ryuk | bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9

Analysis

max time kernel
169s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
20-02-2022 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
Size

207KB
MD5

7899090dd1b61fc2d85b50473e500d8b
SHA1

9c972c2696d68d3d29726cdba061e31c51663c12
SHA256

bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9
SHA512

b976e2f12bcb13ff10fb70338fac775356fb40ba36d11c40c72028c723d452e49128050dc30bac9d66e205162f2994d0f07aeb74a271fd494fd39cd1718b9c6b

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 5512 created 1884	5512	WerFault.exe	backgroundTaskHost.exe
PID 5224 created 2820	5224	WerFault.exe	StartMenuExperienceHost.exe
PID 5208 created 2640	5208	WerFault.exe	DllHost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

sihost.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\Admin\3D Objects\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	sihost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4612	2640	WerFault.exe	DllHost.exe
2000	2820	WerFault.exe	StartMenuExperienceHost.exe
5596	2640	WerFault.exe	DllHost.exe
4900	1884	WerFault.exe	backgroundTaskHost.exe

Modifies registry class 16 IoCs

Processes:

RuntimeBroker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3784a334-4a56-42d5-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e7c23a02-b872-40bb-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9b4aa7ae-1e71-4983- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000005ac4c2f20b26d8015ac4c2f20b26d8015ac4c2f20b26d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000054545d1d2000666334316531613961626566333839333562643065303962663537653039306235613238616237346434353835353861396461353036343566663537306235360000b20009000400efbe54545d1d54545d1d2e00000000000000000000000000000000000000000000000000a6c8c900660063003400310065003100610039006100620065006600330038003900330035006200640030006500300039006200660035003700650030003900300062003500610032003800610062003700340064003400350038003500350038006100390064006100350030003600340035006600660035003700300062003500360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000000592f5451000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c66633431653161396162656633383933356264306530396266353765303930623561323861623734643435383535386139646135303634356666353730623536000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d6c8e39b499083ec1182d0de0fc891f8e3bad9b5dc40371b4eb595e9fc647d27d6c8e39b499083ec1182d0de0fc891f8e3ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\23f28542-9dab-4512-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3d175fbf-d3e1-4390-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9b4aa7ae-1e71-4983- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9b4aa7ae-1e71-4983- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9b4aa7ae-1e71-4983-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9b4aa7ae-1e71-4983- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9b4aa7ae-1e71-4983- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\fc41e1a9abef38935bd0e09bf57e090b5a28ab74d458558a9da50645ff570b56"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\65f8d178-2eb7-46f5-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b6444093-9932-4804-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9b4aa7ae-1e71-4983-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9b4aa7ae-1e71-4983- = 665ad1f30b26d801	RuntimeBroker.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exesihost.exe

pid	process
3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
2112	sihost.exe
2112	sihost.exe
3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
2112	sihost.exe
2112	sihost.exe
3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
2112	sihost.exe
2112	sihost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exesihost.exeStartMenuExperienceHost.exebackgroundTaskHost.exe

description	pid	process
Token: SeDebugPrivilege	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
Token: SeBackupPrivilege	2112	sihost.exe
Token: SeBackupPrivilege	2820	StartMenuExperienceHost.exe
Token: SeBackupPrivilege	1884	backgroundTaskHost.exe
Token: SeBackupPrivilege	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exesihost.exeDllHost.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exeWerFault.exe

