ryuk | a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622

Analysis

max time kernel
190s
max time network
194s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
20-02-2022 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
Size

208KB
MD5

fb61f86d2ea604337ff2da9aaf4585c6
SHA1

c5c63525bda35a317348adf7f2bd7eae9dee6de8
SHA256

a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622
SHA512

a8f03d7c63f974556b9c7a2ec12ddc14b7f6124f8ec74520afb0a00e124fc932f07050d1ae64d5be600d08bc5f518a7c458d5ae4813234c32e6ed6b3a982bc69

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Documents and Settings\Admin\3D Objects\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description	pid	process	target process
PID 5232 created 2916	5232	WerFault.exe	StartMenuExperienceHost.exe
PID 5372 created 1720	5372	WerFault.exe	BackgroundTransferHost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

sihost.exea93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\Admin\3D Objects\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4808	2740	WerFault.exe	DllHost.exe
5828	2916	WerFault.exe	StartMenuExperienceHost.exe
5820	1720	WerFault.exe	BackgroundTransferHost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies registry class 22 IoCs

Processes:

RuntimeBroker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e3912f5e-bd65-48e7- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000006f0a9ab31426d801a6a17bb71426d801a6a17bb71426d801e78e08000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005454af252000373732626338623330613061376237373337343232613632306536333634663434623532353539313835306664396333613537313132393563626235396666340000b20009000400efbe5454af255454af252e00000000000000000000000000000000000000000000000000acc47e00370037003200620063003800620033003000610030006100370062003700370033003700340032003200610036003200300065003600330036003400660034003400620035003200350035003900310038003500300066006400390063003300610035003700310031003200390035006300620062003500390066006600340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000000dd3c6761000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37373262633862333061306137623737333734323261363230653633363466343462353235353931383530666439633361353731313239356362623539666634000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d687fb99499083ec1182d072fc3795919bbad9b5dc40371b4eb595e9fc647d27d687fb99499083ec1182d072fc3795919bce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9be0e0bd-6c00-41f6-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9be0e0bd-6c00-41f6- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9be0e0bd-6c00-41f6- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9be0e0bd-6c00-41f6- = 905f85c41426d801	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e3912f5e-bd65-48e7-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e3912f5e-bd65-48e7- = 8a6b2dc31426d801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e3912f5e-bd65-48e7- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e3912f5e-bd65-48e7- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e3912f5e-bd65-48e7- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\772bc8b30a0a7b7737422a620e6364f44b525591850fd9c3a5711295cbb59ff4"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e3912f5e-bd65-48e7- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9be0e0bd-6c00-41f6- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000435989b31426d801ad7783bb1426d801ad7783bb1426d8016f7309000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005454af252000613439323131633833616662313164653134323636363662376332343139373263623334643939373135643633353837396136646363373333316161323939610000b20009000400efbe5454af255454af252e000000000000000000000000000000000000000000000000000e278100610034003900320031003100630038003300610066006200310031006400650031003400320036003600360036006200370063003200340031003900370032006300620033003400640039003900370031003500640036003300350038003700390061003600640063006300370033003300310061006100320039003900610000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000000dd3c6761000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c61343932313163383361666231316465313432363636366237633234313937326362333464393937313564363335383739613664636337333331616132393961000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d688fb99499083ec1182d072fc3795919bbad9b5dc40371b4eb595e9fc647d27d688fb99499083ec1182d072fc3795919bce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6a1247a8-6ad6-4a7f-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\76e95318-de76-43e0-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e3912f5e-bd65-48e7-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9be0e0bd-6c00-41f6-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9be0e0bd-6c00-41f6- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9be0e0bd-6c00-41f6- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\a49211c83afb11de1426666b7c241972cb34d99715d635879a6dcc7331aa299a"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ce1db9a6-b422-49e2-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38830855-1fde-4809-	RuntimeBroker.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exesihost.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
2224	sihost.exe
2224	sihost.exe
3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
2224	sihost.exe
2224	sihost.exe
3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
5820	WerFault.exe
5820	WerFault.exe
5828	WerFault.exe
5828	WerFault.exe
4808	WerFault.exe
4808	WerFault.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exesihost.exeRuntimeBroker.exeStartMenuExperienceHost.exeBackgroundTransferHost.exe

