ryuk | 88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5

Analysis

max time kernel
173s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
20-02-2022 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
Size

190KB
MD5

e8c26344b4adb62a9a42cf6480c88d05
SHA1

41f926e43e9686382f8c84da42880c47999645fb
SHA256

88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5
SHA512

287c49f05e2a9928c98986130e875af96d2690097ce00780bbd51034a1a5396c56d20e90ca267f8eb79c440d9b2cbf44e0082910807d934c5edad036d6277d2f

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 4816 created 2904	4816	WerFault.exe	StartMenuExperienceHost.exe
PID 5008 created 3580	5008	WerFault.exe	backgroundTaskHost.exe
PID 4996 created 2744	4996	WerFault.exe	DllHost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4824	2744	WerFault.exe	DllHost.exe
5796	3580	WerFault.exe	backgroundTaskHost.exe
5808	2744	WerFault.exe	DllHost.exe
5828	2904	WerFault.exe	StartMenuExperienceHost.exe

Modifies registry class 42 IoCs

Processes:

RuntimeBroker.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f1d358a-f0cf-486d- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\abf84b93-a970-4e94-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\abf84b93-a970-4e94- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e2ad002f-01cf-4770- = c71d22e52326d801	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e2ad002f-01cf-4770- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f1d358a-f0cf-486d- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\3601b870d48ceb7579abcab9f303901675a24e8675f2f82fcf456e9d697fc282"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2f277b11-1ca2-428f- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2f277b11-1ca2-428f- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f1d358a-f0cf-486d- = 13a44be62326d801	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f1d358a-f0cf-486d- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e2ad002f-01cf-4770-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e2ad002f-01cf-4770- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e2ad002f-01cf-4770- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\f1de2112a781cf82df7a8a7763adecc678f6c395f22b664cfcf2dd8d2c0eab0c"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f1d358a-f0cf-486d-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9f43dbe1-0abe-4ec4-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2f277b11-1ca2-428f- = c7684be92326d801	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e2ad002f-01cf-4770-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\abf84b93-a970-4e94-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9f43dbe1-0abe-4ec4-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9f43dbe1-0abe-4ec4- = 2f7ed2e82326d801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9f43dbe1-0abe-4ec4- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\87d7637bc207a81bdc50fd6c4b9162b8de395cd65525d1f68df3e641fa9d1c17"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2f277b11-1ca2-428f-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2f277b11-1ca2-428f-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\abf84b93-a970-4e94- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000c0fe93c72326d801279ec4de2326d801279ec4de2326d801c0bb0b000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000545430342000393434363962376337323836316637653064633932353537393233353030636363313366376334646533323363616264316234646162323035666133643763660000b20009000400efbe54543034545430342e00000000000000000000000000000000000000000000000000b6f9ff00390034003400360039006200370063003700320038003600310066003700650030006400630039003200350035003700390032003300350030003000630063006300310033006600370063003400640065003300320033006300610062006400310062003400640061006200320030003500660061003300640037006300660000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000dfba3e1e1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c39343436396237633732383631663765306463393235353739323335303063636331336637633464653332336361626431623464616232303566613364376366000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d6172e17f19083ec1182d076ad6bda0df8bad9b5dc40371b4eb595e9fc647d27d6172e17f19083ec1182d076ad6bda0df8ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e2ad002f-01cf-4770- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f1d358a-f0cf-486d- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000fc2a3ec72326d801610f45da2326d801610f45da2326d801e5ef07000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000545430342000333630316238373064343863656237353739616263616239663330333930313637356132346538363735663266383266636634353665396436393766633238320000b20009000400efbe54543034545430342e00000000000000000000000000000000000000000000000000dae8cd00330036003000310062003800370030006400340038006300650062003700350037003900610062006300610062003900660033003000330039003000310036003700350061003200340065003800360037003500660032006600380032006600630066003400350036006500390064003600390037006600630032003800320000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000dfba3e1e1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33363031623837306434386365623735373961626361623966333