Malware Analysis Report

2024-10-19 06:16

Sample ID 220220-gqechahdc7
Target 6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619
SHA256 6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619
Tags ryuk ransomware
Score 10/10

Analysis Overview

score
10/10

SHA256

6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619

Threat Level: Known bad

The file 6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619 was found to be: Known bad.

Malicious Activity Summary

ryuk ransomware

Ryuk

Suspicious use of NtCreateProcessExOtherParentProcess

Drops desktop.ini file(s)

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of UnmapMainImage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-02-20 06:00

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-20 06:00

Reported

2022-02-20 06:30

Platform

win7-en-20211208

Max time kernel

180s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Ryuk

ransomware ryuk

Drops desktop.ini file(s)


Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\taskhost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe

"C:\Users\Admin\AppData\Local\Temp\6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

Network

N/A

Files

memory/1256-54-0x000000013FC70000-0x000000013FFF1000-memory.dmp

memory/1256-56-0x000000013FC70000-0x000000013FFF1000-memory.dmp

memory/1360-57-0x000000013FC70000-0x000000013FFF1000-memory.dmp

C:\Users\Admin\Desktop\ReadInvoke.vssx.RYK

MD5 16f72dfefaae2c17179555d282f57d60
SHA1 a25ccabf8d156d5f7c862987a147bac30083a77b
SHA256 fb71ef85255191228611f05dca7c8b556a9d223100120dada6f629b2f22044fa
SHA512 a2146a9e04b5aaabf434c03008d8fa7176c88845e842c43b47ca38f0de91f6c0236dd52357987b93f3ce186fca7fc1fdecf4c5c953c8af5f154b35b3a4862ada

C:\Users\Admin\Desktop\ReadUnregister.temp.RYK

MD5 8b75eae6f79f5421263c3720a273ec00
SHA1 988d14e1a6011353cf50855af7e13db75ecf5587
SHA256 7f26310e097c218e9d7e27bf80c3f43444aee09e003ef5b015ecfd98aaf2676f
SHA512 f59fa04f005e242b48b818f466801d30b456ed1129cfa9d1c3493981331eb316e2f4b9f3e9814824b098c76b82503964e133f43cff1e178e795a0798a23204be

C:\Users\Admin\Desktop\RedoCompress.pcx.RYK

MD5 3ee6157fc0e07085ece9dbdaadef5a1e
SHA1 17b2e5492ba4ddf2ae3ed3aec2c9fa437be8cbe3
SHA256 d65b96165e9faf85e26c8a329163e4a5ba221158de29fdb4a29cc2e854794c95
SHA512 b583e270764455ef1528176fd291564c05b15fddb872d6427689dd36a6db58a802eb43085489ada07e482b79958a52aacdde8329916667338921074309e9e545

C:\Users\Admin\Desktop\ResolveDeny.xlsx.RYK

MD5 09dfabcdffadbb6ba85d4f4fe2cf3f54
SHA1 1fde44621fdb3d19b8e7cec99bebb934af078e2b
SHA256 6477305d8662fada40f2fa4e3ecd3f1e6a0a654baf7b885719343cd9828a9724
SHA512 1cd0cac376e3d744b9c0feb61273690a3dc8c77ab0fb4a955c0d0124533d4f14116b4054fe1571014ec41e1bb229e29867800d2633d654fa476fcd18d2e97aa7

C:\Users\Admin\Desktop\RyukReadMe.txt

MD5 697717913c380fcc0fa51c080587d09f
SHA1 ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4
SHA256 d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df
SHA512 d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

C:\Users\Admin\Desktop\SelectConvertFrom.xlt.RYK

MD5 9a67deb388c3a0aa002355c442849a55
SHA1 9bd6b8eb9262425cab11ca61acfd703bd8ecf66f
SHA256 07d45c1b2910ad6bf47884a681f441acd1784a17432e5579aaf71557f2d52e3e
SHA512 4ee1e46c5df22d1d3e0964c080cf0c949694ae7521d54b7f8e04a695ddab9bcc22ad0d49145ea878ee298d8733b6fa98642c0801dcc5248b213a8c77f88a2783

C:\Users\Admin\Desktop\AddGet.TS.RYK

MD5 77f9cd4a5fc9bd64eb0923f9b53b93a0
SHA1 462efa89a4420a52df9e74333bad80548587914e
SHA256 9c66291f308f2ace83678e9a883d44abc22aff0f7a6d35bd77215d3b71aa69ef
SHA512 e8c0927e2b050bfa87f8666cd7eaf322e43bbc54576e29e12e690959d1bdd077586d1c5ef50140282f8725f30e877692025d54519de737641fa1ecc1a5bd293d

