ryuk | 6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619

Analysis

max time kernel
190s
max time network
215s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
20-02-2022 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe
Size

123KB
MD5

170e82abf8cd1e4c2f360795eeb4e78f
SHA1

1b7864fe3338bfdc312c0159ee5cb3054d9d3add
SHA256

6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619
SHA512

83d9558a7b3bef56af0833f016f75f7b649b21ef300d0369ad0e2bb5bf11818c1a9cbe632c062fa7c896fb266392e595957806e9f90b12d42444bccfe3ee5639

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you encrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 12vsQry1XrPjPCaH8gWzDJeYT7dhTmpcjL Ryuk No system is safe

Emails

[email protected]

Wallets

12vsQry1XrPjPCaH8gWzDJeYT7dhTmpcjL

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4764 created 2908 4764 WerFault.exe StartMenuExperienceHost.exe

description	pid	process	target process
PID 4764 created 2908	4764	WerFault.exe	StartMenuExperienceHost.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

sihost.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\Admin\3D Objects\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	sihost.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3392 2720 WerFault.exe DllHost.exe
4736 2908 WerFault.exe StartMenuExperienceHost.exe

pid	pid_target	process	target process
3392	2720	WerFault.exe	DllHost.exe
4736	2908	WerFault.exe	StartMenuExperienceHost.exe

Modifies registry class 56 IoCs

Processes:

RuntimeBroker.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0248cbfa-3a45-45ca- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000512512802b26d801512512802b26d801512512802b26d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005454993b2000643663393765666439633266653162623634346463333762323562663430363735646339613536636661373934663534623061306631333739336130613665660000b20009000400efbe5454993b5454993b2e00000000000000000000000000000000000000000000000000af7f1901640036006300390037006500660064003900630032006600650031006200620036003400340064006300330037006200320035006200660034003000360037003500640063003900610035003600630066006100370039003400660035003400620030006100300066003100330037003900330061003000610036006500660000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001a9260d51000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c64366339376566643963326665316262363434646333376232356266343036373564633961353663666137393466353462306130663133373933613061366566000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d64062f5e69083ec1182d0c268fe29ed74bad9b5dc40371b4eb595e9fc647d27d64062f5e69083ec1182d0c268fe29ed74ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\57713a26-dccd-42ca-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6071f8a2-df27-4502- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0248cbfa-3a45-45ca-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0248cbfa-3a45-45ca- = "0"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4f304052-ab4c-42af-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\738d1a1f-560e-4045-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\738d1a1f-560e-4045- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6071f8a2-df27-4502- = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d188ba0-1ff3-4acf- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000004668c97b2b26d8014668c97b2b26d8014668c97b2b26d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005454953b2000376531336532383736356238303330323438626435343638623838373538623665356431313965653336633732633232306438323339623730313838646539610000b20009000400efbe5454953b5454953b2e00000000000000000000000000000000000000000000000000ba889d00370065003100330065003200380037003600350062003800300033003000320034003800620064003500340036003800620038003800370035003800620036006500350064003100310039006500650033003600630037003200630032003200300064003800320033003900620037003000310038003800640065003900610000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001a9260d51000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37653133653238373635623830333032343862643534363862383837353862366535643131396565333663373263323230643832333962373031383864653961000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d63b62f5e69083ec1182d0c268fe29ed74bad9b5dc40371b4eb595e9fc647d27d63b62f5e69083ec1182d0c268fe29ed74ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6071f8a2-df27-4502-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f181c53f-7438-48b9-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f181c53f-7438-48b9- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000aa8ed07b2b26d801aa8ed07b2b26d801aa8ed07b2b26d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005454953b2000666137336639663930623139643732656162393139663231343533616463366566383963333062313264643064653663306231373937636530313765326538660000b20009000400efbe5454953b5454953b2e0000000000000000000000000000000000000000000000000056629600660061003700330066003900660039003000620031003900640037003200650061006200390031003900660032003100340035003300610064006300360065006600380039006300330030006200310032006400640030006400650036006300300062003100370039003700630065003000310037006500320065003800660000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001a9260d51000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c66613733663966393062313964373265616239313966323134353361646336656638396333306231326464306465366330623137393763653031376532653866000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d63c62f5e69083ec1182d0c268fe29ed74bad9b5dc40371b4eb595e9fc647d27d63c62f5e69083ec1182d0c268fe29ed74ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ed363204-dd6f-44a1- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000002218da7b2b26d8012218da7b2b26d8012218da7b2b26d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005454953b2000316136306537343136616538353062316132346630396530346165663131386263316134663836306265343364316635653065633235323465373138363462630000b20009000400efbe5454953b5454953b2e00000000000000000000000000000000000000000000000000ded88c00310061003600300065003700340031003600610065003800350030006200310061003200340066003000390065003000340061006500660031003100380062006300310061003400660038003600300062006500340033006400310066003500650030006500630032003500320034006500370031003800360034006200630000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001a9260d51000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c31613630653734313661653835306231613234663039653034616566313138626331613466383630626534336431663565306563323532346537313836346263000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d63d62f5e69083ec1182d0c268fe29ed74bad9b5dc40371b4eb595e9fc647d27d63d62f5e69083ec1182d0c268fe29ed74ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d188ba0-1ff3-4acf-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a5bc0835-8aa6-4fd8-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ed363204-dd6f-44a1- = 586ee67b2b26d801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6071f8a2-df27-4502- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6071f8a2-df27-4502- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\096a872d1ad5c25c2d1fa193f9a264eaa28bfbb1786b4559c5fa010ba7b54ff4"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f181c53f-7438-48b9-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ed363204-dd6f-44a1- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0248cbfa-3a45-45ca- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\d6c97efd9c2fe1bb644dc37b25bf40675dc9a56cfa794f54b0a0f13793a0a6ef"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\738d1a1f-560e-4045- = "8324"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8c30684b-fb7d-422f-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f181c53f-7438-48b9- = 61f9d57b2b26d801	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f181c53f-7438-48b9- = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\738d1a1f-560e-4045- = 46e5377a2b26d801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\738d1a1f-560e-4045- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\2c0d07861a4bd0d7e6b9923908618e90d8884b23fdae2e6a13f7738f5a7df5fa"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d188ba0-1ff3-4acf- = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d188ba0-1ff3-4acf- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f181c53f-7438-48b9- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f181c53f-7438-48b9- = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\738d1a1f-560e-4045- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5db22646-d76d-456e-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6071f8a2-df27-4502- = f38bc97b2b26d801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6071f8a2-df27-4502-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ed363204-dd6f-44a1- = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6071f8a2-df27-4502- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000031cbb7b2b26d801031cbb7b2b26d801031cbb7b2b26d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005454953b2000303936613837326431616435633235633264316661313933663961323634656161323862666262313738366234353539633566613031306261376235346666340000b20009000400efbe5454953b5454953b2e00000000000000000000000000000000000000000000000000fdd4ab00300039003600610038003700320064003100610064003500630032003500630032006400310066006100310039003300660039006100320036003400650061006100320038006200660062006200310037003800360062003400350035003900630035006600610030003100300062006100370062003500340066006600340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001a9260d51000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c30393661383732643161643563323563326431666131393366396132363465616132386266626231373836623435353963356661303130626137623534666634000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d63a62f5e69083ec1182d0c268fe29ed74bad9b5dc40371b4eb595e9fc647d27d63a62f5e69083ec1182d0c268fe29ed74ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ed363204-dd6f-44a1- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\1a60e7416ae850b1a24f09e04aef118bc1a4f860be43d1f5e0ec2524e71864bc"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d188ba0-1ff3-4acf- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f181c53f-7438-48b9- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\fa73f9f90b19d72eab919f21453adc6ef89c30b12dd0de6c0b1797ce017e2e8f"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ed363204-dd6f-44a1-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0248cbfa-3a45-45ca- = 03771c802b26d801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ed363204-dd6f-44a1-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0248cbfa-3a45-45ca- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\738d1a1f-560e-4045-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\738d1a1f-560e-4045- = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000074e7d8772b26d80174e7d8772b26d80174e7d8772b26d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005454923b2000326330643037383631613462643064376536623939323339303836313865393064383838346232336664616532653661313366373733386635613764663566610000b20009000400efbe5454923b5454923b2e000000000000000000000000000000000000000000000000008c82fa00320063003000640030003700380036003100610034006200640030006400370065003600620039003900320033003900300038003600310038006500390030006400380038003800340062003200330066006400610065003200650036006100310033006600370037003300380066003500610037006400660035006600610000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001a9260d51000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c32633064303738363161346264306437653662393932333930383631386539306438383834623233666461653265366131336637373338663561376466356661000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d63862f5e69083ec1182d0c268fe29ed74bad9b5dc40371b4eb595e9fc647d27d63862f5e69083ec1182d0c268fe29ed74ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\038f44d1-1143-4956-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d188ba0-1ff3-4acf-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d188ba0-1ff3-4acf- = 06c2ce7b2b26d801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ed363204-dd6f-44a1- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0248cbfa-3a45-45ca- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d188ba0-1ff3-4acf- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7e13e28765b8030248bd5468b88758b6e5d119ee36c72c220d8239b70188de9a"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0248cbfa-3a45-45ca-	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe

pid	process
1808	6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe
1808	6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2428 Explorer.EXE

pid	process
2428	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exesihost.exeStartMenuExperienceHost.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1808	6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe
Token: SeBackupPrivilege	2216	sihost.exe
Token: SeBackupPrivilege	2908	StartMenuExperienceHost.exe
Token: SeBackupPrivilege	1808	6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe
Token: SeShutdownPrivilege	2428	Explorer.EXE
Token: SeCreatePagefilePrivilege	2428	Explorer.EXE
Token: SeShutdownPrivilege	2428	Explorer.EXE
Token: SeCreatePagefilePrivilege	2428	Explorer.EXE
Token: SeShutdownPrivilege	2428	Explorer.EXE
Token: SeCreatePagefilePrivilege	2428	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

2428 Explorer.EXE
2428 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

RuntimeBroker.exe

pid process

1632 RuntimeBroker.exe

pid	process
2428	Explorer.EXE
2428	Explorer.EXE

pid	process
1632	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exeDllHost.exeWerFault.exe

description	pid	process	target process
PID 1808 wrote to memory of 2216	1808	6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe	sihost.exe
PID 1808 wrote to memory of 2236	1808	6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe	svchost.exe
PID 1808 wrote to memory of 2280	1808	6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe	taskhostw.exe
PID 1808 wrote to memory of 2428	1808	6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe	Explorer.EXE
PID 1808 wrote to memory of 2520	1808	6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe	svchost.exe
PID 1808 wrote to memory of 2720	1808	6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe	DllHost.exe
PID 1808 wrote to memory of 2908	1808	6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe	StartMenuExperienceHost.exe
PID 1808 wrote to memory of 2972	1808	6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe	RuntimeBroker.exe
PID 1808 wrote to memory of 3056	1808	6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe	SearchApp.exe
PID 1808 wrote to memory of 2812	1808	6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe	RuntimeBroker.exe
PID 1808 wrote to memory of 3344	1808	6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe	RuntimeBroker.exe
PID 1808 wrote to memory of 1632	1808	6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe	RuntimeBroker.exe
PID 1808 wrote to memory of 884	1808	6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe	backgroundTaskHost.exe
PID 1808 wrote to memory of 3984	1808	6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe	backgroundTaskHost.exe
PID 2720 wrote to memory of 3392	2720	DllHost.exe	WerFault.exe
PID 2720 wrote to memory of 3392	2720	DllHost.exe	WerFault.exe
PID 4764 wrote to memory of 2908	4764	WerFault.exe	StartMenuExperienceHost.exe
PID 4764 wrote to memory of 2908	4764	WerFault.exe	StartMenuExperienceHost.exe