033393031363735613234653836373566326638326663663435366539643639376663323832000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d60e2e17f19083ec1182d076ad6bda0df8bad9b5dc40371b4eb595e9fc647d27d60e2e17f19083ec1182d076ad6bda0df8ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\abf84b93-a970-4e94- = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9f43dbe1-0abe-4ec4- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\abf84b93-a970-4e94- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\abf84b93-a970-4e94- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\94469b7c72861f7e0dc92557923500ccc13f7c4de323cabd1b4dab205fa3d7cf"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f1d358a-f0cf-486d- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9f43dbe1-0abe-4ec4- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2f277b11-1ca2-428f- = "8324"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\abf84b93-a970-4e94- = 57dfb2eb2326d801	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e2ad002f-01cf-4770- = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000029768ac72326d801204019db2326d801204019db2326d80190fd0b000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000545430342000663164653231313261373831636638326466376138613737363361646563633637386636633339356632326236363463666366326464386432633065616230630000b20009000400efbe54543034545430342e00000000000000000000000000000000000000000000000000d1210701660031006400650032003100310032006100370038003100630066003800320064006600370061003800610037003700360033006100640065006300630036003700380066003600630033003900350066003200320062003600360034006300660063006600320064006400380064003200630030006500610062003000630000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000dfba3e1e1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c66316465323131326137383163663832646637613861373736336164656363363738663663333935663232623636346366636632646438643263306561623063000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d60d2e17f19083ec1182d076ad6bda0df8bad9b5dc40371b4eb595e9fc647d27d60d2e17f19083ec1182d076ad6bda0df8ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f1d358a-f0cf-486d-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2f277b11-1ca2-428f- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\986c937cba011afe270827ad7153a4fc7500b99715f4f31bd930ef76e2e1b462"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2f277b11-1ca2-428f- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000615083c72326d801e326edde2326d801e326edde2326d801c4730e000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000545430342000393836633933376362613031316166653237303832376164373135336134666337353030623939373135663466333162643933306566373665326531623436320000b20009000400efbe54543034545430342e000000000000000000000000000000000000000000000000006d98de00390038003600630039003300370063006200610030003100310061006600650032003700300038003200370061006400370031003500330061003400660063003700350030003000620039003900370031003500660034006600330031006200640039003300300065006600370036006500320065003100620034003600320000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000dfba3e1e1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c39383663393337636261303131616665323730383237616437313533613466633735303062393937313566346633316264393330656637366532653162343632000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d6162e17f19083ec1182d076ad6bda0df8bad9b5dc40371b4eb595e9fc647d27d6162e17f19083ec1182d076ad6bda0df8ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9f43dbe1-0abe-4ec4- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9f43dbe1-0abe-4ec4- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000004b6458c72326d801a37a14db2326d801a37a14db2326d801054a10000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000545430342000383764373633376263323037613831626463353066643663346239313632623864653339356364363535323564316636386466336536343166613964316331370000b20009000400efbe54543034545430342e00000000000000000000000000000000000000000000000000b447ef00380037006400370036003300370062006300320030003700610038003100620064006300350030006600640036006300340062003900310036003200620038006400650033003900350063006400360035003500320035006400310066003600380064006600330065003600340031006600610039006400310063003100370000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000dfba3e1e1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c38376437363337626332303761383162646335306664366334623931363262386465333935636436353532356431663638646633653634316661396431633137000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d6152e17f19083ec1182d076ad6bda0df8bad9b5dc40371b4eb595e9fc647d27d6152e17f19083ec1182d076ad6bda0df8ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exesihost.exeWerFault.exeWerFault.exe

pid	process
3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
2228	sihost.exe
2228	sihost.exe
3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
2228	sihost.exe
2228	sihost.exe
3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
5796	WerFault.exe
5796	WerFault.exe
5828	WerFault.exe
5828	WerFault.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exesihost.exeStartMenuExperienceHost.exebackgroundTaskHost.exe