C:\Users\Admin\Desktop\CompareClose.raw.RYK

MD5 0f24decb3c39ded309043652d0148357
SHA1 34723720350262646a72f0f9aa0acb8cba065fa0
SHA256 baa7e3bb721f138595fd529e30b4501860157117a6ccdd1a798992a29ca5314e
SHA512 abd42325276788b10b5bc92a8a371d90adff163fa5d727c681b670227c4e3f1f0686df8c294986303d67e4c85a391e6c2214d48f5e27d1a15a59ba6f7adad1cf

C:\Users\Admin\Desktop\CompleteImport.3gpp.RYK

MD5 d82e992489073ccfaa07ea10ad674f4e
SHA1 49fb71a114e32472967467451f294c086cb24ae7
SHA256 f1e67e338f56fd7a30eb56b15c79659fe03958a7c1e803540178313ec6303641
SHA512 06e7835c2776b24b3a79b75aaefc9642be6fb80677c2887a431cbbf1eb3b885edc3139199c42b58993981f4a494e913e5b52fccd9eaf5a97a8022ba744e8cafd

C:\Users\Admin\Desktop\ConfirmInstall.html.RYK

MD5 9df2242a888324c08e232f19165b6ecf
SHA1 093846f2b86ae2c5d4911c3783b937888ee9d799
SHA256 e414e5d097cb19f305b7af90eac1a27db0f7256a8152a1f977029c1222ed22ef
SHA512 697e5a454596f0d9a069d483f7ac34459de6871e8858190de233b78c8be7cddcde736fd43ddbebc846873bb34532d7064380352fd3c0081d7d50d9cbe8d42ecd

C:\Users\Admin\Desktop\ConfirmOpen.dwg.RYK

MD5 5347a316afbb6b4aeef376fbd2ca74fb
SHA1 9fb5cfbe41dd6dca76ece00961cbc081a0bc3a46
SHA256 4d6dff45636ef0529c83af28dae6f73577a89175312749a6c47655c6718c5335
SHA512 fdfd9d223defd77377f7e15cc451b7f257f9e8c26ac1faa3f69962e51daccac0ea24beae06e52d0977f383a57a5ecb643944b96b9431165977d5c1624f94529f

C:\Users\Admin\Desktop\DebugSwitch.vdw.RYK

MD5 c1085df14337586104169841a7cead39
SHA1 b687dfa1f57e35b73a16366cc76ea39b7df97198
SHA256 594fe12bb648591ab5bd634cd4c5c35bae6f5031c79ce7f4fdda63f09542ba65
SHA512 88d5fd9be6c468b9535fe67cfc5225972dc80561aa4224f2dd8647f1d74e51d6114965015a82fa482df25ac51ba2699ff45335a5cbdfccf89e7dd7561203fa78

C:\Users\Admin\Desktop\desktop.ini.RYK

MD5 ae5d26935ed13598319d5e19e9667754
SHA1 fa96a484e2e01774908f69d6ab418ea37a0c0e34
SHA256 ac757cce5cee2d536e88698a2b3af213e78095410540947ea6753337a16b0809
SHA512 cddf0fc093cd30b87cebec3bb351b5f122cbf65c821f1bb866cdb0dded64943b1b3797f8e4f922dd6cb47a6c3abaa1d0642ddb4f4dfbe0196e4f8f49c271cd1e

C:\Users\Admin\Desktop\EnableRead.xls.RYK

MD5 28eafc8742ad0ab56c09eab4e499aa5c
SHA1 8f6dcaf2dda7792d7256a7cf2da912b0e0e60731
SHA256 a7f143d36dbc42d3a30a66980933d3f3525e37e8dbed0dff51afd2550583071c
SHA512 bef69269761cb319a5403ae4a69222ed6eadd5b03525d41b7e60e6346be5e6df66d8ca843da65e71b144a3ce7d53bb79cad3f7ccb2dc2d0030a81cf2c5ec6d75

C:\Users\Admin\Desktop\SkipEdit.wax.RYK

MD5 73abb93f077f89d86e719b8e9c178b1e
SHA1 630af5d996b3e43e1cb750c6a7ebdb12e2858de5
SHA256 9c429e804839243ff0a760a9ca751d124f21c89d925194800d01a5ad47f419c2
SHA512 ded270eaeef6c73b8a8886f675603033060f006d8b1929a10fe55009d051cc7346df80021f31953596be2968e41933e92035265dcade64073aae31abf0e86f53