description	pid	process
Token: SeDebugPrivilege	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
Token: SeBackupPrivilege	2224	sihost.exe
Token: SeShutdownPrivilege	2980	RuntimeBroker.exe
Token: SeBackupPrivilege	2916	StartMenuExperienceHost.exe
Token: SeBackupPrivilege	1720	BackgroundTransferHost.exe
Token: SeBackupPrivilege	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exeDllHost.exesihost.exenet.exenet.exenet.exenet.exenet.exenet.exeWerFault.exeWerFault.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 3472 wrote to memory of 2224	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	sihost.exe
PID 3472 wrote to memory of 2244	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	svchost.exe
PID 3472 wrote to memory of 2296	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	taskhostw.exe
PID 3472 wrote to memory of 2536	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	svchost.exe
PID 3472 wrote to memory of 2740	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	DllHost.exe
PID 3472 wrote to memory of 2916	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	StartMenuExperienceHost.exe
PID 3472 wrote to memory of 2980	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	RuntimeBroker.exe
PID 3472 wrote to memory of 3068	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	SearchApp.exe
PID 3472 wrote to memory of 2772	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	RuntimeBroker.exe
PID 3472 wrote to memory of 3496	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	RuntimeBroker.exe
PID 3472 wrote to memory of 2924	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	RuntimeBroker.exe
PID 3472 wrote to memory of 1720	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	BackgroundTransferHost.exe
PID 2740 wrote to memory of 4808	2740	DllHost.exe	WerFault.exe
PID 2740 wrote to memory of 4808	2740	DllHost.exe	WerFault.exe
PID 2224 wrote to memory of 2480	2224	sihost.exe	net.exe
PID 2224 wrote to memory of 2480	2224	sihost.exe	net.exe
PID 2224 wrote to memory of 2496	2224	sihost.exe	net.exe
PID 2224 wrote to memory of 2496	2224	sihost.exe	net.exe
PID 3472 wrote to memory of 3024	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 3472 wrote to memory of 3024	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 3472 wrote to memory of 1424	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 3472 wrote to memory of 1424	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 3024 wrote to memory of 3892	3024	net.exe	net1.exe
PID 2480 wrote to memory of 3516	2480	net.exe	net1.exe
PID 3024 wrote to memory of 3892	3024	net.exe	net1.exe
PID 2480 wrote to memory of 3516	2480	net.exe	net1.exe
PID 1424 wrote to memory of 3444	1424	net.exe	net1.exe
PID 1424 wrote to memory of 3444	1424	net.exe	net1.exe
PID 2496 wrote to memory of 2220	2496	net.exe	net1.exe
PID 2496 wrote to memory of 2220	2496	net.exe	net1.exe
PID 3472 wrote to memory of 4980	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 3472 wrote to memory of 4980	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 3472 wrote to memory of 5132	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 3472 wrote to memory of 5132	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 4980 wrote to memory of 5252	4980	net.exe	net1.exe
PID 4980 wrote to memory of 5252	4980	net.exe	net1.exe
PID 5132 wrote to memory of 5260	5132	net.exe	net1.exe
PID 5132 wrote to memory of 5260	5132	net.exe	net1.exe
PID 5232 wrote to memory of 2916	5232	WerFault.exe	StartMenuExperienceHost.exe
PID 5232 wrote to memory of 2916	5232	WerFault.exe	StartMenuExperienceHost.exe
PID 5372 wrote to memory of 1720	5372	WerFault.exe	BackgroundTransferHost.exe
PID 5372 wrote to memory of 1720	5372	WerFault.exe	BackgroundTransferHost.exe
PID 2224 wrote to memory of 5648	2224	sihost.exe	net.exe
PID 2224 wrote to memory of 5648	2224	sihost.exe	net.exe
PID 5648 wrote to memory of 5708	5648	net.exe	net1.exe
PID 5648 wrote to memory of 5708	5648	net.exe	net1.exe
PID 2224 wrote to memory of 5728	2224	sihost.exe	net.exe
PID 2224 wrote to memory of 5728	2224	sihost.exe	net.exe
PID 5728 wrote to memory of 5780	5728	net.exe	net1.exe
PID 5728 wrote to memory of 5780	5728	net.exe	net1.exe
PID 3472 wrote to memory of 6020	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 3472 wrote to memory of 6020	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 3472 wrote to memory of 6028	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 3472 wrote to memory of 6028	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 6028 wrote to memory of 6104	6028	net.exe	net1.exe
PID 6028 wrote to memory of 6104	6028	net.exe	net1.exe
PID 6020 wrote to memory of 6116	6020	net.exe	net1.exe
PID 6020 wrote to memory of 6116	6020	net.exe	net1.exe
PID 3472 wrote to memory of 3784	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 3472 wrote to memory of 5124	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 3472 wrote to memory of 5124	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 3472 wrote to memory of 3784	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 5124 wrote to memory of 3900	5124	net.exe	net1.exe
PID 3784 wrote to memory of 4552	3784	net.exe	net1.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1720 -s 1264
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:5820