description	pid	process	target process
PID 3696 wrote to memory of 2112	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	sihost.exe
PID 3696 wrote to memory of 2128	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	svchost.exe
PID 3696 wrote to memory of 2180	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	taskhostw.exe
PID 3696 wrote to memory of 2436	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	svchost.exe
PID 3696 wrote to memory of 2640	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	DllHost.exe
PID 3696 wrote to memory of 2820	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	StartMenuExperienceHost.exe
PID 3696 wrote to memory of 2884	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	RuntimeBroker.exe
PID 3696 wrote to memory of 2972	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	SearchApp.exe
PID 3696 wrote to memory of 2464	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	RuntimeBroker.exe
PID 3696 wrote to memory of 3384	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	RuntimeBroker.exe
PID 3696 wrote to memory of 828	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	RuntimeBroker.exe
PID 3696 wrote to memory of 1856	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	backgroundTaskHost.exe
PID 3696 wrote to memory of 1884	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	backgroundTaskHost.exe
PID 2112 wrote to memory of 2252	2112	sihost.exe	net.exe
PID 2112 wrote to memory of 2252	2112	sihost.exe	net.exe
PID 3696 wrote to memory of 1524	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 3696 wrote to memory of 1524	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 3696 wrote to memory of 3392	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 3696 wrote to memory of 3392	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 2112 wrote to memory of 2868	2112	sihost.exe	net.exe
PID 2112 wrote to memory of 2868	2112	sihost.exe	net.exe
PID 3696 wrote to memory of 5104	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 3696 wrote to memory of 5104	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 2640 wrote to memory of 4612	2640	DllHost.exe	WerFault.exe
PID 2640 wrote to memory of 4612	2640	DllHost.exe	WerFault.exe
PID 2868 wrote to memory of 2960	2868	net.exe	net1.exe
PID 2868 wrote to memory of 2960	2868	net.exe	net1.exe
PID 3392 wrote to memory of 5124	3392	net.exe	net1.exe
PID 3392 wrote to memory of 5124	3392	net.exe	net1.exe
PID 2252 wrote to memory of 3720	2252	net.exe	net1.exe
PID 2252 wrote to memory of 3720	2252	net.exe	net1.exe
PID 1524 wrote to memory of 5132	1524	net.exe	net1.exe
PID 1524 wrote to memory of 5132	1524	net.exe	net1.exe
PID 3696 wrote to memory of 5416	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 3696 wrote to memory of 5416	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 5416 wrote to memory of 5532	5416	net.exe	net1.exe
PID 5416 wrote to memory of 5532	5416	net.exe	net1.exe
PID 5104 wrote to memory of 5540	5104	net.exe	net1.exe
PID 5104 wrote to memory of 5540	5104	net.exe	net1.exe
PID 2112 wrote to memory of 5684	2112	sihost.exe	net.exe
PID 2112 wrote to memory of 5684	2112	sihost.exe	net.exe
PID 5684 wrote to memory of 5740	5684	net.exe	net1.exe
PID 5684 wrote to memory of 5740	5684	net.exe	net1.exe
PID 2112 wrote to memory of 5760	2112	sihost.exe	net.exe
PID 2112 wrote to memory of 5760	2112	sihost.exe	net.exe
PID 5760 wrote to memory of 5812	5760	net.exe	net1.exe
PID 5760 wrote to memory of 5812	5760	net.exe	net1.exe
PID 3696 wrote to memory of 5928	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 3696 wrote to memory of 5928	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 5928 wrote to memory of 5980	5928	net.exe	net1.exe
PID 5928 wrote to memory of 5980	5928	net.exe	net1.exe
PID 3696 wrote to memory of 6000	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 3696 wrote to memory of 6000	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 6000 wrote to memory of 6052	6000	net.exe	net1.exe
PID 6000 wrote to memory of 6052	6000	net.exe	net1.exe
PID 3696 wrote to memory of 6076	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 3696 wrote to memory of 6076	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 6076 wrote to memory of 6128	6076	net.exe	net1.exe
PID 6076 wrote to memory of 6128	6076	net.exe	net1.exe
PID 3696 wrote to memory of 5156	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 3696 wrote to memory of 5156	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 5156 wrote to memory of 3876	5156	net.exe	net1.exe
PID 5156 wrote to memory of 3876	5156	net.exe	net1.exe
PID 5208 wrote to memory of 2640	5208	WerFault.exe	DllHost.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2128

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2884

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2820 -s 3104
2⤵
- Program crash
PID:2000

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1884 -s 3344
2⤵
- Program crash
PID:4900

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:1856

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:828

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3384

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2464

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2972

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2640 -s 1020
2⤵
- Program crash
PID:4612

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2640 -s 1020
2⤵
- Program crash
PID:5596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2436

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2180

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3720

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2960

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5740

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5760

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5812

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:5572

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5780

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:3700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6020

C:\Users\Admin\AppData\Local\Temp\bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
"C:\Users\Admin\AppData\Local\Temp\bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3696

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3392

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5124

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5132

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5540

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5416

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5532

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5928

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5980

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:6000

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6052

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:6076

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:6128

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5156

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3876

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 2640 -ip 2640
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:5208