C:\Users\Admin\Desktop\ExitMeasure.7z.RYK

MD5 8ccd984f1d4d5e70f2824f46de00d8d2
SHA1 99a295fac5be217708148c2bb45f5f13b728a94b
SHA256 85a396b20a97eb6fd0eb26cffc3b4bfaf8e708ea028673092b4185123563a712
SHA512 9891f2aea1ed87391f378755e31ee60364e7436b321da373685176c9aea39c297ef5a2dddc7e79375f88b0069647ec742520cde88747047a7132be58709d63cc

C:\Users\Admin\Desktop\FormatConvert.php.RYK

MD5 091f9f402e6d5eb34af7ad3910bddc86
SHA1 0e2270833e721c7cc0d243f124f2dbad0e0ce08e
SHA256 90b9b3ba6921dcd9609fa96826181fab9a230d43a8a5ba9f88b803a78e134034
SHA512 c919d04145cd70c4a6c44b56c24b2c572a1b7cade74a659aebd8647ce165a7752114ae8cf61d31da0eeab8686059dfc519d0ab257fdc200567f64cc085656f97

C:\Users\Admin\Desktop\ImportNew.xps.RYK

MD5 316094e6b6ba8cdc3afaa6558ae7290f
SHA1 d3c5a00bccad1c1a28b2f26e63203875525a3c74
SHA256 1cc61e0c5cce004d45378aee44c0e0f1a6f9dcf047094bb3f2c6e9cecac51559
SHA512 f0f064cc8d14352ade439a938cc01b6e3d050e89c0ba60db9a225618b56769b9accea259f56e283a71ead7c1e82080c1e26bb3a89025bc933b8db56f04302126

C:\Users\Admin\Desktop\InstallTest.mhtml.RYK

MD5 224b59a3b2b53a660f4dd284c0777197
SHA1 7a103822faf5fe52c0fc82a66f83c7ea9c6e9d81
SHA256 f4e002bfc5366b182cbe3b4a9d42e9adee653b3d21c402b1284292768c18e921
SHA512 352b32aa29ff3d83928c3a7a3ceadca6bc34b732b2827b76d65a6f029fe67ad0460608e8c0e7fdaec5b8d8fc2ccb0ac58e8465e9d070013dee779aa7435de23d

C:\Users\Admin\Desktop\InvokeConfirm.pptx.RYK

MD5 f501d84724b1b4c3461c5dc6d8aacaf4
SHA1 6118ccdd98e38e16f73651a2f60270307bf195a1
SHA256 2ea7740b7b262284474e302e49c7896b52e58f43c3314d7cf4ff4124c73c310a
SHA512 c3a5bb57f04b1701b532af37cabc9ca3a9da4955c0b095622ce4b6388e8e4d705e79833120034c82061447500256058b34afa9f644474ba87f651e79810ea8f6

C:\Users\Admin\Desktop\JoinEnter.raw.RYK

MD5 d6975d109d936118df05e79dfcf25076
SHA1 b8c200e211de34a8d01368659885805af6010db7
SHA256 6748b40c8a8b30944170ca919a60ab6e4bdb6f9f8ea04b28f7e0e2afb8a1de61
SHA512 3f0181d86ed3a245c70550ff6555a5a7afa444716f07dd5099d927913c37e7bf929eba9832ea5503cd199238e9d00762c38c6e6c2045f3db85530de3305f137b

C:\Users\Admin\Desktop\LimitUpdate.ogg.RYK

MD5 a6c10797e85026197b3689ad9cf7bd67
SHA1 baf28b050e64203965ad8d9114d4e43c4acee157
SHA256 7a08cf4467ba41fb3022ffa673332a6605849604dd8e5cee1c5a5456a4b46bd4
SHA512 5afc65bdbd66532b64d4d5fdde9f1f48bfc6c1591ebb83d101bec7c406734352c5ac100facd49023bec7135e38b3ce4249658b0ae673e741f64d8026a8f45537

C:\Users\Admin\Desktop\LockSave.jpg.RYK

MD5 b0248b0ca222bb212b55fe6c5e29f020
SHA1 e9ed0ca996c4f5ded2aebe91f877ad5549c80e87
SHA256 72ca1116663a08912f808b2707da6821d270481ce6d532a974f495509a42d0c9
SHA512 1b0579b7b0f52c814f6fad2ddc58343454220e954ab8678f79b2a477488cbdfafdfa9ca5037e6d19e339251fd67fa8388b51d97d6aa71f5d25a1c5aa00d5c285

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e

MD5 93a5aadeec082ffc1bca5aa27af70f52
SHA1 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256 a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SHA512 df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

C:\Users\Admin\Desktop\MeasureExport.dotx.RYK

MD5 6609eddbee1fce4aab042af83f7fd287
SHA1 7530d37dfcb56ff68c2702ee487542a5f69321b7
SHA256 e2f0db9624640a4e21e11427cfdc4bc80c233ec85c5e69979c55b544871ba372
SHA512 01461380749a821c1cc91890247f4d5801f987c0b453a01fca0f70e144de305e59312f3901c8b28368d9b87d7fbfd7ca106bf3609213e25b816eedc1412eb0ee