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:2924

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3496

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2772

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3068

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2916 -s 2804
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:5828

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2740 -s 1004
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:4808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2536

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2244

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3516

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2220

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5648

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5708

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5728

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5780

C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
"C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3444

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3892

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5252

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5132

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5260

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:6028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:6104

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:6020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:6116

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:4552

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5124

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3900

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 2916 -ip 2916
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:5232

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 1720 -ip 1720
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:5372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK
MD5
b6ed168733f05b4cd80ea6e8a6756a9d

SHA1
3a12afa7167e1ea367eec2b4689e41e22da69185

SHA256
1509ae2ea9e4a8cd9149db51034c81307cde7dfd46aa18591df3aa5efb82ef53

SHA512
442dee4c763e605a9f7e6261e9f3cd043487cba739b4314a3ac66b8ec1006c1920c45a2e86eb9cd41dace31e819b6421d05b010d42d438152945e17485671dd2

Download Submit
C:\Documents and Settings\Admin\.oracle_jre_usage\RyukReadMe.html
MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\3D Objects\RyukReadMe.html
MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\3D Objects\desktop.ini.RYK
MD5
1b7deacafd6d553beda85d5ca192dcda

SHA1
7f5cc602f7f8eb5439a452377d070f30d3ff2bf1

SHA256
a3cb6bebbc1243a61e09ddb8659af73fbb7960edc203000199971aa073f3947a

SHA512
87a098481a61529c0e1bd086fc2df63f37054b99df2deab4c54b87efdad3da0f2512a1fcda4367efd3b93c7651e0928ff23f0007fd7b0bc84f8e5f8290ed54b7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html
MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK
MD5
fc22ec035825d0bd7600dd39a996334f

SHA1
74cb8e4d96184956a46eb469de198f72204a6293

SHA256
a718b388d708b07b6c8874b1c86b00cb1375550367289f239b0353dea453fd34

SHA512
a9f10b0c59e870a1b38113d46aa9c676e637f93a75fd3e55c4797f64a7d1c4fbcd8a55810af641e7064df449682106d07e1e76bbcf43aca2fe31e49dd20f1edb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK
MD5
b5a3d196612e2400f1d428cd57613e6a

SHA1
e4e28ac0f5dcaff154165979b56ce833edb854b4

SHA256
48fe5f4b54343c35323800f08e1e1e859b18f01ec16be03a404d1999093668ea

SHA512
f261657f6c97d819d7ad01945814ba9b55d18373ac45a4d974259a2904e9883bde48cb695b981271b2e70ece9c78280f983227854b4cdc9aec6c66c2abc8f635