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 2820 -ip 2820
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5224

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 1884 -ip 1884
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK
MD5
35fd40462e4010741d9a53dbb0a7a9d6

SHA1
562a58b7302fec5de2af21867ff4ffcf9163082d

SHA256
b37917d482da76b8466429412c93c7ee2ef80fbf5cbedbb8b523f598b0916c9a

SHA512
03023096db262eca9e1cedfef61d7db989d23bd09e9e3ccfbc1f37a6ae9cf1d49b743a6d11d95aee9f7578fd9684be19eb691a9914e4e2ed7bc71822a3f3c5f1

Download Submit
C:\Documents and Settings\Admin\.oracle_jre_usage\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\3D Objects\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\3D Objects\desktop.ini.RYK
MD5
be445726623e463c01ad73e20e8c9155

SHA1
fc0c1a4a1b2863aacfdcece3797d448283b91c9e

SHA256
b258af59116623d44502537409447a1bfb5443711aeaa0ff1f450d178c9679c2

SHA512
07fa0b325847d6cf665295ab015b4473e3202a4305ad9ab0a27f64a1627fb82a8eb87929869939593c2eb4983f598d07c3106b94197e3b07d4ee1fd61fe91e6c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK
MD5
050fe2ea77956e14f4dc76f5bfd38d0a

SHA1
5c274cdb12421f83b394ab3bab452920540979aa

SHA256
e4fbeeaab669cb17025fa47f12250c9837c2a5dd2ec26de74fd5ccb2402ee9c4

SHA512
9c316adfcfc9b4acb7750e3809dfc94a70c3a279c9deadebdd35274394ea04bb90f5fe12ddd879d40fe7900c35c8a3e591e00ee07bee977061bc9605bfcdcfca

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK
MD5
e0b72934a6fb396061dac59e7f2dd8a9

SHA1
7bc0d2fade98d6624a29e0d880f24793dc09c992

SHA256
07ae656eeabaf724c278526cb9580684aece808f4c1ea8722350f8140e62fe73

SHA512
141234a8d882049af86317629b28124519ebeac2b07c19861bcda796553fe05938ab79c2f5caf1857234e58272abc69426a6beca23015a4dd3df526f575c1b47

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK
MD5
d5911ea49221c8d4164938aba620f8ef

SHA1
93c1db182bb7fd73d77deef5faf75c9facebb11a

SHA256
2b201913100204a241512105a8bb89849b603ee22157f9f3ac9a274dd0862ac2

SHA512
e702e27522f426d78b6ef54c3376df5b08f42fb32beee036a7d93691f3e173fefa8f707ac99631e2fc4e91b07800f4f4d15abf79b8a96f1bd7892455f937c674

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
MD5
3b2130f6a81a6450ccde8293915e2fda

SHA1
ae8c546ad0f4c6c0589d663b59823ad887a673b3

SHA256
8279d7cec0a6852753abf3e4db161b8ce37fd6012743560d6c8a87c706f011aa

SHA512
d25587396cdf8c1a17c455934457c8c643cdf87265ddb72f17f88ee7d1d921890ec4a59073a53f25ab7ae6a6cc3219e2f0aecce803e3ea75717d495f536b9763

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
MD5
18766a9419ae5133b9fe7149e94d20ae

SHA1
d18838d85bcca7be03da59548bb9bf6a7094c7ad

SHA256
fe7406a299d02195bbdefc7e3bbebe35c2b9f6694e13006230a7257d59df0bfb

SHA512
97fbb1104629bb46a3d7d254f045db0874ad82cb382747f25ea923cb33dd9c7a770a0111752804d41f4f656ed09ad68c40b9c3c541684c1edd400bb58ec51bc1

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jcp
MD5
ee136acc4edea97b17f43005ff1dbeed

SHA1
9fbf4e13f64adc43e8a6361721f0f55e825e3d61

SHA256
2ab2cdb897d390d571cac56f4f7ab5a6f92a2e93a37e3fca621b68bbc1f2e2b0

SHA512
7f82493d2a5f981e0b7efe298b065f51e5ca275d145aab04b70805b1b70cce95b3bda5e4edee77bdd1679531f312b1609587cf1b6452da49dfe6badae7d4c5d9