C:\Users\Admin\Desktop\MergeUnprotect.emf.RYK

MD5 88c9f704794d86f6651dc81a9970db08
SHA1 2e9ececc8bce3bc623d595f3dd3152ecce9f3261
SHA256 2eb74f78aeda0468c0ea91b2ad611ad913749ac9d10cc08adbaf88ab76b96c23
SHA512 9bd1857756dd7cc79db6efd9c481f3c5750e0e00bcdb6b4f0f85b48e11c39787c62d1bbdcbcc5bcb5394e56298d8e687e55079f5ef7e337a7d6868a2ba563a42

C:\Users\Admin\Desktop\MountImport.wvx.RYK

MD5 036da0cac3aff00d98ef1295700bb794
SHA1 a2f04d6a61e1020aba4a4d9d443cd1a1bdbcaeeb
SHA256 d2d94baa8d599bcb88e2e7a8de0bcf822e231bc8530715f147f0f8f8ce3560cd
SHA512 8f8f69c8166cf45a8e5cab010acba7848d529cf8daa1be6db17982dbe3d7bcdbd3b36d0e288f75c9d47550f489a6e13d055dd1e6cf5d9ee4feca1e1251788156

C:\Users\Admin\Desktop\PingPublish.htm.RYK

MD5 45de5bb350be022b98522ebba161be20
SHA1 a98dca063d736b08c1bf6d7a3b8e86825f108bbd
SHA256 1423e3334a20c649c4b0213d5c82b0632df31966c9e65fb2523a7facb6319eac
SHA512 4ff22fe700b9b792cb5a0411eefa60b59be5e4f794fbd3e88f5d032803eabbd098532e42409be65d47015b71ab6d57aecdd5141e37eaf79474978aecc489f5d5

C:\Documents and Settings\RyukReadMe.txt

MD5 697717913c380fcc0fa51c080587d09f
SHA1 ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4
SHA256 d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df
SHA512 d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

C:\RyukReadMe.txt

MD5 697717913c380fcc0fa51c080587d09f
SHA1 ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4
SHA256 d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df
SHA512 d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt

MD5 697717913c380fcc0fa51c080587d09f
SHA1 ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4
SHA256 d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df
SHA512 d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\WPDNSE\RyukReadMe.txt

MD5 697717913c380fcc0fa51c080587d09f
SHA1 ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4
SHA256 d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df
SHA512 d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

MD5 f08988ca7242105afb9420ece71b13f9
SHA1 e755cf46e0eddecab03e54d8bdacdd25ebbe01b1
SHA256 48b548776008536c9732bc6349ccad63c3e83181c576c554893cf9b2a16ac062
SHA512 94ef880d5348237676c08724b74dc7210068ab66a083ae103945cd3eba0823f2523ad8e586c322139bb50ab7a75938a28f51bd9d82957d81aaea31e7b22aa2f7

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK

MD5 47c1f2064aacc816ded9c86466ab8b23
SHA1 bea7490ad075ccbe5be81dc7603ca2a3d6980e10
SHA256 797468ae93d9cc533f72e3b89dbe3f62ebd93053d55f2c66719b5b28b88f495d
SHA512 12ddced674e666070fbac5eec26d4f767c53eccd7ce24d3b426444b55ee37e8dfbb174e41510bf62a084bc1d82426afc061d070a43ff9fe15f806a140be6990b

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\RyukReadMe.txt

C:\Documents and Settings\Admin\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\User\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.txt