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK
MD5
c5b0e3f3fd3a2880b24a52f79630da7b

SHA1
99777e33d3333ade87a12e14d9dd98c68fca6584

SHA256
268d20d5b17233c54375ec9995e05fd5604feb45076b25a9c4215d16130bb4d4

SHA512
558990b3b0d0f781f949cc3228dc863fba1c237ed9391abdbcaf02b354df130562689b1a4261ffc04a9b23670a9ba335baf3f704f59d8f38960d35dbb25b4c57

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
MD5
2cb75afcf9f00fa14120704f5d6311b7

SHA1
a40bb7678cb985f6b88fc23f18549028b037d7b6

SHA256
6c48115d000e4b697a1b5ee201b8398fa05c5c144b74b397fa7c10dea7faf1d6

SHA512
80ca64f28f5a0a45475493713984e91ace0b6d7b969c4c5c0ba55438f05ad963e3cad8e9d79859f57c9be0252f5e18f710fc698b03ac24aafab9976b34e7bbfb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
MD5
0a28785f4cef5fb18a53d9fe87600417

SHA1
da37d6cb208798af4541cc4fe3a5cc00f6e85a34

SHA256
b6807bb19e409bfaf510a1258fcb8790b1e9f3cfcf15c10b7b2d814c60224610

SHA512
3341656dbd15d22ecf6605d2f5701a30c74b0e5fa1dd1c444f456533b6d97d1461e5e7125ddc196c79ab654209401c71bd7d39d258a820d83ac7e25b1f0de224

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html
MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.html
MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.html
MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jcp
MD5
85f1c0efa79222a4f72505b47385a11a

SHA1
b7e14e7a07b9728273aa90f17b9ef76db72e0437

SHA256
78711837d132cd997b2efb1485a7856f16fcb23c635e84de506edd4c34baf4c7

SHA512
9e765ba4701b146c311929a491cce121d5be596408fcd9a059fb66d1a12773298f8aad1c9c8b30a66576220e1291a4ad669058a0b78c5ef99fc2d81e0495c3eb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx
MD5
411c0dc168d7cc4ed7198b256b8aa933

SHA1
1499c72ae12bbc622081332d19c962b7be6cb88a

SHA256
72798e13fc164e68637d9a82b0a4ad50a942ffb73a3741b55358f02dae25c671

SHA512
c15d73eadab856e255ce3a4c3f081720a92b5ed2c608092bd947bdfa5f306a54fa09288b3776cd72656c4ee4ba61cbefc7104f5f34f2364c271df92b355c4f46

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm
MD5
9198c7b56355fcbb2070d31d2dd4af15

SHA1
cbb004c4171fa0df536203590f61053f22e25edf

SHA256
784ed6721ea059b2458addeaba18b4ec62a80e14464f5ac74297db4619c4a7e9

SHA512
cbe0b3b8544501142015231411ff86af53e14f0a9168484031bc7edb95c666180a73480ddd169054ee59083484e332cba2c908c72504481d28d764ebda4b0086

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol
MD5
6d808f951b802d46c3361ee1203e0706

SHA1
5689b23fb711bd66d8c87afeeedf36f4528c816d

SHA256
a40ded1a2d6aff65fbbc6ced8b728cb8aded0040274d7e56f268647be979d718

SHA512
49ab3819da28e8be3fdcac3c449ffe27cf6348fcb3ea808e8a3aba838c4cdecccc1e37f1065a0be006e892fb8052503258d60ec5b0752e84894c03100804abd3

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html
MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html
MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.html
MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\RyukReadMe.html
MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\RyukReadMe.html
MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\AdobeSFX.log
MD5
b8c67169480b15e8022e6afd638bbf30