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx
MD5
a1aebb7011214fd6fd1d6b9fe0d92871

SHA1
3212de873be2313b445b982d589ed8aabd4c1501

SHA256
a1fb8a99bb4f345113f611088fcbc20c2c2f4631bdf64b2449cc227bfd005cfe

SHA512
0461711274eb9e235d2bed2201c85db31aa1ccb4fc91999c84a339c3de9d601d19d7cfa8a48018645b3c9d76602bd691c3713782086d33c954fd957a90c11ee3

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm
MD5
e1d9fd3587b34f6a8250ba46df0e26f4

SHA1
060d02f9f5ccb51a668f5ecf072de740968db2cf

SHA256
73d53a781c9508a6791b2c9f0b0c7c08dc179516c05768f34de9eeaaec643c66

SHA512
cf7748c25a1e49502aace6a831b39b8eb98016c66ce63167ccf9d7ea75048747edc88ef28e91cf484d12e2d1f3d691266a4a99a4ca066982150a2fc6b6fc509b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol
MD5
5f743dfc44765cf904bd595cbf8e4fc3

SHA1
ecff6e5dfe910fec25bf87cf7869b815147b9fbd

SHA256
d91132bf7f272e788e9116ad71144829e8bdaf2ee53fe04dea7465c8e2543df7

SHA512
176c200b9ca845c82eed35ec2c5fd25601af1fde509d47a1e0b6dc1750d6415e3f4f5d2de0e424bb9c8268bf90e5cb770895a5538abf127fbdc49567417e7e62

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK
MD5
521bf9929d7de8d2424dc640c3d574ee

SHA1
d260c2db6b374d65ecd7d394aca37a510838c3fc

SHA256
a0bbe8e3e5cbc2060e99e231d684c4be704aeabc9fc2296a8130c0d65a1a8623

SHA512
d565bf7f90c7ca13c170f97a4c692fef12b76459291ab47c3fc88885a9b6f295ae505b5598b34957a590d2c069a63d647805b2e82ba02d7042531e4647612ab8

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db.RYK
MD5
88e364e5f7f92e12ad9c370ca0fb7952

SHA1
0651f2d33bf6625d02d472359903d053f01fbe1a

SHA256
e2dbfde2e81f8184f026510db5bc50f377efdbedbdf5391a6e71f5c4487f51d7

SHA512
bd2c2cd18cb210cc8c8c2b9bd74399150d8f1ce3c0cb2c483ee37a2f48de4a810b4b2d16b5b646bf2f048e3f47e3dd2942d1d53418e8a5ea43626423a2b21b9b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\AdobeSFX.log
MD5
c024596d57f5bb1ef361e567d88a64ab

SHA1
e9eb3132aa243f029869677e3bc2df7602854818

SHA256
03382938aad75d981226b8c6df081b021b459da1ea87cea91b2051b15dd9c20b

SHA512
df3757daabc2099831667f4f8c4a881600a65cc66a4e17de5aadaaf101ffcd59195f6cc790bcb651adcbe249ee541f5f4094862f364ef7269dc6d75f2e607ff0

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\aria-debug-2324.log
MD5
048d10a704a567ec9a1834c549e6f7fa

SHA1
1b67c11e0009dc45ae172e7c96903b3fe8c1339c

SHA256
9fdbcfaccd3721832174ed6a997ea2f63c3ef3800d0628cc0e6ca2435c056356

SHA512
1348eed44bb5047cc14d07271183bbbe413a35b71eb0b649feb53412da7be6a902f32d8402742a707b36161974daa4a7035d2e8fac7750d8d9d1a24a198e72d1

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
MD5
fdfa4c774aa5911ff645ef7fd4f334a9

SHA1
4381bf1618ed0aefcd65ddb01f9069675953fd25

SHA256
4334a563018619bd55e64ef23d55a94f34fc6c0f873e801786085dbec7e5e111

SHA512
cc0ee9683fbc1f1ecd891e40387f2e105f18df8461c2052ea584fb8305db0fb48949d7cff74274cc43a170dd96dfd6f152356bc7402c1a3146ceeaa33ac1f488

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46A8.txt
MD5
185489a80afc3a9b47fbd2b9839472b5