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-20 06:00

Reported

2022-02-20 06:30

Platform

win10v2004-en-20220112

Max time kernel

190s

Max time network

215s

Command Line

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

Signatures

Ryuk

ransomware ryuk

Suspicious use of NtCreateProcessExOtherParentProcess

Description Indicator Process Target
PID 4764 created 2908 N/A C:\Windows\system32\WerFault.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Documents and Settings\Admin\3D Objects\desktop.ini C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini C:\Windows\system32\sihost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0248cbfa-3a45-45ca- C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\57713a26-dccd-42ca- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6071f8a2-df27-4502- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0248cbfa-3a45-45ca- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0248cbfa-3a45-45ca- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4f304052-ab4c-42af- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\738d1a1f-560e-4045- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\738d1a1f-560e-4045- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6071f8a2-df27-4502- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d188ba0-1ff3-4acf- C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6071f8a2-df27-4502- C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f181c53f-7438-48b9- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f181c53f-7438-48b9- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ed363204-dd6f-44a1- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d188ba0-1ff3-4acf- C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a5bc0835-8aa6-4fd8- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ed363204-dd6f-44a1- = 586ee67b2b26d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6071f8a2-df27-4502- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6071f8a2-df27-4502- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\096a872d1ad5c25c2d1fa193f9a264eaa28bfbb1786b4559c5fa010ba7b54ff4" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f181c53f-7438-48b9- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ed363204-dd6f-44a1- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0248cbfa-3a45-45ca- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\d6c97efd9c2fe1bb644dc37b25bf40675dc9a56cfa794f54b0a0f13793a0a6ef" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\738d1a1f-560e-4045- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8c30684b-fb7d-422f- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f181c53f-7438-48b9- = 61f9d57b2b26d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f181c53f-7438-48b9- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\738d1a1f-560e-4045- = 46e5377a2b26d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\738d1a1f-560e-4045- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\2c0d07861a4bd0d7e6b9923908618e90d8884b23fdae2e6a13f7738f5a7df5fa" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d188ba0-1ff3-4acf- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d188ba0-1ff3-4acf- = "0" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f181c53f-7438-48b9- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f181c53f-7438-48b9- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\738d1a1f-560e-4045- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5db22646-d76d-456e- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6071f8a2-df27-4502- = f38bc97b2b26d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6071f8a2-df27-4502- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ed363204-dd6f-44a1- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6071f8a2-df27-4502- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ed363204-dd6f-44a1- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\1a60e7416ae850b1a24f09e04aef118bc1a4f860be43d1f5e0ec2524e71864bc" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d188ba0-1ff3-4acf- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f181c53f-7438-48b9- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\fa73f9f90b19d72eab919f21453adc6ef89c30b12dd0de6c0b1797ce017e2e8f" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ed363204-dd6f-44a1- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0248cbfa-3a45-45ca- = 03771c802b26d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ed363204-dd6f-44a1- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0248cbfa-3a45-45ca- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\738d1a1f-560e-4045- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\738d1a1f-560e-4045- C:\Windows\System32\RuntimeBroker.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\038f44d1-1143-4956- C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d188ba0-1ff3-4acf- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d188ba0-1ff3-4acf- = 06c2ce7b2b26d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ed363204-dd6f-44a1- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0248cbfa-3a45-45ca- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\8d188ba0-1ff3-4acf- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7e13e28765b8030248bd5468b88758b6e5d119ee36c72c220d8239b70188de9a" C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\0248cbfa-3a45-45ca- C:\Windows\System32\RuntimeBroker.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\sihost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\System32\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1808 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe C:\Windows\system32\sihost.exe
PID 1808 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe C:\Windows\system32\svchost.exe
PID 1808 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe C:\Windows\system32\taskhostw.exe
PID 1808 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe C:\Windows\Explorer.EXE
PID 1808 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe C:\Windows\system32\svchost.exe
PID 1808 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe C:\Windows\system32\DllHost.exe
PID 1808 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1808 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe C:\Windows\System32\RuntimeBroker.exe
PID 1808 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1808 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe C:\Windows\System32\RuntimeBroker.exe
PID 1808 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe C:\Windows\System32\RuntimeBroker.exe
PID 1808 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe C:\Windows\System32\RuntimeBroker.exe
PID 1808 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1808 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2720 wrote to memory of 3392 N/A C:\Windows\system32\DllHost.exe C:\Windows\system32\WerFault.exe
PID 2720 wrote to memory of 3392 N/A C:\Windows\system32\DllHost.exe C:\Windows\system32\WerFault.exe
PID 4764 wrote to memory of 2908 N/A C:\Windows\system32\WerFault.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4764 wrote to memory of 2908 N/A C:\Windows\system32\WerFault.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

Processes

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe

"C:\Users\Admin\AppData\Local\Temp\6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2720 -s 996

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 476 -p 2908 -ip 2908

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2908 -s 2100

Network

Country Destination Domain Proto
NL 92.123.77.56:80 tcp
NL 92.123.77.56:80 tcp
NL 8.248.7.254:80 tcp
NL 8.248.7.254:80 tcp
US 72.21.91.29:80 tcp

Files

memory/2216-130-0x00007FF62C970000-0x00007FF62CCF1000-memory.dmp

memory/2236-131-0x00007FF62C970000-0x00007FF62CCF1000-memory.dmp

memory/2972-132-0x00007FF62C970000-0x00007FF62CCF1000-memory.dmp

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2

MD5 93a5aadeec082ffc1bca5aa27af70f52
SHA1 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256 a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SHA512 df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

C:\RyukReadMe.txt

MD5 697717913c380fcc0fa51c080587d09f
SHA1 ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4
SHA256 d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df
SHA512 d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