SHA1
9fc0a5c29ab9c7763a3b119ef33fcba4302c892e

SHA256
4588776fcb835691133a541200b0530ebe30f81e3ad89c0b6fc0b87d87bee5f6

SHA512
33236b36e15248fb44f932f171a5c5cbbf754d1977dd9909705a86e8f5368d1e5f14d3b5862bb67041a3289b64b8ba86837f7fc93899b29c67a343b44b478a27

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\DO775D.tmp
MD5
2a7ba2b3b117d8170faf97c70295c8f2

SHA1
80cce8909e01955bfcffeee4295336dd2adbc6b2

SHA256
42ee8edb79896f36c78f51d4283439c1b1e5fe17890196e9a064e11b5ac66ab2

SHA512
bda50f92fe8c2863f6a457d79518b685910bd930d94f4e381e85b121eeb57d820b046fee65cfd2b0c92820d86d094141ced4a1ac0bdee05e57bd586b21ad1b75

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.html
MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\aria-debug-2324.log
MD5
b07476c878ed01d6d57c7e9c6682049f

SHA1
251e06b9f6902977b298559ff8b5f50f3993643b

SHA256
d5e8aaf0a1af5a4a5d516fd38d8b6b1c3dbbc122c0f28af23274dd1d88aef813

SHA512
42b355090993791bdd85e88347d713974fe31e1928955057fb91f83faa83e473430e5dc40b7678cb763b7875eda1a330512a6702bf5e41dfc8a11cee0082c436

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
MD5
4cbffb796b64d018dcbad715a7eae1a7

SHA1
4cd2a7d24fa6cfdf53925098e042615cea403c4c

SHA256
9823e95f6db826977f2534e8bfca89d83aa0aad955aa7ca8c0fe1faada189cd8

SHA512
13bc4a089019949bdda77f2c77c1f56d4ffba86ef9f5133a0e41f6cb94a45dd27306013e673c42f14b623f48faaa13c2abe6a84d3b293123c90d4b224dd41b0b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46A8.txt
MD5
5996360ee760280ad864c889fe5168d2

SHA1
473fbbc77d57d200e00a3bd962380c14442423e5

SHA256
e6348816340509705f5a226a685badea8b6ae5d2200a7ca468cc4d894ab19b9e

SHA512
86a8022b292c919a6feafe87c59c9b83cf3b7eb6378b43dd5190a39986e185dc4ae680d20f4061fe9cb57a4371d60a7c2b40781404d5f5a5206fb7a3cfe64411

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46E0.txt
MD5
a34207a8c5c25a0ee9fbfb3bb205a052

SHA1
656d6e9f1eed36eca08d2480344ea7d89bbb49b4

SHA256
35da6ec4ecc91abc782be86340dc6c75545d827ed0a0202bea45e9184a0b7ef9

SHA512
5de818343aa068366f3b259517e2d46f2f235b867f0ed28d6bab408f26a58b0824e85240be1256e0bba566d8362f1df2a92f66c6cfaa7b232b0b9c6f9b7cccf3

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\msedge_installer.log
MD5
29c338a6621a9f8613da0fa0ead5c8b2

SHA1
ff69a4e3bb65f9bd0561fc4b090b8dd71c1d5f17

SHA256
8327b850437a48f8ec57908dc210ef605106e85be9d8e081b04f864f0bb135ee

SHA512
6669e691fe1284ce954a389a8664da977a57882068155e8eac19acaa64f42b3462585eade5cd77b8e480bce4186dcb25ff82bb6da5090eed9ae2e46bdcbee413

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\offline
MD5
e1dee09a89f28ec3a8b914312d6480fe

SHA1
4e40159367f6af6dc686940eb4396ab04b9db8f4

SHA256
49d7d34770b840cb8be73cf4069bf8a40186aefe908defd27a365a137f017805

SHA512
9d7c6e39e0c7df7dd6e5bd1687b1364514dd6b77d102884ece81ef92769914996698649c36f477158979a41fe7b37342ebb82d8daea1f0bcdba5ad7b66972581

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\offline.session64
MD5
c4bc25e91857334019d8a450a8cfc302