description	pid	process
Token: SeDebugPrivilege	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
Token: SeBackupPrivilege	2228	sihost.exe
Token: SeBackupPrivilege	2904	StartMenuExperienceHost.exe
Token: SeBackupPrivilege	3580	backgroundTaskHost.exe
Token: SeBackupPrivilege	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exeDllHost.exesihost.exenet.exenet.exenet.exenet.exenet.exenet.exeWerFault.exeWerFault.exeWerFault.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 3748 wrote to memory of 2228	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	sihost.exe
PID 3748 wrote to memory of 2244	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	svchost.exe
PID 3748 wrote to memory of 2296	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	taskhostw.exe
PID 3748 wrote to memory of 2528	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	svchost.exe
PID 3748 wrote to memory of 2744	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	DllHost.exe
PID 3748 wrote to memory of 2904	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	StartMenuExperienceHost.exe
PID 3748 wrote to memory of 2984	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	RuntimeBroker.exe
PID 3748 wrote to memory of 3064	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	SearchApp.exe
PID 3748 wrote to memory of 2628	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	RuntimeBroker.exe
PID 3748 wrote to memory of 3324	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	RuntimeBroker.exe
PID 3748 wrote to memory of 2572	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	RuntimeBroker.exe
PID 3748 wrote to memory of 1648	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	backgroundTaskHost.exe
PID 3748 wrote to memory of 3580	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	backgroundTaskHost.exe
PID 2744 wrote to memory of 4824	2744	DllHost.exe	WerFault.exe
PID 2744 wrote to memory of 4824	2744	DllHost.exe	WerFault.exe
PID 2228 wrote to memory of 1012	2228	sihost.exe	net.exe
PID 2228 wrote to memory of 1012	2228	sihost.exe	net.exe
PID 2228 wrote to memory of 5196	2228	sihost.exe	net.exe
PID 2228 wrote to memory of 5196	2228	sihost.exe	net.exe
PID 3748 wrote to memory of 5320	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	net.exe
PID 3748 wrote to memory of 5320	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	net.exe
PID 3748 wrote to memory of 5328	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	net.exe
PID 3748 wrote to memory of 5328	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	net.exe
PID 1012 wrote to memory of 5396	1012	net.exe	net1.exe
PID 1012 wrote to memory of 5396	1012	net.exe	net1.exe
PID 5196 wrote to memory of 5420	5196	net.exe	net1.exe
PID 5196 wrote to memory of 5420	5196	net.exe	net1.exe
PID 3748 wrote to memory of 5436	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	net.exe
PID 3748 wrote to memory of 5436	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	net.exe
PID 3748 wrote to memory of 5532	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	net.exe
PID 3748 wrote to memory of 5532	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	net.exe
PID 5328 wrote to memory of 5648	5328	net.exe	net1.exe
PID 5328 wrote to memory of 5648	5328	net.exe	net1.exe
PID 5320 wrote to memory of 5640	5320	net.exe	net1.exe
PID 5320 wrote to memory of 5640	5320	net.exe	net1.exe
PID 5436 wrote to memory of 5700	5436	net.exe	net1.exe
PID 5436 wrote to memory of 5700	5436	net.exe	net1.exe
PID 5532 wrote to memory of 5708	5532	net.exe	net1.exe
PID 5532 wrote to memory of 5708	5532	net.exe	net1.exe
PID 4816 wrote to memory of 2904	4816	WerFault.exe	StartMenuExperienceHost.exe
PID 4816 wrote to memory of 2904	4816	WerFault.exe	StartMenuExperienceHost.exe
PID 5008 wrote to memory of 3580	5008	WerFault.exe	backgroundTaskHost.exe
PID 5008 wrote to memory of 3580	5008	WerFault.exe	backgroundTaskHost.exe
PID 4996 wrote to memory of 2744	4996	WerFault.exe	DllHost.exe
PID 4996 wrote to memory of 2744	4996	WerFault.exe	DllHost.exe
PID 2228 wrote to memory of 5924	2228	sihost.exe	net.exe
PID 2228 wrote to memory of 5924	2228	sihost.exe	net.exe
PID 5924 wrote to memory of 5976	5924	net.exe	net1.exe
PID 5924 wrote to memory of 5976	5924	net.exe	net1.exe
PID 2228 wrote to memory of 5996	2228	sihost.exe	net.exe
PID 2228 wrote to memory of 5996	2228	sihost.exe	net.exe
PID 5996 wrote to memory of 6048	5996	net.exe	net1.exe
PID 5996 wrote to memory of 6048	5996	net.exe	net1.exe
PID 3748 wrote to memory of 6104	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	net.exe
PID 3748 wrote to memory of 6104	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	net.exe
PID 6104 wrote to memory of 5216	6104	net.exe	net1.exe
PID 6104 wrote to memory of 5216	6104	net.exe	net1.exe
PID 3748 wrote to memory of 5084	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	net.exe
PID 3748 wrote to memory of 5084	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	net.exe
PID 3748 wrote to memory of 4860	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	net.exe
PID 3748 wrote to memory of 4860	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	net.exe
PID 3748 wrote to memory of 5484	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	net.exe
PID 3748 wrote to memory of 5484	3748	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	net.exe
PID 4860 wrote to memory of 3512	4860	net.exe	net1.exe