C:\Documents and Settings\RyukReadMe.txt

C:\Documents and Settings\Admin\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK

MD5 14367068cf2e8fd2f945af71a46da352
SHA1 6cf710568d3f2568e050e1ace650ce79cde23987
SHA256 d5c8e69c59f451a9d3b883aaee672faa676abb200cff92bb77340688a0d9468b
SHA512 f630a120702917d5fb22ecf739dc7c354cee830794c92ffd07adc8720d035e80fa4e818e4b607542303e55d9dbe7f42865f155799eaceae225cfc1ced133864d

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

MD5 ed857797a865a89f6110a99e3e2e0249
SHA1 4b28864750daf752dd3f976c081a7d77b81ef5d0
SHA256 a0ee31dc7a369f5ce5f56e495e0e2f90dc4fb1e0f9e2da321b8d178cd5e19940
SHA512 474c151795b949b87acf3790736d7543286045781bb847e1f749a456ac7105990d4fd26982025a9cb56413698a096bec405cba14bc5a4a326ff7c6b560e9cee5

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

MD5 5df92ea0b8a731960fbc662c06b7c5d6
SHA1 36cf63d4b6265e7e81cb8b51b9e62a1ea1429a67
SHA256 484749fc6b06f22d17b21b946b2b07d95565c10bdf7b1cddbedb1620a1da0c71
SHA512 7b327ca4b2e3462d96d4bbb4e25a4ab52b3e469eb7a37aed63dcb0101d65bd84822ee96d85bc755a16f846d0bbe089375b159d499513dccfb1b95f53d323bb70

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK

MD5 2ec14fc503032776adff7813ef14c589
SHA1 9c6cf0711f83fb5044b18a42e4fc826790dd8231
SHA256 0abc89ef0298ff9ca832b0879bb3f412765409e7e2edfaf12d060b740dddcd4a
SHA512 b63e7bd7fdc7a67a6bfd80f2731b111a1ecbb145c67c5d13447a52ff42c9eb72eb8b1dce727a8efa0e1ca01e8123463b3ed08b97018bbd030e3e6e16e39383b6

C:\Documents and Settings\Admin\3D Objects\desktop.ini.RYK

MD5 e5032e194891ae3453830d3a0728b665
SHA1 04b07e8a96bf023d244f4cfb3f8ffbbfd77a4af8
SHA256 8487d2d7707b0f563957dd84208432f9269ebe5bc6261c2825988d8edb3a48b7
SHA512 1f855e61fcbbd722e4923076d7f9d8ea018fd00b5f878d87c3bf2221a18d8431df561acb574832fad5d52c948c744a2852077fe58c67c9d35f89a35c7061b2dc

C:\Documents and Settings\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK

MD5 3411fa4ef87d0f0e51804cf2f58d2f5a
SHA1 4c8c7d495c89b43a4fe75a9374d299daa245a26f
SHA256 97b25244ba6eae1474a74a29e5ec2d9eb6d8b615ba6a278ebcc45f6137c11371
SHA512 48aa7f1b3692c143dcec9ab02fa5b56f0650e441dbd596ba4b2e8a818743e0b5f0204f46a7523f574c361266037ce9476223b1c88bfeb194130dc9c72f7d34c6

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK

MD5 09b682bcc838d6d6598b964b3b4e6ba1
SHA1 d2f902933fde3509f218759ef49a849f708650da
SHA256 b96a533a8c4034b94f573cb3ffbb35d9490b0e3696ee335c8abc9efafcce8223
SHA512 2451a1ff063cb8d208a079eb5ee01f536bf5f90c1635b7b35f28e6cafa79a0fb901cf53eecffbc108ea14371f352cf151fe338e8896e531e9daab2a86d978912

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\RyukReadMe.txt

C:\Documents and Settings\Admin\3D Objects\RyukReadMe.txt

C:\Documents and Settings\Admin\.oracle_jre_usage\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol

MD5 17742cc329848ad44b8fc30ef53f0f2a
SHA1 3d9fc06f58d19d823892a9e766a51e51f3695f7f
SHA256 115e4acd6966cc18718c56934f383c8de5efc0a39d5350b0a7ab32f4580367b8
SHA512 a3510ab7f41a795aa7bc64b3e2a5f0b41615f3a680b1525b989a5d643567512f6e17f751c2033b0c2ffec3fb6b074fdc5cb19918572c2056ab7cbcdc2a757a81