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2280

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2908 -s 2100
2⤵
- Program crash
PID:4736

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3984

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:884

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:1632

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3344

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2812

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3056

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2972

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2720 -s 996
2⤵
- Program crash
PID:3392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2520

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2428

C:\Users\Admin\AppData\Local\Temp\6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe
"C:\Users\Admin\AppData\Local\Temp\6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2236

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 476 -p 2908 -ip 2908
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK
MD5
3411fa4ef87d0f0e51804cf2f58d2f5a

SHA1
4c8c7d495c89b43a4fe75a9374d299daa245a26f

SHA256
97b25244ba6eae1474a74a29e5ec2d9eb6d8b615ba6a278ebcc45f6137c11371

SHA512
48aa7f1b3692c143dcec9ab02fa5b56f0650e441dbd596ba4b2e8a818743e0b5f0204f46a7523f574c361266037ce9476223b1c88bfeb194130dc9c72f7d34c6

Download Submit
C:\Documents and Settings\Admin\.oracle_jre_usage\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\3D Objects\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\3D Objects\desktop.ini.RYK
MD5
e5032e194891ae3453830d3a0728b665

SHA1
04b07e8a96bf023d244f4cfb3f8ffbbfd77a4af8

SHA256
8487d2d7707b0f563957dd84208432f9269ebe5bc6261c2825988d8edb3a48b7

SHA512
1f855e61fcbbd722e4923076d7f9d8ea018fd00b5f878d87c3bf2221a18d8431df561acb574832fad5d52c948c744a2852077fe58c67c9d35f89a35c7061b2dc

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK
MD5
09b682bcc838d6d6598b964b3b4e6ba1

SHA1
d2f902933fde3509f218759ef49a849f708650da

SHA256
b96a533a8c4034b94f573cb3ffbb35d9490b0e3696ee335c8abc9efafcce8223

SHA512
2451a1ff063cb8d208a079eb5ee01f536bf5f90c1635b7b35f28e6cafa79a0fb901cf53eecffbc108ea14371f352cf151fe338e8896e531e9daab2a86d978912

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK
MD5
2ec14fc503032776adff7813ef14c589

SHA1
9c6cf0711f83fb5044b18a42e4fc826790dd8231

SHA256
0abc89ef0298ff9ca832b0879bb3f412765409e7e2edfaf12d060b740dddcd4a

SHA512
b63e7bd7fdc7a67a6bfd80f2731b111a1ecbb145c67c5d13447a52ff42c9eb72eb8b1dce727a8efa0e1ca01e8123463b3ed08b97018bbd030e3e6e16e39383b6

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK
MD5
14367068cf2e8fd2f945af71a46da352

SHA1
6cf710568d3f2568e050e1ace650ce79cde23987

SHA256
d5c8e69c59f451a9d3b883aaee672faa676abb200cff92bb77340688a0d9468b

SHA512
f630a120702917d5fb22ecf739dc7c354cee830794c92ffd07adc8720d035e80fa4e818e4b607542303e55d9dbe7f42865f155799eaceae225cfc1ced133864d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
MD5
ed857797a865a89f6110a99e3e2e0249

SHA1
4b28864750daf752dd3f976c081a7d77b81ef5d0

SHA256
a0ee31dc7a369f5ce5f56e495e0e2f90dc4fb1e0f9e2da321b8d178cd5e19940

SHA512
474c151795b949b87acf3790736d7543286045781bb847e1f749a456ac7105990d4fd26982025a9cb56413698a096bec405cba14bc5a4a326ff7c6b560e9cee5

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
MD5
5df92ea0b8a731960fbc662c06b7c5d6

SHA1
36cf63d4b6265e7e81cb8b51b9e62a1ea1429a67

SHA256
484749fc6b06f22d17b21b946b2b07d95565c10bdf7b1cddbedb1620a1da0c71

SHA512
7b327ca4b2e3462d96d4bbb4e25a4ab52b3e469eb7a37aed63dcb0101d65bd84822ee96d85bc755a16f846d0bbe089375b159d499513dccfb1b95f53d323bb70

