ryuk | cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c

Analysis

max time kernel
191s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
20-02-2022 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
Size

204KB
MD5

b2a8e087a58b7ae25ac3c85f8d468ebb
SHA1

d3d39b86f3fafde2c21f4d304a04ad579965f19e
SHA256

cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c
SHA512

032a2b686215d1c108397c8af88420550fb9e5cb0d91d24539a3d9385dae816dbc45f409372cb3056e87fd23c32fed0469a27e7c4f48398c3c7108ce8e376c0b

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4916 created 2592 4916 WerFault.exe BackgroundTransferHost.exe

description	pid	process	target process
PID 4916 created 2592	4916	WerFault.exe	BackgroundTransferHost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

sihost.execb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\Admin\3D Objects\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4696 2620 WerFault.exe DllHost.exe
4704 2592 WerFault.exe BackgroundTransferHost.exe

pid	pid_target	process	target process
4696	2620	WerFault.exe	DllHost.exe
4704	2592	WerFault.exe	BackgroundTransferHost.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe

Modifies registry class 17 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exeStartMenuExperienceHost.exesihost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4718f333-f7f5-44f8- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000003591ee950826d80190f299990826d80190f299990826d80124b206000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000054545a1a2000623637366339313136623964326231626335373038396635323263653362353262396136633035363430366232303265363738376235303136653963316565370000b20009000400efbe54545a1a54545a1a2e000000000000000000000000000000000000000000000000004d053f00620036003700360063003900310031003600620039006400320062003100620063003500370030003800390066003500320032006300650033006200350032006200390061003600630030003500360034003000360062003200300032006500360037003800370062003500300031003600650039006300310065006500370000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000007f5945cf1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c62363736633931313662396432623162633537303839663532326365336235326239613663303536343036623230326536373837623530313665396331656537000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d60992324a9083ec1182d0e6101b3923d5bad9b5dc40371b4eb595e9fc647d27d60992324a9083ec1182d0e6101b3923d5ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-790714498-1549421491-1643397139-1000\{1377E13F-070D-4F09-ABB9-EE3005778683}	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4718f333-f7f5-44f8- = 6282229d0826d801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4718f333-f7f5-44f8- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4718f333-f7f5-44f8- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\b676c9116b9d2b1bc57089f522ce3b52b9a6c056406b202e6787b5016e9c1ee7"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4718f333-f7f5-44f8- = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4718f333-f7f5-44f8- = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4718f333-f7f5-44f8-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4718f333-f7f5-44f8-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exesihost.exeWerFault.exe

pid	process
1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
2096	sihost.exe
2096	sihost.exe
1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
2096	sihost.exe
2096	sihost.exe
1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
4704	WerFault.exe
4704	WerFault.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exesihost.exeStartMenuExperienceHost.exeBackgroundTransferHost.exeRuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
Token: SeBackupPrivilege	2096	sihost.exe
Token: SeBackupPrivilege	2728	StartMenuExperienceHost.exe
Token: SeBackupPrivilege	2592	BackgroundTransferHost.exe
Token: SeBackupPrivilege	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
Token: SeShutdownPrivilege	2888	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