SHA1
cfa76b143f5afbb405559c8bf8a91cf2b8285259

SHA256
61824d96fddb96c095a6046775b6b508d2b953fe122c4a249aff8e8b7b8461c5

SHA512
8f1f445a18293cc88b4d3058de3cd705fe0d5e8e741f47461072d43a47b540c7b264ab7034e87f22e5e23dcedf320118550c0ad4d60c744d0a24a1f6fac79204

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46E0.txt
MD5
c8356ecfa6ffe934145f4a2fb12e5886

SHA1
e8f87243e788b9b4144442e06e834af3006eeca3

SHA256
3756987a6c6b91fb201072affffc6919bd99b16fc0661b1f7ac274c0095d5a9d

SHA512
48d40dd6730f8292771bb32b1303ac121fa2c088e6fbb6ca856c43186b47aab8bc3eea2b3314037e52d2cbd95a01679edbaece53a8153f11453c12252bf7b653

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log
MD5
147888cba0354fc6a3ef57faad3e49d5

SHA1
58f0e5d0b962d796fc453c76bc857c6544c5a7b8

SHA256
e9000ef37d970b229479c3725e2dcb6e42b1efd7723ae8925244f8b93671c9a7

SHA512
59a7da8e2cccd78c857cef79c683c31a3fb0c16a7857d787588bacf42c2d0f228ce6e5dac2951b328b5716adc44e85c7f1feaf881705391ccaa63e824f8df930

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\msedge_installer.log
MD5
b2fe043ba0ccc005f05285a0b4cf0b27

SHA1
6657ff2402f600bf9ad2f95923db956e0e61756a

SHA256
c94edda492f6dca680610c48dbffc9df2f653e8925b8d141b94706780f2bdd8f

SHA512
581288da03b669fe696a019a7444e8b0ff9ee0853400fd173c72f78e5063ee0915243cf10fa99c29361569fba3b09961157f4784ccce28a367e8458a641c7aed

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\offline
MD5
11b39b40dd24320dbab0e22993720c40

SHA1
e5ac1fae95590e3d972cf0b95365c2c573d325b9

SHA256
3766974a61e5ab1e6cd520709cda13c996660c089b096b4cb7679f574a26ad16

SHA512
12ac6407a785a0f14da81892ce2ee143edfbb41eb0736b41ce12047f482e63d8597eb705a914535928d88ab5c15c2011686e1d6f1862bd64fe668617632d371f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tmp3097.tmp
MD5
40b59e83a5eb7b623dcd5ab3aae963a3

SHA1
305268cc1fca49d2935d71af1a309318fe0e0236

SHA256
8cf3e5bec3af407f67db7f6d12543eaf20c90e77d27f4939cd89a483a61c3701

SHA512
58a859b405c29eec3a3844ff0f12e1721117fba9c8110d70536c290b8335d208f0ba09a7c820b3e852c08caa1fe612f7fc17423a679e0f2a86486711f3355e5e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tmp3384.tmp
MD5
4af74de35c2876aaf995b05e6184c108

SHA1
9bbda8e5f67f1f0737d240821c14bf103949b83a

SHA256
3d065dcd6c71d979346f54dfccd192bb962031ba2ee05894cd2d70c9389da99e

SHA512
ac09d3c4d94caefe15d51f58711ce539e7f22fa9c90293db17ccf8be000604ba6958e0bca9ea3c9dd1f5ef2f8ecf3c321bb5b11c753381c38ce375f8d7ecc118

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct2BC9.tmp
MD5
81381f0be92e7e7359071fe76a018d06

SHA1
534038f4673708a06a8c4068a403eaffdd8cc6f4

SHA256
8afd090888efdd6df39de68ce370d017e37fe6aa00814b9e10374ee2dd3d60b3

SHA512
cd45ccc4787a8c9199b7468ecfb463193cb8cc8b02d16206ba636a822f2f731cf6d51bac8930af60cfcd17824577de79263c11fda62ee58664935c10e76915da

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct2D5A.tmp
MD5
0db6f90a2d109c80f1903875bf1bfb74