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jcp
MD5
734aff526b64106462de918fe8440b24

SHA1
88cf782d5552d1b3360f1a89c10bc5076354840c

SHA256
0135deaa219efb8d46b258aff709abd940b16f29639a3bca9b7ce99fa187ffe0

SHA512
6f9f29d49a8253d399c08793663971da1fab3a99ccc064d67d9033cf1191da88074660c24df975762f219e43f30f4ec033a9150c26581e8ca0f266c429f68742

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx
MD5
be2512aa1935a9978d2833a2b4e66d1f

SHA1
980989e5ca4d2475a94b298c43b1372632f6ba4c

SHA256
98013acee2d4db676bbb05d13cdaa1ca117c7e45ad9ea9b609337030dbacf2e1

SHA512
5d3239f8232b65ac758e03db2faeffdfd2a08f63e4f88de640c512ecf16242c599b6ad7f14fccd4fed9c3b9b2c2c83569d2b21209926ba956310edc39ec8f39d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm
MD5
416ff40c7ff29d6ca7aa4aa76f9f9fe6

SHA1
7682c67a5bb13c3e35aea03934d2b39c51edacec

SHA256
5325032dbbad57247a7478e190b2832322a90719d2b3d39bd9bc64922ad28722

SHA512
b3fc560dd476ed8882e60c12f2d6c35cdf500d0719eee2e93c53832a6a57148430abd3058e1a40bf798ac9db189cd5f04ce7a120c86a07d6a77e6e1311759a9a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol
MD5
17742cc329848ad44b8fc30ef53f0f2a

SHA1
3d9fc06f58d19d823892a9e766a51e51f3695f7f

SHA256
115e4acd6966cc18718c56934f383c8de5efc0a39d5350b0a7ab32f4580367b8

SHA512
a3510ab7f41a795aa7bc64b3e2a5f0b41615f3a680b1525b989a5d643567512f6e17f751c2033b0c2ffec3fb6b074fdc5cb19918572c2056ab7cbcdc2a757a81

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK
MD5
8d0bb540fa70db2609e5f58268899d5a

SHA1
666c5905c6891b53203d8cbfc4ac6d60cf542cd2

SHA256
f562e10088abd94116295e95def12b517217923e249305da6d4b3d067792d3ab

SHA512
0538ac8844bb513cd44d781b35eb994102f349cfa5bbe0f00808c342d00b80d3d622ca693dc3ba708f7e2ac1aea92eb8a32efe5108cd0f2284a34442ba8bab0c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db.RYK
MD5
3601708eea0532ca9463d7473202742e

SHA1
84875a50268a8bc1fc388999962472c1e97c220c

SHA256
9c542a1b5dd00fcc16e99a6e5d881546977f3ac8f2dfead68ed2e35f07feb34f

SHA512
d64a88e54dff7a07f14104f8dc4b1dd25786735b82703f8198a737c453fa0509e5cf5c9b6ad9009ff98241794e29bcc8c26a42323d595aae84535a966ccdd3b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log
MD5
0ebeced1f19e159ea23f4f3f2b5f785e

SHA1
8ec990c764d38953185cfbed3205f93b440fe04e

SHA256
e49888976c4cdabc8fd7e3162627d4ccce6fc8a0510c4834d8e509b213c21fe5

SHA512
26c56ec2c5fdb2ac68700b017393d938e46735705137ecf5df4649b71bb74fa75e9823765b8bf949ee465043fdab51e40ddfa352818cba73725e3de7d7d6637e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46A8.txt
MD5
8b2c9cc4dc5f800f95a76106e2760eaf

SHA1
9c8b150c3f6d6e253c4cd2bd461f0adeaee6044c

SHA256
8871ecce4fc05e83dba2f154beb10857f5195feb14541e7c118f8abe42fec498

SHA512
45b3d2f6f9a53b488f4c0fc5ac7f3fcfe85c57ba2662a6e7cd5e62da2ac1e74ed2afd621aaab0520e2cce2e24818d95a6c0fbcaeeeecf8bd79fbc9fb986457cd