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3580 -s 3180
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:5796

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:1648

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:2572

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3324

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2628

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3064

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2984

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2904 -s 2780
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:5828

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2744 -s 996
2⤵
- Program crash
PID:4824

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2744 -s 996
2⤵
- Program crash
PID:5808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2528

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2244

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5396

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5196

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5420

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5976

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6048

C:\Users\Admin\AppData\Local\Temp\88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
"C:\Users\Admin\AppData\Local\Temp\88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5320

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5640

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5328

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5648

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5436

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5700

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5708

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:6104

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5216

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:5084

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2604

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3512

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:5484

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5100

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 3580 -ip 3580
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 2744 -ip 2744
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 2904 -ip 2904
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK
MD5
78adc372328854abb4f79d601dfe7b18

SHA1
e9873d545a30c76335795102cccd34fc797e0457

SHA256
ddad2fb51ae08f411a4175a77e768d385bee79a3a47cf0095597bf840451d5b8

SHA512
0942e0aa3f823a798032a1464585b67b1a3819667b5733e84707c3d9f55a4412440a03b6000aee1fe09503af8fa7600c4991bb8c805bb715e21d750e8de62eeb

Download Submit
C:\Documents and Settings\Admin\.oracle_jre_usage\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Documents and Settings\Admin\3D Objects\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK
MD5
3fd2a5cca8e5529b083244552870b192

SHA1
6c0f6d57424883af336de38abf29d5faa5a09376

SHA256
2a6eb79d1091d76b995b5f6604f230af01bcb16b5865fa25475feab65f94cc87

SHA512
9cc4607019062198423e5a3c6c46980b86148a42117bf0e697d813bde07ce5c1e92b7feb64d808bb3f31667d7e8cec8afe2ab64590f6813cffc3b432b4e24a8a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK
MD5
9a3e8a2c43799c30026246e0fdb4ae70

SHA1
2af63cc0e70dc5c3818f801df977b5853ffd3c58

SHA256
e39fe6d5421dbe6895a39805f45e17b46e3540c7f636a912e1349658721b3e4a

SHA512
0c74bfb180e0d7340025aa2fa0505ebe8722ef2860b7e06d02d0b99a83789da0c5efca8335fa76ffa5427dd062fcd6272a0f510d2ec4bf7cfd6a4088e471cbcd

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK
MD5
839248f29c2d9d9da95720f7b51214d6

SHA1
586ab32045c7b017065dc86ee877f9a7bba97701

SHA256
b8374c336b73002f7bf9579b32836706ec5b266881a96cbf5ae933099cb29933

SHA512
9b3d1d28915d20397bd257e356cbc5361b1d137543f0a3bdf27171abdfae526f69ff869170feaad9de55201ff564a3cfa4d2e7096041b72ec1ccaa5e25ae3152

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
MD5
387fee04e77a07706e4910d44763cd05

SHA1
548acaed3ec81562152e4289e5079bb17b0e2da2

SHA256
2463b43592438dba8eecdf29dc89bf5cb5525a42a930e77ace85414c092c75dc

SHA512
bcdeb750bed7d45126c128006ae2b0d9591e273fe29adb193002ed1abc8510f8fd84eb86946b599025fbab09ac608a46f8a5fa292c892376360f92c3e2489140

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
MD5
67af85457372b3c51df7917e9b63473e