StartMenuExperienceHost.exe

pid process

5224 StartMenuExperienceHost.exe

pid	process
5224	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exeDllHost.exesihost.exenet.exenet.exenet.exenet.exenet.exenet.exeWerFault.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1928 wrote to memory of 2096	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	sihost.exe
PID 1928 wrote to memory of 2112	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	svchost.exe
PID 1928 wrote to memory of 2156	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	taskhostw.exe
PID 1928 wrote to memory of 2416	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	svchost.exe
PID 1928 wrote to memory of 2620	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	DllHost.exe
PID 1928 wrote to memory of 2728	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	StartMenuExperienceHost.exe
PID 1928 wrote to memory of 2888	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	RuntimeBroker.exe
PID 1928 wrote to memory of 3032	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	SearchApp.exe
PID 1928 wrote to memory of 3108	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	RuntimeBroker.exe
PID 1928 wrote to memory of 3460	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	RuntimeBroker.exe
PID 1928 wrote to memory of 2880	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	RuntimeBroker.exe
PID 1928 wrote to memory of 3300	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	backgroundTaskHost.exe
PID 1928 wrote to memory of 2912	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	backgroundTaskHost.exe
PID 1928 wrote to memory of 2592	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	BackgroundTransferHost.exe
PID 2620 wrote to memory of 4696	2620	DllHost.exe	WerFault.exe
PID 2620 wrote to memory of 4696	2620	DllHost.exe	WerFault.exe
PID 2096 wrote to memory of 5116	2096	sihost.exe	net.exe
PID 2096 wrote to memory of 5116	2096	sihost.exe	net.exe
PID 2096 wrote to memory of 4456	2096	sihost.exe	net.exe
PID 2096 wrote to memory of 4456	2096	sihost.exe	net.exe
PID 1928 wrote to memory of 5232	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 1928 wrote to memory of 5232	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 1928 wrote to memory of 5240	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 1928 wrote to memory of 5240	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 4456 wrote to memory of 5260	4456	net.exe	net1.exe
PID 4456 wrote to memory of 5260	4456	net.exe	net1.exe
PID 5116 wrote to memory of 5272	5116	net.exe	net1.exe
PID 5116 wrote to memory of 5272	5116	net.exe	net1.exe
PID 1928 wrote to memory of 5296	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 1928 wrote to memory of 5296	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 1928 wrote to memory of 5304	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 1928 wrote to memory of 5304	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 5240 wrote to memory of 5524	5240	net.exe	net1.exe
PID 5240 wrote to memory of 5524	5240	net.exe	net1.exe
PID 5296 wrote to memory of 5512	5296	net.exe	net1.exe
PID 5296 wrote to memory of 5512	5296	net.exe	net1.exe
PID 5304 wrote to memory of 5572	5304	net.exe	net1.exe
PID 5304 wrote to memory of 5572	5304	net.exe	net1.exe
PID 5232 wrote to memory of 5580	5232	net.exe	net1.exe
PID 5232 wrote to memory of 5580	5232	net.exe	net1.exe
PID 4916 wrote to memory of 2592	4916	WerFault.exe	BackgroundTransferHost.exe
PID 4916 wrote to memory of 2592	4916	WerFault.exe	BackgroundTransferHost.exe
PID 1928 wrote to memory of 5548	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 2096 wrote to memory of 5540	2096	sihost.exe	net.exe
PID 1928 wrote to memory of 5548	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 2096 wrote to memory of 5540	2096	sihost.exe	net.exe
PID 1928 wrote to memory of 5536	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 1928 wrote to memory of 5536	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 2096 wrote to memory of 708	2096	sihost.exe	net.exe
PID 2096 wrote to memory of 708	2096	sihost.exe	net.exe
PID 1928 wrote to memory of 724	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 1928 wrote to memory of 724	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 1928 wrote to memory of 5500	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 1928 wrote to memory of 5500	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 5536 wrote to memory of 5640	5536	net.exe	net1.exe
PID 5536 wrote to memory of 5640	5536	net.exe	net1.exe
PID 5540 wrote to memory of 5660	5540	net.exe	net1.exe
PID 5540 wrote to memory of 5660	5540	net.exe	net1.exe
PID 5548 wrote to memory of 5648	5548	net.exe	net1.exe
PID 5548 wrote to memory of 5648	5548	net.exe	net1.exe
PID 724 wrote to memory of 320	724	net.exe	net1.exe
PID 724 wrote to memory of 320	724	net.exe	net1.exe
PID 708 wrote to memory of 1980	708	net.exe	net1.exe
PID 708 wrote to memory of 1980	708	net.exe	net1.exe

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2912

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:3300

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:2880

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3460

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3108

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3032

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2620 -s 940
2⤵
- Program crash
PID:4696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2416

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2112

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5272

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5260

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5540

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5660

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:708

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
"C:\Users\Admin\AppData\Local\Temp\cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5524

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5232

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5580

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5304

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5572

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5296

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5512

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5548

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5648

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5640

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:724

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:320

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:5500

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3856

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2592 -s 1100
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:4704

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 436 -p 2592 -ip 2592
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Modifies data under HKEY_USERS
PID:4920

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK
MD5
579ebe82e5ef8ea8049c7bc2642728cb