SHA1
af53706ef85de6ed890a1352932197f8ce245447

SHA256
aee922ac5a61047bc65dffe3a51c75b5d5438d426aeee6df608f5f8ec69310b7

SHA512
2cf23cec32702bd03b40e72a3fcc4337fe581c3e07c08e39ac715328614d99b6ec73190006da19c11a2b4bf2be620daaf506d28c2ac55dfa9c4ad499c12e83d8

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tmp3097.tmp
MD5
364ec7e90186ee63dd777c688c1ec11c

SHA1
44a18a7d57d675f2d966fb316f6cc01c79f28da2

SHA256
19e85a5794ba47ebc475d399b58dc17a28df5fe877445faf84ebf67f4f5aaafa

SHA512
5bf40e5e4e4969aefd31c7245ca3bc7388353d6dd05fcea613ff0e8616fc1018880068c48e70fff9be3c8e309eea318ad7dbd756b2193c15ede37f0b0a05e872

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tmp3384.tmp
MD5
1ac36f00b6561049bec5091b0212cd70

SHA1
11042eb58f9d1a9b7c82f079ec6b79eee6c93d11

SHA256
72f9669cffa4db72466af3f429b177a15c46444cdf1b5f16445816bea8f225ba

SHA512
6156cbbeac3411a6b32faa9b0e77b47fa66b9174c016839d506c1eaa4af44e2a6ce6361ddd31a656588ea1795911ad17b4d103bc70e880ff6cb1d2e4a57e2cd7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct2BC9.tmp
MD5
40d8da44f9686f783ea47fbd9471fe61

SHA1
03bc0930cbb3de32ebe3639485eba0efc3f5dd24

SHA256
c130f3035ade7b7b14afd3d6303251d2730fab3e3e3926b27edac57973a27f5a

SHA512
27def5d9f50223deeca62fcb17421abaa86e9e086798ba37caef3212034b766ce34ab29405129b02e848c32a682cae9f8611906b05f6ed6c368c0149a1a805df

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct2D5A.tmp
MD5
d9976d93c95276417007f8292fef27c2

SHA1
dec1ada0f0cb9a8870224f0a92f44be5a18111b8

SHA256
63a9ef792c2db16c58c2faac355b1e7b815a7d3c2e7ffafe97f3067bee44d5a8

SHA512
3ed8d8d46722fbe6cfe74c72e33d10b30b24b83d8cd95e2be026af58119f4e49fd8ce358873205fb9707f87dbb4f247c9d198d02554b4af4dea31f437e79c23f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct530C.tmp
MD5
d794d1783cd83e71da90582b4f5eaf18

SHA1
8a26584d69ea8aca817fa7189d3b58ad2415367d

SHA256
24ec014aec1a9c117a9c33fc17600f5112a7911a424d13d922d43acb09aec4bc

SHA512
c0ee78070bd91287c304159f7780f3e066f0625a17b3d3d74ad4e44af95884f433e3c64bd3f32ef76564a8d1b83f281dd58266e13704f1ba98c72579c4cb798c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wctCE8B.tmp
MD5
e9b55b291283316801b7743727462a63

SHA1
642742320be65b1e66ae1d312fdddc3393952851

SHA256
5f16852eedcc10e3578fc50514ef61eb6df88ff6b2a455c8b720b7c47e353300

SHA512
6be8e470c582eaaa444e4484b63ec6f2d105890d6c6a9d96e574fbdb6e69d434468dbac3521f6ae771961b6ac33cee2bd9ca72f312f7bf2dc2b47552b679fb17

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wctE22A.tmp
MD5
bdcb2d8986304791e3d2d0b97931c959

SHA1
72375f8cfc6835c6aab83bf864f6b78dc2130391

SHA256
f489095a0309d99ab6a0af134b2832733130b5ed98939aff0196a5f6aa3d8085

SHA512
8cd2892c3513b2093deea55ef975e651f7269fc1eb1f6407a8d761277f758b527de28e4b98f3025d7b79555003a941310f68664498ae61abfaf766b1ec4e55f1