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46E0.txt
MD5
8ad997d81b20d1ad1405ae4f2982a37e

SHA1
53d0cdfb3a176dad977e0476439077289fcb28f4

SHA256
59098a1031b43c71488dc949763bcaef78c9194ddbb78349887ea0a3e0471612

SHA512
77800eed58474983588476be12051bba9832fe4452c27975161cfadf2c03d86bf8959ae1c93dc1fdcbbe5aa4874e4bb66c4b852b828cb1f6ec315d0b0cec3570

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00001.jrs
MD5
27be4812000724255dd84013c11ab6eb

SHA1
998b7071e786866ec647ecf3ec5d0f0f49fc560a

SHA256
6cab8175b414c9f1aac47778bcafaeebffb5321dc95cb167d1fd87c71b7d1a26

SHA512
6f3b40dda0a315fc414eae3a130a64227190a377be548f850cf93bac84a31c2bbd48af26e5fe66bf0d2f23430b120f425a84595d66aad128121585d2d79d05f6

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00001.jrs
MD5
27be4812000724255dd84013c11ab6eb

SHA1
998b7071e786866ec647ecf3ec5d0f0f49fc560a

SHA256
6cab8175b414c9f1aac47778bcafaeebffb5321dc95cb167d1fd87c71b7d1a26

SHA512
6f3b40dda0a315fc414eae3a130a64227190a377be548f850cf93bac84a31c2bbd48af26e5fe66bf0d2f23430b120f425a84595d66aad128121585d2d79d05f6

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\temp\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Favicons
MD5
c2cf2751f7684357bc52f1de6ae025b1

SHA1
d684001ae70317973bb7bf5f7e6f591451d714a4

SHA256
3381479a005d6f916fca1520d760864306b6046e18cb3763930f148724d59378

SHA512
126ffabc76a98ebece7e1a872bd700a3b6d9191ad02e1ce803f299f0960c51bda732d5bd3538e8f3b6b4bce44371ffec77c60a065251b9006d82cd46860a6328

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\History
MD5
e1faf1c6ec7edff82b36ad853adc190a

SHA1
994784ea9da4b15224515b18e8ad2e8c1640c747

SHA256
9b10e9f36a4897b3c6c9e97fa37902179a22fdbfe235cd9f502b74e25ed9e1d7

SHA512
d3885dd264117a9bc859745d3672de16dbac4c293bf2b97bbf4907c249cb49f7b7589c361ac94ac20aa220f93c301eb20dada22fb66f736e156d8c369fc15464

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Web Data
MD5
ede30f536b7449fc68d92440d3c67b61

SHA1
bcff29892f1094bdd2c756a37b9bca5f3d2730db

SHA256
cea1c5be65a1e6ba6419ee7a16fb429179e372f02045fb04e5e0521dcf719e9b

SHA512
b58e1f8ca6e64edd5e0ad484da9da5b2aaf19b75ab3a8617ce72ba518d45a3d113c9b18233bc792e6689e5b3bfa2cb2ff50b72a6fbc260557cf78f867030bc59

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-AE\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-BH\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-DZ\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-EG\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-IQ\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-JO\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-KW\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-LB\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\Documents and Settings\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.txt
MD5
697717913c380fcc0fa51c080587d09f

SHA1
ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4

SHA256
d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df

SHA512
d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

Download Submit
memory/2216-130-0x00007FF62C970000-0x00007FF62CCF1000-memory.dmp

Filesize
3.5MB

Download
memory/2236-131-0x00007FF62C970000-0x00007FF62CCF1000-memory.dmp

Filesize
3.5MB

Download
memory/2720-197-0x000001BC45A90000-0x000001BC45A98000-memory.dmp

Filesize
32KB

Download
memory/2720-198-0x000001BC458D0000-0x000001BC458D1000-memory.dmp

Filesize
4KB

Download
memory/2972-132-0x00007FF62C970000-0x00007FF62CCF1000-memory.dmp

Filesize
3.5MB

Download