SHA1
6b218529072772a6c8fb996b3a198642cbe54d98

SHA256
dcb31fd576f93c3a9cec91a67f3883cd5ab9495996533f55b8347fdd67d9dcf4

SHA512
8d1fbf88bc151bbd41e3965e79a550600cc790942058d2ad8dc97c9a1aeff55e5637bb21852b25ee2c0ce01fa538eb0dffedbecf0c0fa4880a8fc7ad4cb53b7b

Download Submit
C:\Documents and Settings\Admin\.oracle_jre_usage\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\3D Objects\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\3D Objects\desktop.ini.RYK
MD5
0d675de1af0c1d187d0bab1bde726bb4

SHA1
06c0cddb8f40ae58582a1a259966d265cea40ff8

SHA256
71adaf61384c167f8148a93ed443fc65c51a4f4ac0390ae7b2fe00a2c6148a50

SHA512
d7beacc193c14eb236f61d3d08e12e3b718eed56a74e2010ea8eafd7c4a13505aac9fe56a2432bc6b9ad447b5ff7f96ed717879d8349e0b251a4a56d5418980a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents
MD5
deb1728ff30f4ce3bb640c812be80091

SHA1
aa11f11336b7a1e90ebf8071cff2fb83da524971

SHA256
d41135d80a909b588e093c6fbdb152ad12a20e1549678b83b895a889e0c2486c

SHA512
d94469c42fc1c0b932c753fe2c3ad39cdf6cb2d972320e539dc10c4b235558d9d6d3668c0d562b2023c30d36056cb0a857bf3fa0d266de377a61fccbc8da7bc7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK
MD5
518a0c5bbfc66b3de7650c3ab54bfa65

SHA1
a5af0591284b60550a1dfaef0cad1b9ddd4348f2

SHA256
c2dab2f65228bd2bd4f4bb35392dcbe5bdf3dc6ec51013a434d3c957c0284535

SHA512
096183b814fc93bc720e80f1fd9d2d9db7d053da64938d9049beeb08c68649d9594e1bf6d97056441660af2f8b7fab1a8fb6fb53551fdddbfabf9926987c7c29

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK
MD5
a0f1a450da474f2eded47a41da40f28c

SHA1
5768f70c7af917f871b9ffbe80df489c8bd7aa35

SHA256
835fffdf9f6242465384fc1f5775fb4a97aebe6d9bdaf062385ea0bc4a0ab916

SHA512
5308bc82620afd08ce7f07f9be9557146e589e39c7c6d8d9240d4f0b0f721a28c463be1ff389e4b4be1dc9e91098e05dc72995b21473e0468dc16aada395c9fd

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
MD5
bbb902761a6bf265908e2f26db24a762

SHA1
46c20ef6a6a9b06723e7b049fc60e6192bb6f0f5

SHA256
7652daf699ec5654d6204288877bc5808058b6ca47d384e277fd0c7503dc5f56

SHA512
7825badcc94a365ddfe19d21e8ac0f64ece321e088d2605798da91e16a35eb566804b320bfb844e28ddc6d06542fac130994c009e1ca7e1c8790382b0c50398b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc
MD5
6740b37edd9d9e5bf519d3b4010a9a5d

SHA1
8c3307a34e6520e67c6f20624e55e645c77af975

SHA256
3a71e08d35c9dc391cb00e6eec3b5d38144af9738ac113fd6b558e9f5d299eff

SHA512
daa97b2d521ce5a6c55a7ae48892f4ca38d4e25a4b7b623148f65614b88da85fce244779680ae71fd2c6e0924224ed1bfc866746cfa6035db9e3df86db9efeae

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jcp
MD5
3f60cfd53c3418dd6d7cafbb9bb8bbff

SHA1
3eb1d66a62157ebf75a711057a68e12b4b2e7168

SHA256
1250dc7b99f2895af24f9ef54b9061ffc74ae9fa576320f8d668f18d040e7c45

SHA512
be662a6b7642e27022449fa59cc381354bdce5e9c6cc82d06ca227b0082153db8cd8c1a1a4740d7dd2c0132e217678ea02920caea70b418693dc66b0b46dd2a9

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx
MD5
4ecfc68584cd8b87d90e894eed3eab23