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wctEFCE.tmp
MD5
4c2e36eab6d18fea006dac4629fe89a7

SHA1
7b8cdc31f6232f0572600f2b2110aee83cb6ab98

SHA256
67ca2c2792d3bb9599a5b6d8c03c5ba50e2262ce4408d85098f5fccc77f4507e

SHA512
ab856e8fe4e76c63502f7d6a651aa31a796b0518811bfa6b3a0bcc467abdf9573212a78eddfa5dce11c56c32ed7230a6d721789e4e01a040384db9430d39018b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log
MD5
764c5a111d5520ac280eff05901bee23

SHA1
89c488002b4e3ca53fb423b63e183abe29bfbef6

SHA256
38fec6d2024aa04494afa33362c2158396535874289b60b3c799f6f741be1d43

SHA512
a188dea5b796aeca602b93eb272e01215e59d1afd85203ec7a01bdf2dfcc9d49e44ce0a06bca5e5aba57f28a6c7048b41cf4e2ef61a22081535f6661a16d5140

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\RyukReadMe.html
MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00002.jrs
MD5
0f456abef8a526f3320cc821736116fd

SHA1
9396f263c858a0bb7aea0d407990b3416c248f73

SHA256
a17d762cd21d8e9f5279ecdd119981d2dc88ec6e1afb2584dd9d3634dc038126

SHA512
64b5d7828931346a26aadbd84be5199c9925b43163e78ef9da48654f43c468de53af1eb59a1ffe7b8f52178feb6084cf26a474b6f496b055c0071cb55501a29d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00002.jrs
MD5
0f456abef8a526f3320cc821736116fd

SHA1
9396f263c858a0bb7aea0d407990b3416c248f73

SHA256
a17d762cd21d8e9f5279ecdd119981d2dc88ec6e1afb2584dd9d3634dc038126

SHA512
64b5d7828931346a26aadbd84be5199c9925b43163e78ef9da48654f43c468de53af1eb59a1ffe7b8f52178feb6084cf26a474b6f496b055c0071cb55501a29d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\RyukReadMe.html
MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\RyukReadMe.html
MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\temp\RyukReadMe.html
MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\L.Admin.cdp
MD5
6e0f5c4bf287a659191ae0b3f5b455ae

SHA1
fb6ebf0207d0a002edcc3be0b593d00797b862eb

SHA256
1f4edc0fcb36d225115c3f5a7d98ad508898dd87cd480b5ad0c736ffc8e25a6b

SHA512
d97d466e7953ca0710cc800e52c133e8f2929d8c3625470fb79fe595737e92ca5a3580b935972b3958c06c3f2139065f0bd42cfe2c1548f3786fb1d232ab2849

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\RyukReadMe.html
MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.html
MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\History.IE5\RyukReadMe.html
MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.html
MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK
MD5
3d3fd9dba833a366c3f7f18c5c1869f8

SHA1
b6e8feff778a59bf48ca23cd22f3fa76dba7f8e6

SHA256
faa474a5059f9acf0734a00c3e9eec1b617f8c2551697f24d9eaa1e38fcd602e

SHA512
2bd1ca9782c6bb02a89495cbe95173fc1796409f031a8e20ed8d0e266d93759dd4ef721b5d9d8848b7b28666e7c000933303f27494ac1fb5e9db3194fa2396fd

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.html
MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\RyukReadMe.html
MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html
MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.html
MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.html
MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\RyukReadMe.html
MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.html
MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
memory/2224-130-0x00007FF7496B0000-0x00007FF74998C000-memory.dmp

Filesize
2.9MB

Download
memory/2244-131-0x00007FF7496B0000-0x00007FF74998C000-memory.dmp

Filesize
2.9MB

Download
memory/3496-132-0x00007FF7496B0000-0x00007FF74998C000-memory.dmp

Filesize
2.9MB

Download