SHA1
16eda30e8658d68e27c0372819ac989feadd03bf

SHA256
62326ce2a75f3f26c6b16bb789e5c326fcf23f01149d656e7ed995c5f1779bbb

SHA512
ea664a5b09a2c63346ef12873c900969c1f5eed7655cf7635acd36da7f64014e1306a2606b33734457e9bf27effdb95be24a237a84bfedf63f2fdb193155eb43

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct530C.tmp
MD5
8f6c6d3ba14c47244c835d4472dd0263

SHA1
f260284898f84bccb3e696ae4b5f6ea54beff2a8

SHA256
6e6cf878abfd528fa3292485e39a3d754230321093678e2c32183ef0b756297a

SHA512
79a84fbafc7967c14cf6bd5d2a1f3a94a7be7999aa50669b1f72498def361697abf4db20e1b6b0373ceb50feea059712dcd178051f896b0a5691d65aaea6dba4

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wctCE8B.tmp
MD5
d358738b7e2dd0bc1184b05c1fde90be

SHA1
3df2cb68bca0caa072aa39a86db1ba7ac0725fc0

SHA256
560452033100e577218d164c217e261a0eee4fd02b129dc839be270f78b7a885

SHA512
0776dbdca95de3a27d589cedba37b660e6c7445e6a97f1b2623952a7ad2088730377b84f462e7ff8acc2276042f7db3a76d3c4c9f3873dbc3cdb98d734e7b50a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wctE22A.tmp
MD5
ad0c094d98daf07a0d2f20bddbde455d

SHA1
27d2480a14f80316b39626dedb79d3e0f9aa8375

SHA256
163b76ff72386302315a308dacbbc68159f97345dedce33daad8fb4c59b0bcfb

SHA512
d77ed50949bf82267320d133ff3b98661a497c3f3f517714afd010f82292d6a062996c85e1e0d511cbbd4e5a23662dad5e9a1f4b4199461469e1063ef23dc768

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wctEFCE.tmp
MD5
84f1206973c5bb9511fbf9349168891c

SHA1
87a6b0eb7cde7d457cd2ee9e4596fc30d3440fde

SHA256
0185e4559e11ba0ae7e7c2a5f1d73328ec566f619c08f526c51105c7301973b6

SHA512
fdc63d7ecd8958b099db45ebdf5cfd2fb9cce4df5a339adecbe1413a602729032bf8533a7f2d861cf7969b71a59789d642bb2a94dbf9467115ab8f02ade82530

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log
MD5
3ad493ac26d48c5e52c4d3bb9e8f5ee6

SHA1
71687aa847a95e042b6a776de16bedbdf0495ab1

SHA256
3e3bfdf6d6e72f9f73ae6401b0787fc974f0cbfdd5ecfacccb537d4b28247bcb

SHA512
0ef78dea9605d03a1d01f7aaffe78c90253107b38018f52d32f838a48ba7f430ed3cd2bdfc0737d82d90ac7f4104a20f32850dd71d055b2a75e0a38df7dc82b1

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log
MD5
3ad493ac26d48c5e52c4d3bb9e8f5ee6

SHA1
71687aa847a95e042b6a776de16bedbdf0495ab1

SHA256
3e3bfdf6d6e72f9f73ae6401b0787fc974f0cbfdd5ecfacccb537d4b28247bcb

SHA512
0ef78dea9605d03a1d01f7aaffe78c90253107b38018f52d32f838a48ba7f430ed3cd2bdfc0737d82d90ac7f4104a20f32850dd71d055b2a75e0a38df7dc82b1

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.jtx
MD5
6adc0fabfddbcb54dcd4b55940bf53ba

SHA1
33af85f5d08c9c45afefa21fb9b61634a1710a56

SHA256
266876aacedab4958d5139d2d3abc5d0f788a6911f2944f0a59cd080f2943ea5

SHA512
13b71a1479b7cedacfd965c642eb6c3ab9e8036b55297795ffba1c49d60e76422d7b519b455a264f42fb632a2e27cb2d7b123bce29a1de7e3239b5224863e3e3

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\temp\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
memory/2112-130-0x00007FF60C870000-0x00007FF60CB4B000-memory.dmp

Filesize
2.9MB

Download
memory/2128-131-0x00007FF60C870000-0x00007FF60CB4B000-memory.dmp

Filesize
2.9MB

Download