SHA1
e8e667c6f9fe4daf82acec946aa6d67c820b52bb

SHA256
fb3ba436652d636beb4ac31befb6671b2fd477b375c433dd2a1cf7912024d720

SHA512
db87bfe2f35c1e996ae0a5c705e6d448047f2dc2daa924dc6c1a2e420af88ccec217410190b90300481d2b7314e78ae7d42495b0d616f2b83afdc692889fb8ac

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jcp
MD5
645731b3d588c4c28eaced56cd77a1c3

SHA1
fd37c0f5f11de1001edca140905597868133c9b4

SHA256
1025ff6f01c54ec444435682e5611932d19452da35e2e20ac31dee76c84e4d1a

SHA512
6357797b73e290d02d3e9b8a1402a3c9df83f76052f6ac20f7d08b2c417ccd352b11813bbc46d69aa16922fc2cf88d2e52dde9e9836ca4f339bcbbb019b2577e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx
MD5
e460d595da253a4f3a33877e6fe41bbf

SHA1
45def70b3ffcf73bfeac98391014081f0dfa38af

SHA256
e7e99a8b706a4506f2db44a42336da1674f3e71ddf5fa9dedcf23860dc25f164

SHA512
8738c6751edafcb605aa79e6a1c892fa9b19b2b0dec105bc9795ccf6203baf24e943c8839983127ed4b8b2797f45525e33e9a846f3e90e065734a8dfa7952ca0

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm
MD5
c5c20e9408ce8a3e2778ef099cce6b4e

SHA1
ab710c8a818f1991879ca9bfe38526d1aada898d

SHA256
935dedb825aa64f4f33580986fd17899f0c981effbaeb5805fa9d7c00527e9ee

SHA512
1ab729c7408d03d08249c30fdf2248db242ad8ac009d6405decbba2d6c84b8d202cd5b41f3911077156cc430b019ee57b808930c1174e3ad461a97f1bb2fe0f9

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol
MD5
7419d0e0d1eb8ab902890421c456225b

SHA1
5dafea563a0829b0866b5fb8252975f81b40ed7b

SHA256
da5b60c62ba9363dc286e220b7f043d72c92160a7f28d2bd78b3ca6339d430bf

SHA512
69bf1eb7b0676aaee6e203d7b1dab05da472afc87252102bb05d8cab5898cb688c5ebb42c7d6412cb5fe07f3da909a0643cef07cc7f21077f4cd840d24749fc1

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\AdobeSFX.log
MD5
8aa6a097b416feef51d01dfebeeacd71

SHA1
d91b6dd81bab6b206363171c7a8e70048dd360d9

SHA256
54e9a070354edadab028eb2fa33c228c2d435ba2c3b876a0c4441efb5fd88f2c

SHA512
2895b26f3e2a69be78e364def2d358ccdb0dba8b40889ba23d4618921af26ea1a6e1ee4918182adc193cb83b68cc404e875c5265910323f1c69ac8ed98d83e74

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\DO775D.tmp
MD5
4b6f32df6a553afee363f39b419ad5f5

SHA1
aee8b4c1c9ff9f2b421b694a289631bb953af871

SHA256
12783065b2b64bac220795a5e6d5eab7518e2693a1b5a29c3239d6735598f2f9

SHA512
01945160da30397caad0198c6789f11dcf62ab5b3ef02d8239009cf26a8c364213196ecb47c46036991f6d0cefc4fe8f2bba640fadfa60a9afc2212648111cdc

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log
MD5
a0f8815676411477d25cc0d7d145be45

SHA1
95062fb09184bed6f5893fa19b390b790b3e5d4a

SHA256
f4dc9e0f9b6de912066bc59a73d975eac6991819f64bd748d8d08c7e0f33683e

SHA512
f869c5acb951992cd153f52bbcfb9db5529b6ef6bfd7451f9eb22cf3b703eb09390768e60bdce4aee04797f190f065eee6612bfc5a5bb366a8751985bbb8e9b5

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\aria-debug-2324.log
MD5
c952050a88b5ce47aa5668eeef0325b6

SHA1
d56223f590770a6a15dd4f7e381dcd5435802179

SHA256
f3b759a63dac4e881271d613225380a27af0009c1870f62443c28892f8eac4ca

SHA512
0b62db77e722e67484041c20c63e7f688956fc716353dc33115f124d84b9e569bb5d16656e1c57e95c0152f318c451622f9dcbf55e7bd8d0f43bb8c21fc5dd43

