966248f598550d783f293937c00b8e80804db4fb6778af24956628a1593cf656c0fbe2d1a4d6e7c1

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini

MD5 fad5ad4a8595abe2521c8fdb58a98996
SHA1 f969dc39f235069a5e07a5d70adeb399832e727d
SHA256 c52983bdb1f1161aa017ba8791359eb52d41d3506d228531603bf00279717a09
SHA512 6eba735d6d4c0977826bb52702c6c23eb67a4b68b18ce68b4cd30e4614846c9e5f92e57572b26fe665e9e5ab481128f08ce1c88eee119639845dafe214be1993

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini

MD5 261a4386346e26b1ae3250aaec83508f
SHA1 2d124e70615167bd1c0658a282f33cc481663779
SHA256 fbe8e595029ecdc3834ff7d4388b26c1c2f53fafa3cb2120b9c05140d4dcb7de
SHA512 b21d0943d7a2d04bf723a4e35d4e15553889cdcf429b494010018bcf47cd95273b7355ef9bb16629f0955a4dc10d064d2bb9b0180ad2e318620b46c681117c11

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini

MD5 9c666da527327612c0ba8b70a2a3c6d2
SHA1 6b7e7c01a92573b19bd9c32983e201b537965310
SHA256 dfc8feb18696fae1c9d1fa9cd4a277e13a72b0d8d7aa7eea8d869e3dd2fff01f
SHA512 ef59b0bf16ead987cc3a6bb288bb2e81ddc60bcffd9d2354a0ec227ed221d76fe4595d749bedf6f871a8b3278d896d8772d5531f45caf33b90d343921e175ee7

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK

MD5 324af71ab96814126f02ebcbb7ea7c92
SHA1 de0a94c696d0394d15b1b00f1c7b5844343d6800
SHA256 353f327215089198bc25452b21d9b2af5646bf522deb9d3d46f45f2376fc7cdf
SHA512 2c67fa79646c0915eb7ffd45f272ff3931575bb5f22b471d35c2390ee8a9b67acfcf5fd60f09041d902aa55893f45bc1db5477f1245ef173cb9018390e0d707f

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini

MD5 996a6ed50213dc056f7095808f6f6397
SHA1 31f1c66d5c4eb2978e559eb62a2d1952eb43df30
SHA256 e4f1940cda1498bfe0029c5c8e982b08a5cbde79d2d7b4aff92aebeb8b376131
SHA512 d4d6d4290e740ca0427599cb887abc67219b5df42686ebac917a53e0ac56edd8c37d504e4cb7490c523d58d0dd6053de08ffba7da6206359d3cb448ac2ef275a

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini

MD5 7e8f1a3d4573258a1eec5867a208a190
SHA1 40c62f035bab6656f23ba6b92a8746b4617aa198
SHA256 295c4c8071e6bbb4387385fe44244c428c500858dd3313fe911b12a87105cd11
SHA512 b0dfd8ca535523b39d8b3649aa38f0ef16937ad5e9d12f7c148b1996f7fb2f93afb3951c9f81f30e139c0f9382b3de6651cb7f98c719b129f075a5fd814864b8

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak

MD5 5065b10dd40bb314594895d30c5a42e7
SHA1 146010526eaf565c37abd7b37875a303a0432c35
SHA256 d56e344952abb7c9833be7075ee9bd695e60e8cd77915d9642b5f17814d64eda
SHA512 b9576a87d259fe185563ea09e9d56e3e1e49410c731cfa316a7413b3b93b16776a0afdf4d2f9e1d23b5d86db0db69bd5cbbb106cf6ff62a638e1674f742d89e8

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\User\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\LocalMLS_3.wmdb

MD5 a31306420b1a1cc3ac6a92bf872cc0e4
SHA1 8c38b8634d511ba0d6fc978d1f71e10537f26d7c
SHA256 b0290943a3bb31b0a01bc096597645d596689e3a19316603038111f179c61d8a
SHA512 48ce14580a76ce6bb650052878e561a323382f7985afb2362033f5637ca4d7acf586c360d23928bc04ae70e69c13a2e55113f8036030ff3ae3662708d17c58a1

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\oeold.xml

MD5 f5eff849442c3baae64bc20353ebe19a
SHA1 12bf93fb9f53e29e2516c461dcc89c150ec07bac
SHA256 d6d58ad7a00326e6217b674d9ea2a125f47850d728d1e405a01339166f5ce366
SHA512 49e6e71d62805fcc82e349f10d57b297714591fcd3642de2176ac2915c4e57045e116ebeda9779e535b0fa7bfcea2c366aff59e4bc573fbf152dbf16c941b3f8

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.htm

MD5 15be8497c108ad8210dffb644458c45f
SHA1 c406ad1c9e6f56da6dc96396353b331f196cc351
SHA256 338544072b1fdfdef0ca7774fdb949db8e0cfbe38dbe91450670b20107cf1b44
SHA512 71ba6aaf9b77d05713db4fabba2e6bd407f703c8940bbf48abd7af1171424f6159c2582037d01bf26e31a3bd8f39be2f7a896ac6ee7780313bda8dfdb75a3048

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Stars.htm

MD5 7a7d65e9214e69e1247501a8a627d833
SHA1 5c202c61a525f5bc646b92496e714ab72e005d87
SHA256 d2c97debbd6dcf704d474c4dd7fe56f3b763e8d6b5f49135f570972b1fe4134c
SHA512 9fd91bb2e8c5c4c893231955fcfaca7898f906d0152b2667a84cfc5a5a7047fd8575d4a5b77ecb32b96db4094f70f17a526b6cc4e14d769ae1984727ddf87f34

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Roses.htm

MD5 1cc3496870b33725679dbd389f3f7c53
SHA1 ff03ab527da353efad2a344ddf0bf59454674786
SHA256 9ef629f312ac3f9e513531a170133d1124a3fc731155e36132bff7d1f08466e2
SHA512 a8ff34c3b2129262ed8bdaacbe855223a6d2ff0362798be95229d6ec13a5f9f49e2f0674b84ca4cf0fa4209e4695e47d205ca2ab5dab28544e760f5726ad170a
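
Two things in the file list are directly usable for a post-incident sweep: every `RyukReadMe.txt` shares the same SHA-256 (`3921b5...0be4`), and encrypted files carry the `.RYK` extension (`desktop.ini.RYK`, `FeedsStore.feedsdb-ms.RYK`). A third detail is a trap for the responder: the repeated `Application Data\Application Data\...` segments show the encryptor recursing through the Windows 7 `Application Data` junction back into `Local`, and a sweep script that follows links the same way never finishes. The sweep below is an added example, not part of the sandbox report. It walks a tree without following links, visits each directory identity once, caps depth as a second guard, buckets notes by whether their hash matches the report's, and collects `.RYK` files. The victim tree it builds under a temporary directory is constructed so the code runs offline; its note is deliberately not the real one, so it lands in the "other" bucket when checked against the report's hash.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Set

# Indicators taken from the report: every dropped note shares one SHA-256 and
# encrypted files carry the .RYK extension.
RYUK_NOTE_NAME = "RyukReadMe.txt"
RYUK_NOTE_SHA256: Set[str] = {"3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4"}
RYUK_EXTENSION = ".ryk"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, known_note_hashes: Set[str] = RYUK_NOTE_SHA256, max_depth: int = 32) -> Dict[str, List[str]]:
    """Collect ransom notes and encrypted files under root.

    Links are not followed and each directory identity (st_dev, st_ino) is
    visited once, which is what stops the 'Application Data' junction loop
    visible in the report's paths; max_depth is a second, cheaper guard.
    """
    root = Path(root)
    found: Dict[str, List[str]] = {"notes_matching": [], "notes_other": [], "encrypted": []}
    seen = set()
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        st = os.stat(dirpath)
        key = (st.st_dev, st.st_ino) if st.st_ino else None   # some filesystems report 0
        depth = len(Path(dirpath).relative_to(root).parts)
        if (key is not None and key in seen) or depth > max_depth:
            dirnames[:] = []          # prune: do not descend any further here
            continue
        if key is not None:
            seen.add(key)
        for name in filenames:
            p = Path(dirpath) / name
            if name == RYUK_NOTE_NAME:
                bucket = "notes_matching" if sha256_file(p) in known_note_hashes else "notes_other"
                found[bucket].append(str(p))
            elif p.suffix.lower() == RYUK_EXTENSION:
                found["encrypted"].append(str(p))
    return {k: sorted(v) for k, v in found.items()}


def build_sample_tree(base: Path) -> str:
    """Write a constructed victim tree (not sandbox output) and return the
    SHA-256 of the note it drops so the sweep can be exercised offline."""
    note = b"(constructed sample note, not the real RyukReadMe.txt)\n"
    local = base / "Users" / "Admin" / "AppData" / "Local"
    for d in (base, base / "Users" / "Admin", local):
        d.mkdir(parents=True, exist_ok=True)
        (d / RYUK_NOTE_NAME).write_bytes(note)
    (base / "Users" / "Admin" / "desktop.ini.RYK").write_bytes(os.urandom(64))
    (local / "IconCache.db.RYK").write_bytes(os.urandom(64))
    (base / "Users" / "Admin" / "clean.txt").write_bytes(b"untouched\n")
    try:   # imitate the Local -> 'Application Data' loop; link creation may need privileges
        os.symlink(local, local / "Application Data", target_is_directory=True)
    except (OSError, NotImplementedError):
        pass
    return hashlib.sha256(note).hexdigest()


def demo() -> Dict[str, int]:
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        constructed_hash = build_sample_tree(base)
        vs_constructed = sweep(base, known_note_hashes={constructed_hash})
        vs_report = sweep(base)      # the report's hash: constructed notes will not match
        return {
            "notes_verified": len(vs_constructed["notes_matching"]),
            "encrypted": len(vs_constructed["encrypted"]),
            "notes_unverified_vs_report": len(vs_report["notes_other"]),
            "notes_verified_vs_report": len(vs_report["notes_matching"]),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Hashing the note rather than matching its name is what turns a file listing into evidence: a note with the report's hash ties the host to this exact sample, while a `RyukReadMe.txt` with a different hash is a different build or a copy someone edited, and should be kept and compared rather than counted.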

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-20 05:28

Reported

2022-02-20 06:16

Platform

win10v2004-en-20220112

Max time kernel

177s

Max time network

185s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

Ryuk

ransomware ryuk

Suspicious use of NtCreateProcessExOtherParentProcess

Description Indicator Process Target
PID 4940 created 2924 N/A C:\Windows\system32\WerFault.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
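
This signature fires whenever a process is created with a nominal parent that differs from the process that issued the create call. The row above involves `WerFault.exe`, which is the normal shape of Windows Error Reporting: the WER service starts the fault handler and attaches it to the crashing process as parent, and the report's own "Program crash" signature and memory dumps point the same way. The same mechanism is what a loader uses to hide its lineage under `explorer.exe`, so the check is worth keeping, with that one shape allowlisted. The detector below is an added example, not part of the sandbox report. It assumes telemetry that records both the issuing process and the nominal parent (Sysmon Event ID 1 alone records only the nominal parent, so the `creator_pid` field is an assumption about your event source); the PIDs and images in the sample are constructed and do not reuse the report's.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class ProcessStart:
    creator_pid: int      # PID that issued the create call (assumed to be in the telemetry)
    creator_image: str
    new_pid: int
    image: str            # image of the process that was created
    parent_pid: int       # nominal parent attached to the new process
    parent_image: str


# Constructed telemetry; PIDs and images are made up for the example.
SAMPLE: List[ProcessStart] = [
    # ordinary creation: creator and nominal parent agree
    ProcessStart(3000, r"C:\Windows\System32\cmd.exe",
                 3010, r"C:\Windows\System32\net.exe",
                 3000, r"C:\Windows\System32\cmd.exe"),
    # WER launching the fault handler on behalf of a crashed process
    ProcessStart(900, r"C:\Windows\System32\svchost.exe",
                 5100, r"C:\Windows\system32\WerFault.exe",
                 2300, r"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"),
    # a dropped executable spawning a child under explorer.exe's PID
    ProcessStart(4100, r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
                 4200, r"C:\Windows\System32\cmd.exe",
                 1500, r"C:\Windows\explorer.exe"),
]


def is_wer_fault_handler(ev: ProcessStart) -> bool:
    """Windows Error Reporting starts WerFault.exe from the WER service
    (hosted in svchost.exe) and parents it to the crashing process."""
    return (ev.image.lower().endswith("\\werfault.exe")
            and ev.creator_image.lower().endswith("\\svchost.exe"))


BENIGN_RULES: List[Callable[[ProcessStart], bool]] = [is_wer_fault_handler]


def find_reparented(events: Iterable[ProcessStart], apply_allowlist: bool = True) -> List[ProcessStart]:
    """Return creations whose nominal parent is not the process that created them."""
    hits: List[ProcessStart] = []
    for ev in events:
        if ev.creator_pid == ev.parent_pid:
            continue
        if apply_allowlist and any(rule(ev) for rule in BENIGN_RULES):
            continue
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in find_reparented(SAMPLE):
        print(f"pid {hit.new_pid} ({hit.image}) created by pid {hit.creator_pid} "
              f"but parented to pid {hit.parent_pid} ({hit.parent_image})")
```

The allowlist is keyed on both the created image and the creator, not on `WerFault.exe` alone: a sample that names itself `WerFault.exe` but is launched from a user-writable path still trips the check.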

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Documents and Settings\Admin\3D Objects\desktop.ini C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini C:\Windows\system32\sihost.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\585d35cc-6653-4935- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\571e01b0-615d-4c58- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\fd952d82bf3e368f3a81b1cf0f18903d9328ee9b7784222a1595c0fb321a631a" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f87e80a3-78d2-4651- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\571e01b0-615d-4c58- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e67568ec-fac0-4769- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\585d35cc-6653-4935- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e67568ec-fac0-4769- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2e495218-3b13-4c15- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f87e80a3-78d2-4651- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\585d35cc-6653-4935- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b80c5c9f-004b-42e3- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\571e01b0-615d-4c58- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e67568ec-fac0-4769- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c847a8a3-3c69-4a12- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ad04bcc4-cce3-45c0- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2e495218-3b13-4c15- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f87e80a3-78d2-4651- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c847a8a3-3c69-4a12- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\fc41e1a9abef38935bd0e09bf57e090b5a28ab74d458558a9da50645ff570b56" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f87e80a3-78d2-4651- = 5c6124782926d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f87e80a3-78d2-4651- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b80c5c9f-004b-42e3- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\571e01b0-615d-4c58- = (binary value omitted) C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c847a8a3-3c69-4a12- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c847a8a3-3c69-4a12- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f87e80a3-78d2-4651- C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\585d35cc-6653-4935- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\585d35cc-6653-4935- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ad04bcc4-cce3-45c0- = f016af792926d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ad04bcc4-cce3-45c0- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ad04bcc4-cce3-45c0- = (binary value omitted) C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c847a8a3-3c69-4a12- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e67568ec-fac0-4769- = (binary value omitted) C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\585d35cc-6653-4935- = c29fa5792926d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2e495218-3b13-4c15- = (binary value omitted) C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f87e80a3-78d2-4651- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000e9cbf2762926d801e9cbf2762926d801e9cbf2762926d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061
006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005454c7392000383764373633376263323037613831626463353066643663346239313632623864653339356364363535323564316636386466336536343166613964316331370000b20009000400efbe5454c7395454c7392e0000000000000000000000000000000000000000000000000017db1500380037006400370036003300370062006300320030003700610038003100620064006300350030006600640036006300340062003900310036003200620038006400650033003900350063006400360035003500320035006400310066003600380064006600330065003600340031006600610039006400310063003100370000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000417401a81000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c38376437363337626332303761383162646335306664366334623931363262386465333935636436353532356431663638646633653634316661396431633137000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d6053ffae39083ec1182d0fafb7f96cc3abad9b5dc40371b4eb595e9fc647d27d6053ffae39083ec1182d0fafb7f96cc3ace000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700
310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e67568ec-fac0-4769- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2e495218-3b13-4c15- = da4ac0792926d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b80c5c9f-004b-42e3- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\003d700e7cb7272d4d79b7b5359c4d1558d13e3f361560316e6ed1c6f63512ac" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b80c5c9f-004b-42e3- = (binary value omitted) C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\571e01b0-615d-4c58- = 8dd8d0792926d801 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e67568ec-fac0-4769- C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2c86c864-fab1-4ce7- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c847a8a3-3c69-4a12- = 97ef83662926d801 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ad04bcc4-cce3-45c0- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\571e01b0-615d-4c58- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e67568ec-fac0-4769- = c7470aaa2926d801 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\585d35cc-6653-4935- = (binary value omitted) C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2e495218-3b13-4c15- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2e495218-3b13-4c15- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\b676c9116b9d2b1bc57089f522ce3b52b9a6c056406b202e6787b5016e9c1ee7" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e67568ec-fac0-4769- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\003d700e7cb7272d4d79b7b5359c4d1558d13e3f361560316e6ed1c6f63512ac" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c847a8a3-3c69-4a12- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ad04bcc4-cce3-45c0- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ad04bcc4-cce3-45c0- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\e4b6cf7835c0c61248be30e9e9baacb20c910d31f24fa2476cc35ab2c9acbf4c" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2e495218-3b13-4c15- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2e495218-3b13-4c15- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b80c5c9f-004b-42e3- = b0bcc8792926d801 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\571e01b0-615d-4c58- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\585d35cc-6653-4935- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\986c937cba011afe270827ad7153a4fc7500b99715f4f31bd930ef76e2e1b462" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ad04bcc4-cce3-45c0- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b80c5c9f-004b-42e3- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\571e01b0-615d-4c58- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f87e80a3-78d2-4651- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\87d7637bc207a81bdc50fd6c4b9162b8de395cd65525d1f68df3e641fa9d1c17" C:\Windows\System32\RuntimeBroker.exe N/A

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2092 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\system32\sihost.exe
PID 2092 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\system32\svchost.exe
PID 2092 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\system32\taskhostw.exe
PID 2092 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\system32\svchost.exe
PID 2092 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\system32\DllHost.exe
PID 2092 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2092 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\RuntimeBroker.exe
PID 2092 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2092 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\RuntimeBroker.exe
PID 2092 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\RuntimeBroker.exe
PID 2092 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\RuntimeBroker.exe
PID 2092 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2092 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2092 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\system32\BackgroundTransferHost.exe
PID 2740 wrote to memory of 5112 N/A C:\Windows\system32\DllHost.exe C:\Windows\system32\WerFault.exe
PID 2740 wrote to memory of 5112 N/A C:\Windows\system32\DllHost.exe C:\Windows\system32\WerFault.exe
PID 2220 wrote to memory of 1384 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2220 wrote to memory of 1384 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2092 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 2092 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 2092 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 2092 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 2220 wrote to memory of 5108 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2220 wrote to memory of 5108 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2092 wrote to memory of 5172 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 2092 wrote to memory of 5172 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 2092 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 2092 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 2220 wrote to memory of 3772 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2220 wrote to memory of 3772 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 3368 wrote to memory of 5344 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 3368 wrote to memory of 5344 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1728 wrote to memory of 5340 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1728 wrote to memory of 5340 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5108 wrote to memory of 5364 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5108 wrote to memory of 5364 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1384 wrote to memory of 5372 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1384 wrote to memory of 5372 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2092 wrote to memory of 5404 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 2092 wrote to memory of 5404 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 2092 wrote to memory of 5424 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 2092 wrote to memory of 5424 N/A C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe C:\Windows\System32\net.exe
PID 3772 wrote to memory of 5580 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 3772 wrote to memory of 5580 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5424 wrote to memory of 5568 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5424 wrote to memory of 5568 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5172 wrote to memory of 5600 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5172 wrote to memory of 5600 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5404 wrote to memory of 5564 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4224 wrote to memory of 5592 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5404 wrote to memory of 5564 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4224 wrote to memory of 5592 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2220 wrote to memory of 5880 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2220 wrote to memory of 5880 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2220 wrote to memory of 5928 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2220 wrote to memory of 5928 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2220 wrote to memory of 5976 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2220 wrote to memory of 5976 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 5976 wrote to memory of 6052 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5976 wrote to memory of 6052 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5880 wrote to memory of 6044 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5880 wrote to memory of 6044 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5928 wrote to memory of 6060 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5928 wrote to memory of 6060 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe

Processes

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe

"C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe"

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2740 -s 948

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 460 -p 2924 -ip 2924

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "spooler" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "spooler" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "spooler" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "spooler" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "spooler" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "spooler" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2924 -s 3012

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
NL 92.123.77.56:80 tcp
NL 92.123.77.56:80 tcp
NL 104.80.224.57:443 tcp

Files

memory/2220-130-0x00007FF761430000-0x00007FF7617C6000-memory.dmp

memory/2236-131-0x00007FF761430000-0x00007FF7617C6000-memory.dmp

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2

C:\Documents and Settings\Admin\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\RyukReadMe.txt

C:\Documents and Settings\Admin\3D Objects\RyukReadMe.txt

C:\Documents and Settings\Admin\.oracle_jre_usage\RyukReadMe.txt

C:\Documents and Settings\RyukReadMe.txt

C:\RyukReadMe.txt

C:\Documents and Settings\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK

C:\Documents and Settings\Admin\3D Objects\desktop.ini.RYK

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jcp

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db.RYK

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\aria-debug-2324.log

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46E0.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\temp\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\AdobeSFX.log

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46A8.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00001.jrs.RYK

MD5 4caeb62ba9202cf032549b0ece66be8d
SHA1 061185b8ab97ed236fab2be502e43438752bc73a
SHA256 8e6aed06e3aea06de9b4ab438b69c6972cd69fb5d00d1150d343676a5a523e24
SHA512 7278018e51a710b85b084f46462e00bc21b918004e5cb59bc99f258f5cdc241feae314f4d0a85885dd1b07aa067085ea4e4ce622468574e4b748d9bcfffb1a95

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.jtx

MD5 bc178c31b2a6624d550c2056c5c1772d
SHA1 47661320da6d07424a351cd0010d8f5c9ccae3cb
SHA256 ed22a57cce790ddb27f54d4f46a4e72a3af4f883a94fcbd69d3900a102fea739
SHA512 bc6c85f02d7f9bb2d68342e4852aa6124832241bf9c4a9c89c43cf95437fe74e0bd1e454bd13efa9330d954e3fc83bf2640c9f44bcbd2df0fcf5335a871c4206

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\L.Admin.cdp

MD5 48ce28613d74befce37174f5cbfa9f44
SHA1 92a733e02a05bb1a28d336b5879eb9adada1df3a
SHA256 98b5156f9c74bee2938a6dcfe9d4cfa5f8806f76e6b75a4a080870cf6c736c7f
SHA512 6b04fcc95a8dfb6826ce79b67922f88b04649b6465d2d043f686b5b03a39bb57c912d7cbd6434c2779b4931a97174f8ec4589249663010c99f042b38491ed965

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\History.IE5\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.jtx

MD5 bc178c31b2a6624d550c2056c5c1772d
SHA1 47661320da6d07424a351cd0010d8f5c9ccae3cb
SHA256 ed22a57cce790ddb27f54d4f46a4e72a3af4f883a94fcbd69d3900a102fea739
SHA512 bc6c85f02d7f9bb2d68342e4852aa6124832241bf9c4a9c89c43cf95437fe74e0bd1e454bd13efa9330d954e3fc83bf2640c9f44bcbd2df0fcf5335a871c4206

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\UsageLogs\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data

MD5 c935ed1f454802602feab049875c44ab
SHA1 3ef9d65001618dae1c8113cc50902dc4cefb83b2
SHA256 b93f06232fb133cf2556c454aa207b74ef772452325b67534d51b1b0a834c729
SHA512 01d299436423266383f9a0162467db20a649f1d89f513b6832f703abe65f1c3145255626f5ef37bef4b2880bc81d5352e2a57cb853abbf88771c96e0a7ad04d3

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Web Data

MD5 1d1080837c225971c4cf0f2c8607df71
SHA1 a1aa6cba221a70b8a455cb1ae2334bf79f98beeb
SHA256 582d4a3f3814f6a51cfb00deac60158cd9659892292d0200134a62de89c36ef0
SHA512 dc191e780c38b88c8ee4ca651e976908ef8cb48bc31f04eda11619216226dde2777f1118cd70ea62c56bae9eab4c7bec39de2c6da97651ab4d6bbf839556dff9

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

memory/2740-195-0x000001B6B83C0000-0x000001B6B83C8000-memory.dmp

memory/2740-196-0x000001B6B8330000-0x000001B6B8331000-memory.dmp
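The dropped-file entries above all follow one layout (a path, then MD5/SHA1/SHA256/SHA512), and two patterns in them are the ones worth turning into hunt logic: a RyukReadMe.txt with the same SHA256 (3921b579...) dropped in every directory the process touched, and data files renamed with a .RYK suffix. The following Python is an added triage helper, not part of this report or of the sandbox that produced it. It parses that layout, checks each hash has the expected length (a truncated hash copied into a blocklist silently matches nothing), and separates ransom notes from encrypted files and incidental writes. SAMPLE_LISTING is a constructed excerpt: paths are shortened from the report's repeated "Application Data" junction paths, the hashes are the values recorded above.

```python
"""Triage helper for a sandbox "Files" listing in the layout used above.

Added example, not part of the original report or of the sandbox that produced
it. Assumed input layout (as on the page): a path line, a blank line, then the
four lines "MD5 <hex>", "SHA1 <hex>", "SHA256 <hex>", "SHA512 <hex>".
"""
import os
import re
from collections import defaultdict

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
RANSOM_NOTE = "ryukreadme.txt"   # note name seen in every directory above
ENCRYPTED_EXT = ".ryk"           # suffix on the encrypted files above

# Constructed excerpt of the listing above. Paths are shortened (the report's
# paths repeat the "Application Data" junction many times); the hashes are the
# values the report records for these files.
SAMPLE_LISTING = r"""
C:\Documents and Settings\Admin\AppData\Local\ConnectedDevicesPlatform\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Microsoft\Credentials\RyukReadMe.txt

MD5 55b3bfb09c9b34a5800004bbc9cd87d7
SHA1 43fcc0be9f710cb7be8358908127cb31753f38dc
SHA256 3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4
SHA512 b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

C:\Documents and Settings\Admin\AppData\Local\Comms\UnistoreDB\USSres00001.jrs.RYK

MD5 4caeb62ba9202cf032549b0ece66be8d
SHA1 061185b8ab97ed236fab2be502e43438752bc73a
SHA256 8e6aed06e3aea06de9b4ab438b69c6972cd69fb5d00d1150d343676a5a523e24
SHA512 7278018e51a710b85b084f46462e00bc21b918004e5cb59bc99f258f5cdc241feae314f4d0a85885dd1b07aa067085ea4e4ce622468574e4b748d9bcfffb1a95

C:\Documents and Settings\Admin\AppData\Local\Temp\dd_vcredistUI46A8.txt

MD5 e641215ad6ac2086e017c0e64838c0aa
SHA1 92fc66cebf948294c0173e03b7cdc299395e8db8
SHA256 3d70b8020e290744e1bff1c734be52d01d17f7bed4b1d76c123163d37b526cea
SHA512 554b27086523dfeb7ecf2e556d2e1851a1c046b5c1a2cdf8aceae7a2773e909f12fa09d63d0c8045128b3dc7fffb4505e519e49698e3ae1a727d568fbac4c105
"""


def parse_listing(text):
    """Return one {"path", "md5", "sha1", "sha256", "sha512"} dict per entry."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).lower()
        else:
            current = {"path": line}      # any non-hash line starts a new entry
            records.append(current)
    return records


def hash_problems(record):
    """Algorithms whose digest is missing or not the expected hex length."""
    return [algo for algo, n in HEX_LEN.items()
            if len(record.get(algo, "")) != n]


def classify(path):
    """Label a dropped path as ransom note, encrypted file, or other."""
    name = os.path.basename(path.replace("\\", "/")).lower()
    if name == RANSOM_NOTE:
        return "ransom_note"
    if name.endswith(ENCRYPTED_EXT):
        return "encrypted"
    return "other"


def summarize(records):
    """Group paths by class, flag bad hashes, and dedupe by SHA256."""
    summary = {"ransom_note": [], "encrypted": [], "other": [], "bad_hash": []}
    by_sha256 = defaultdict(set)
    for rec in records:
        summary[classify(rec["path"])].append(rec["path"])
        if "sha256" in rec:
            by_sha256[rec["sha256"]].add(rec["path"])
        if hash_problems(rec):
            summary["bad_hash"].append(rec["path"])
    # A single note hash across every directory means the note is static,
    # so its SHA256 is a usable file-hash IOC on its own.
    summary["note_sha256"] = sorted({rec["sha256"] for rec in records
                                     if "sha256" in rec
                                     and classify(rec["path"]) == "ransom_note"})
    summary["by_sha256"] = {k: sorted(v) for k, v in by_sha256.items()}
    return summary


if __name__ == "__main__":
    result = summarize(parse_listing(SAMPLE_LISTING))
    for kind in ("ransom_note", "encrypted", "other", "bad_hash"):
        print(f"{kind}: {len(result[kind])}")
    print("ransom note SHA256:", result["note_sha256"])
```

Feed it the full Files section rather than the excerpt and note_sha256 should still contain exactly one value; if it grows, the note is being personalised per host and the hash is no longer a reliable indicator, leaving the filename and the .RYK suffix as the durable detections.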