SHA1
54cacf32553920ae3dd31791f09fffd0ed38bb0e

SHA256
7ed440453ff27dc3e4b694c44b3384f831008eea1018af35eff377bd580fd865

SHA512
c0ee3cc7fe8ade5c10957c559468e313d8b1f6f24bbc8cc68aa5ba4f65df377ecfe85e9aed73a178267d217032b850de4243ed0e4be5c283cc7f6137ee79fb16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm
MD5
0bf575157383e9aa46042c2e468338aa

SHA1
c29f8054648810d314e6ba789254f79972a23e65

SHA256
9d969f4a9cb789e9ef92a178ffeba0e83790999cf754fb342d9cc0cca3a2bdd7

SHA512
db9068089ae9eaa814857145f5ccf436f5dbb280b930b666b8dfcf2cc3e934764aadfc4892ddf62fc48fb4191a0715e1c7e54c23a0c79f357782450b7dfb4ef5

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol
MD5
68d2ea35cf34974a3edc714be6ebc5ed

SHA1
1f1c778115e0e9e8f16ca8c270d35aee81e49273

SHA256
8134e41d7e34fa1c39bc116a51da2fd28ab1df7b8a690951c4130747a954a305

SHA512
261d5ae373a6a478afc565f223865808bc9445f09ccfe27e3e9793430eda6d73386fc58557402984166b746b22fa44f9402e8f682cb52f23d31b2b5acf8e5f35

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db
MD5
71c20f3084c2c36a4e885b7d247e836c

SHA1
3a797614003583079fa590b325f033ad129ed852

SHA256
b57689ed8b39931459616bbae1e857248cd956d1bc0ceafe73a0b78f8aaa0ddb

SHA512
3b9d92c175f82632fd3841ebf443c291445f577c5494b945d889053a79eb0f214690860f4c41d27970dbc72e3f29f7c68a7e1c26664b62f47f9901c01b5d8daf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\AdobeSFX.log
MD5
5f12a3207ff4e8f96118d897de708cc9

SHA1
c0b3523c192a7ef90b6ca9ae1c9aa0e425efd00c

SHA256
fd775575362c5788d8fa63386dcc2dace1c203a1f9a3af0719e25f811d2621ff

SHA512
be24fbe4071e946279a31a44fbdaf0c22056bc91b9d37dda83296b3bfd9a9eed8e5aa776bbe01fe36c21610c2eb7a1ccc1135f63d50c80adb54b8420d5ca9ccb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log
MD5
ed79f3b664904ed6b2ba21d67356c39a

SHA1
ea1ebd6a9e52fd5bcc72a7acc61775ecb66fef9b

SHA256
c16852bb1060f286c270e15323c77139b765525708edc11b8d6094d7d73d7221

SHA512
4e81d2d987e880d2965fdb6d6527176ac409570b6dc8f88c104aac66d70c910b0fd947cd90d37641788440d804c27fd23f93a25ce71c351de9b045733e8545e5

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\aria-debug-2324.log
MD5
59a1eface17e8d4016bfcbfa6e503eee

SHA1
9967c756f3c74440e332e67b6bd64c6a84bddf7c

SHA256
41d2e1ce9aa984fedce664c7ebe4bac349485f07a3941bb6bda71838a3ec55a4

SHA512
e7aae5db46ba37e5b2daddb2739110ec36c62c0e1be92ad2bef49abc95aed0cb84ee759a92a1407cd605a03b6b3b545503ccf5b5a57249a6c629559923c58313

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
MD5
ee70adc005f726f33a99ec8393611feb

SHA1
c7d5af04a3c72766fd7c6030a4bec2ec4c4f1780

SHA256
0453dd8109a57ca8dae4d8a0cbeb8dbae31edc025e34ded980da55c9e88434f7

SHA512
103a3b35524c64e2f82350566c3380a4d018826a4c1c916a8e373e46beca8412a787e8dcf630cc2bd1fa1792a65713a96c3ecd84e87720a6731834aee6b2e63c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46A8.txt
MD5
31d5421264ec07dd3ed6fba5751a4b6f

SHA1
a8e18a8f66b3c90135e166fcfad5c8be70b18c39

SHA256
cbaa273fe99b6c0da13ebb6972ee05cd8afd82def8226ad33c9517750db23c1b

SHA512
c7f3c3443091de929e6a2c77cca286b706cab37372ab3ca6a1728ec99d7475d5da4c049ac52301153bf8deffe78fad14d93cd33b9b763f4b44d0f6755f66a8d6