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
MD5
de5544ccab1e5f29a69f0260069022d0

SHA1
d47251502daab071da15009af0c411d254d973d9

SHA256
f4f5389684fb2cc46c54e92718c791b328f54d4790c1ff9f9894fde29d8e46dd

SHA512
03ed481419ba8ed011f7849915753fbc2b71f3ed59de451a593240322fe1868d1f28aeab7dc315c8e4605fcefd8216de844874ab90f7aa0f6d88cdc790b0f8dd

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46E0.txt
MD5
2d8a6e97b046b1abc007e5f1a06738c4

SHA1
12827ea174f1df4b0c93beec41a9f7b49231a3be

SHA256
a08169de65ae46055976697bb403eb0497055d0e4163419975eac7557862f2a3

SHA512
3347a932789307749da6af02d10fbed0bff165eecdb0e7b300ad2d1c63b969ed13f42ad59ef4759a7bf7d8a4ef9a624191cba7a9138e7c4c1d178e1eb0d39da5

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log
MD5
5a0fb6310cda7228c597bfcfd535a5d6

SHA1
f6cf3da90b13d6938bb334fd19de8550c8930497

SHA256
ad261275dcfbe25e749616c2edba3b789dff61d6fda9ccaf1dc4b6cb8af65fc1

SHA512
292264a7e5e6d3250ac9492530a12a255c43a0809ea1cc580865f9e6a8055abe5d5eb224545fd7059f18284b4093176ce9730366bf3a249cf388987de41fcf05

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\msedge_installer.log
MD5
ad8427cd88f1f0ad4509f4ca20e744d5

SHA1
e27330e49584a3c83dd3230f1a36b3a26f99738e

SHA256
338476eaf98c87acacd26c6be52af3c1d8a6425312c6907a3b51733910a9eef2

SHA512
a519840f44015c4cb9a869d65bd3b3af493c9655a7bc88b25f664ac310d8d54575b22d2bfb565a024305736915b4982c87c63963b30e6e52020c78087ef09151

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\offline
MD5
fdce2c0cbccb155d2e0020e4ba83534d

SHA1
8971ea40ff535aca81606bc9a11cc8f0d71499f3

SHA256
5be9a234c0555ca919aae3d0579f1713b9e865ee947d4ada2571bf8d5ded60a7

SHA512
4842943670aaa493931d3d65c561f2e680626371200c5766acbde4fc9db2044d1158ceeef55a83876b00b8b76c7e1cf0dac18f50e45ae0b95758a85bcaa01156

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tmp3097.tmp
MD5
7f09600c690dce1075f45b4db7d72af4

SHA1
a059ff56804f81cbc06d48373d56481e9fdf3dd7

SHA256
a41ba2a70df51eb5ba26f4760b15ea70a0b738febc8b28f9bd40804e3efea656

SHA512
988a15fb7e1f7808d2959b0ae22d4242fa78694c7f4198ed7bdf2ea8346c071783121b71ae70ea7f6bddc2ebfc66c668aae72ff6077d543ba2e3850f54d9fc3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tmp3384.tmp
MD5
db8a021c29caf768fbb6304804361e33

SHA1
9e66be4cbbcf5a567eb24e121122969b062d1f10

SHA256
8378421e4f2ea199ca617a24b0b8a23e20c632513ab85ff4cbb25fdd0167f420

SHA512
1e3d7c327da6361a0df03eed2d62667faf0aeeb65c008d6a1de234dec47b263cf5955ba63023a24bb4a2bb41bce862e4449c65e85ee98b90268f61d559a40ba8

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct2BC9.tmp
MD5
97bde76492358d8393cc1fc2f5359e27

SHA1
4d4660bbe3d1630ca36beeadee96e293a72cdfcc

SHA256
88e0bd8f90841df6225786750a80af498c3e9e913b08d3da3c933097eaffaa2e

SHA512
3fb51f4aff11523d9976465775040fd6772e3e3596f5377288cf6b2c1a0f64fbf3e455c7fc3e1dc727be3c1689a9eac18e33ba517c99bf23187a38b1e6469e8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct2D5A.tmp
MD5
3ea4ff3693e2256e3f7c84283d0a9205