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm

MD5 416ff40c7ff29d6ca7aa4aa76f9f9fe6
SHA1 7682c67a5bb13c3e35aea03934d2b39c51edacec
SHA256 5325032dbbad57247a7478e190b2832322a90719d2b3d39bd9bc64922ad28722
SHA512 b3fc560dd476ed8882e60c12f2d6c35cdf500d0719eee2e93c53832a6a57148430abd3058e1a40bf798ac9db189cd5f04ce7a120c86a07d6a77e6e1311759a9a

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db.RYK

MD5 3601708eea0532ca9463d7473202742e
SHA1 84875a50268a8bc1fc388999962472c1e97c220c
SHA256 9c542a1b5dd00fcc16e99a6e5d881546977f3ac8f2dfead68ed2e35f07feb34f
SHA512 d64a88e54dff7a07f14104f8dc4b1dd25786735b82703f8198a737c453fa0509e5cf5c9b6ad9009ff98241794e29bcc8c26a42323d595aae84535a966ccdd3b2

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK

MD5 8d0bb540fa70db2609e5f58268899d5a
SHA1 666c5905c6891b53203d8cbfc4ac6d60cf542cd2
SHA256 f562e10088abd94116295e95def12b517217923e249305da6d4b3d067792d3ab
SHA512 0538ac8844bb513cd44d781b35eb994102f349cfa5bbe0f00808c342d00b80d3d622ca693dc3ba708f7e2ac1aea92eb8a32efe5108cd0f2284a34442ba8bab0c

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx

MD5 be2512aa1935a9978d2833a2b4e66d1f
SHA1 980989e5ca4d2475a94b298c43b1372632f6ba4c
SHA256 98013acee2d4db676bbb05d13cdaa1ca117c7e45ad9ea9b609337030dbacf2e1
SHA512 5d3239f8232b65ac758e03db2faeffdfd2a08f63e4f88de640c512ecf16242c599b6ad7f14fccd4fed9c3b9b2c2c83569d2b21209926ba956310edc39ec8f39d

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jcp

MD5 734aff526b64106462de918fe8440b24
SHA1 88cf782d5552d1b3360f1a89c10bc5076354840c
SHA256 0135deaa219efb8d46b258aff709abd940b16f29639a3bca9b7ce99fa187ffe0
SHA512 6f9f29d49a8253d399c08793663971da1fab3a99ccc064d67d9033cf1191da88074660c24df975762f219e43f30f4ec033a9150c26581e8ca0f266c429f68742

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\temp\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt

MD5 697717913c380fcc0fa51c080587d09f
SHA1 ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4
SHA256 d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df
SHA512 d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46E0.txt

MD5 8ad997d81b20d1ad1405ae4f2982a37e
SHA1 53d0cdfb3a176dad977e0476439077289fcb28f4
SHA256 59098a1031b43c71488dc949763bcaef78c9194ddbb78349887ea0a3e0471612
SHA512 77800eed58474983588476be12051bba9832fe4452c27975161cfadf2c03d86bf8959ae1c93dc1fdcbbe5aa4874e4bb66c4b852b828cb1f6ec315d0b0cec3570

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00001.jrs

MD5 27be4812000724255dd84013c11ab6eb
SHA1 998b7071e786866ec647ecf3ec5d0f0f49fc560a
SHA256 6cab8175b414c9f1aac47778bcafaeebffb5321dc95cb167d1fd87c71b7d1a26
SHA512 6f3b40dda0a315fc414eae3a130a64227190a377be548f850cf93bac84a31c2bbd48af26e5fe66bf0d2f23430b120f425a84595d66aad128121585d2d79d05f6

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46A8.txt

MD5 8b2c9cc4dc5f800f95a76106e2760eaf
SHA1 9c8b150c3f6d6e253c4cd2bd461f0adeaee6044c
SHA256 8871ecce4fc05e83dba2f154beb10857f5195feb14541e7c118f8abe42fec498
SHA512 45b3d2f6f9a53b488f4c0fc5ac7f3fcfe85c57ba2662a6e7cd5e62da2ac1e74ed2afd621aaab0520e2cce2e24818d95a6c0fbcaeeeecf8bd79fbc9fb986457cd

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log

MD5 0ebeced1f19e159ea23f4f3f2b5f785e
SHA1 8ec990c764d38953185cfbed3205f93b440fe04e
SHA256 e49888976c4cdabc8fd7e3162627d4ccce6fc8a0510c4834d8e509b213c21fe5
SHA512 26c56ec2c5fdb2ac68700b017393d938e46735705137ecf5df4649b71bb74fa75e9823765b8bf949ee465043fdab51e40ddfa352818cba73725e3de7d7d6637e