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46E0.txt
MD5
2f88eb431024cf3d8ce0d97f08f81a2f

SHA1
d90fcbe41934a0d5f142ce824ca8a5f8cb2111d8

SHA256
48a5f2f5467ead420a9c83f3f5ce72da9d9bca9bab859c4ea46e469494db483b

SHA512
320886485082e6e43712937d9dbd66f3dcec2ce37e1b6ff6f9296b0a1e0316e2d9c0f90c11c9ac79561810b06f7f1a153a7bb6292a67fe4b46ac603a1a1cc500

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log
MD5
79b069abcb653df551ed1edd67a33eab

SHA1
e963f05e294e2fb6356542d7a59095be75fe296b

SHA256
96dee88c372971c081bf948659c3c461810cf0024ca7e4f047ee541c5afcc361

SHA512
02548de88433ed701199288a3e465a251ebde70ede8e02315063790bf1c810e7dbcbf74e02befab71fe822d1911be826a49cdf654ec58ff96409a795c94d310d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00001.jrs.RYK
MD5
ac466936247b4f90e8ddd4bf975650b9

SHA1
7ad384ffc42b37f3fdd622af25962855678ffa2e

SHA256
be59c6b7a68894a8cadb6f6e1056e3eba679f1324a7cac026c46d8cdde8df9c3

SHA512
4478bf8d5ac3bd43cd1d797052d66d51db990eef3b0c77160041f07b3f99454264c357ab8b90cd7223260af5952c3517d4dc8b0fa89d997afa9c7a595b5f4c85

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.jtx
MD5
24dfdc0b43b3b558df0320e79e3fb3af

SHA1
1796789c292ebd1448c6575501d45bc50552f967

SHA256
7276275ae7904cfef681e1dcf7508f61a5bc0a32f1151aa5bad4602295f189bd

SHA512
f49820699ffb9308d03f642a32be18889968d89a9902ae3dd017c0fb44f65df8c8a4a7d082d3bd4de13aab836efd7de627afcc52c8b740c5ae8ce2c5c9274b15

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\temp\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\L.Admin.cdp
MD5
5ba7e5d02b6f9d2550e71f6b63fbe5fa

SHA1
c9e9562446d260fdd6012bcbc30ec2e9022537a5

SHA256
b1a1f41564f5ff441f3e930b8544014b1db79f1cb73b5949a10c683317458f49

SHA512
c322c9d69bec2216cacad593417582168682013a1b18c8f3417f348fe6178f19119d56caaf7cd6ea654bc2b48c5350112b70ed5f774409d329c729db72fee10c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK
MD5
ba83ad8802ec6541fc5cf9dae872358f

SHA1
7e1a2d4f183c2426da55388e6b921ed743bb0a30

SHA256
93da1453aed1f6f8c9d557f22335114b36e90ba8570bd90186fd91bec5ddd3ba

SHA512
a5a8d00ebd2b611cfb7a6d637c1bb36e2159099d512f60ffa34f1b80bf559967b11783f1c0106279c7d18aa7a7c96da9f8072ba164fa9bdb13ddc334f9b87038

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\README
MD5
9844d44a85397e7fdb8bdd9cf6c83836

SHA1
788e154b90d2072acb8241cf724adcb1b3a6f3b7

SHA256
94dd9df6a189ab9d0df4fc654022a55c240e07ff10ac904609e1ccc4ad08a921

SHA512
c0971462cd82251f34d6330ecf190dbe6c24d2a0af2bbcc0f2b48c19586cab12cfe27eb07b1e2e38a122094c26dc882239c93fc967bfc213fc71bf87d3fd4a1f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\af-ZA\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-AE\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-BH\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-DZ\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-EG\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
memory/2096-130-0x00007FF67D600000-0x00007FF67D8DA000-memory.dmp

Filesize
2.9MB

Download
memory/2112-131-0x00007FF67D600000-0x00007FF67D8DA000-memory.dmp

Filesize
2.9MB

Download
memory/2620-199-0x0000025991890000-0x0000025991898000-memory.dmp

Filesize
32KB

Download
memory/2620-200-0x0000025991880000-0x0000025991881000-memory.dmp

Filesize
4KB

Download