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00001.jrs

MD5 27be4812000724255dd84013c11ab6eb
SHA1 998b7071e786866ec647ecf3ec5d0f0f49fc560a
SHA256 6cab8175b414c9f1aac47778bcafaeebffb5321dc95cb167d1fd87c71b7d1a26
SHA512 6f3b40dda0a315fc414eae3a130a64227190a377be548f850cf93bac84a31c2bbd48af26e5fe66bf0d2f23430b120f425a84595d66aad128121585d2d79d05f6

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\RyukReadMe.txt

MD5 697717913c380fcc0fa51c080587d09f
SHA1 ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4
SHA256 d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df
SHA512 d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\RyukReadMe.txt

MD5 697717913c380fcc0fa51c080587d09f
SHA1 ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4
SHA256 d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df
SHA512 d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\RyukReadMe.txt

MD5 697717913c380fcc0fa51c080587d09f
SHA1 ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4
SHA256 d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df
SHA512 d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt

MD5 697717913c380fcc0fa51c080587d09f
SHA1 ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4
SHA256 d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df
SHA512 d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\RyukReadMe.txt

MD5 697717913c380fcc0fa51c080587d09f
SHA1 ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4
SHA256 d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df
SHA512 d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Web Data

MD5 ede30f536b7449fc68d92440d3c67b61
SHA1 bcff29892f1094bdd2c756a37b9bca5f3d2730db
SHA256 cea1c5be65a1e6ba6419ee7a16fb429179e372f02045fb04e5e0521dcf719e9b
SHA512 b58e1f8ca6e64edd5e0ad484da9da5b2aaf19b75ab3a8617ce72ba518d45a3d113c9b18233bc792e6689e5b3bfa2cb2ff50b72a6fbc260557cf78f867030bc59

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Favicons

MD5 c2cf2751f7684357bc52f1de6ae025b1
SHA1 d684001ae70317973bb7bf5f7e6f591451d714a4
SHA256 3381479a005d6f916fca1520d760864306b6046e18cb3763930f148724d59378
SHA512 126ffabc76a98ebece7e1a872bd700a3b6d9191ad02e1ce803f299f0960c51bda732d5bd3538e8f3b6b4bce44371ffec77c60a065251b9006d82cd46860a6328

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.txt

MD5 697717913c380fcc0fa51c080587d09f
SHA1 ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4
SHA256 d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df
SHA512 d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt

MD5 697717913c380fcc0fa51c080587d09f
SHA1 ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4
SHA256 d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df
SHA512 d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\RyukReadMe.txt

MD5 697717913c380fcc0fa51c080587d09f
SHA1 ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4
SHA256 d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df
SHA512 d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\History

MD5 e1faf1c6ec7edff82b36ad853adc190a
SHA1 994784ea9da4b15224515b18e8ad2e8c1640c747
SHA256 9b10e9f36a4897b3c6c9e97fa37902179a22fdbfe235cd9f502b74e25ed9e1d7
SHA512 d3885dd264117a9bc859745d3672de16dbac4c293bf2b97bbf4907c249cb49f7b7589c361ac94ac20aa220f93c301eb20dada22fb66f736e156d8c369fc15464

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\RyukReadMe.txt

MD5 697717913c380fcc0fa51c080587d09f
SHA1 ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4
SHA256 d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df
SHA512 d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-IQ\RyukReadMe.txt

MD5 697717913c380fcc0fa51c080587d09f
SHA1 ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4
SHA256 d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df
SHA512 d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-EG\RyukReadMe.txt

MD5 697717913c380fcc0fa51c080587d09f
SHA1 ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4
SHA256 d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df
SHA512 d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-DZ\RyukReadMe.txt

MD5 697717913c380fcc0fa51c080587d09f
SHA1 ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4
SHA256 d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df
SHA512 d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-BH\RyukReadMe.txt

MD5 697717913c380fcc0fa51c080587d09f
SHA1 ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4
SHA256 d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df
SHA512 d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-AE\RyukReadMe.txt

MD5 697717913c380fcc0fa51c080587d09f
SHA1 ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4
SHA256 d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df
SHA512 d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-LB\RyukReadMe.txt

MD5 697717913c380fcc0fa51c080587d09f
SHA1 ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4
SHA256 d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df
SHA512 d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-KW\RyukReadMe.txt

MD5 697717913c380fcc0fa51c080587d09f
SHA1 ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4
SHA256 d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df
SHA512 d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-JO\RyukReadMe.txt

MD5 697717913c380fcc0fa51c080587d09f
SHA1 ff8d9cd0dc02f0e088595ed90a2b28a0cd5a71b4
SHA256 d60544ef96ce4e3de24d3ddb83de99e20db1388e7722c7fcc08eb54d1cf975df
SHA512 d2d9e4e28e4639181e1a1a0ad644bc7982305f448b24016c4ea56c59a9bb26ffef1736e4955e40d490dab37d73d54edaae0b23ee813542f3534a96cb863bce11