SHA1
603d7586bfa4ddb7a4c12778decbf3b659898844

SHA256
78487184f8d46d57a7ee364607e0106e0cba23a12e62bffcb9621a214a8f29aa

SHA512
904e912e56b99b82e6729b24d2366c5f087db9d9fa66b1333e7929b2bccf170d60c3cd3b455eaf4a230835d2e7719f32a817c2f9a32b29048f3304e986bdde39

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wctE22A.tmp
MD5
0161cd4477714848ae626fa786a6a407

SHA1
59fb2303bf80a4c329610e81ee400c586a9634e5

SHA256
3a93e3256aba04f74b7b6cc334096cd4fbb88c19359091af34a79b168af921cd

SHA512
5a791cbe927afa8711855b93fa902688a2d7c7d69cb6f50f5f6accebc4b98f34be2a671aa0e123939e7f09c6e3a85b090aa3a2c44eee8fd6cf660cbc5380efa1

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wctEFCE.tmp
MD5
20c4562e6dc5b88fbd7f00627c1fbda1

SHA1
c11cecac241f4f4f9d2d58f74cd7680d48ef6170

SHA256
be4bec58ea658ef317a1ada8152917efdb59864e2c7b52e049d7d85c99377744

SHA512
e0844b8876d929a82e95c34c4393af75bc8bb5ee32c77e48d3e2bc4e43feac3bee163699be3cc160200da24b9e7f9e62e393b38c8e2eb6092a286ab35939834b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log.RYK
MD5
341583fbed6e6b99fdccac65c3e21a88

SHA1
658563ba320e99b6c82e7ae8922412045dc81864

SHA256
ba52f8d8a988a928493d8d1f635ea6e1c03c011dd3de2be2b656a614cbf0f5c0

SHA512
519bffea65b3da6e005fc408ac90b5fda880263cd954bf3090fbb775efd9cf899310af2dd9936380f0ab37274f48838dcf6e407fdb11bd29a6b9484b44b9fc01

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.jtx
MD5
b836b58df28138769eaaca56551c9fc2

SHA1
94dc8f93c44dba5866792f9de821fd872a571d7a

SHA256
17f9cc2e50917d9d43d956d928dd7c59fc60960187a6190c688705b7b226fd6f

SHA512
e4c4b37341ac029eef23774f9e1d2782a82618f1be5c078addecad1fb6ccfc4d97b34c97387eb9914eb160cf00f503224851147d1e726f432ff4c047b809e700

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\temp\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\README
MD5
e6637c5a014738e077dac83d37327ce2

SHA1
6da73f1fb507fa780e02197ce849b6f3b76ab385

SHA256
773b8d799afcc4f6473e4828c7b971b1ef9993053381a2c0d8e401e58ae30e11

SHA512
59bc2b593cfc0476f60b22703572f41fca77829b03e58efee0b6a4ef6cdfe1cee4d7ba6b23be3e3b010de5995e4145787f348fe1ab0baa2e4111cf3412605b60

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Documents and Settings\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5
7373dc609ac5b6ed53c10072ae1dc899

SHA1
d00092e9f72355b4b3e671276d4d7e8d6dd95128

SHA256
a74f1bac618947fc4bde62fd70a02fb323592924ef70713e98cea6ea334febec

SHA512
db8f4f552164f3da656ecb003e272f0d44547cb0e9f508ee687afe62a61e9dcf36bba56b0718b8364a2ede9685b3a6a9b9e47b26097293ff9c1bf3d2d2e2ca0f

Download Submit
memory/2228-130-0x00007FF6701A0000-0x00007FF670475000-memory.dmp

Filesize
2.8MB

Download
memory/2744-180-0x00000265DB1F0000-0x00000265DB1F1000-memory.dmp

Filesize
4KB

Download
memory/2744-179-0x00000265DB200000-0x00000265DB208000-memory.dmp

Filesize
32KB

Download
memory/2744-195-0x00000265DB2E0000-0x00000265DB2E8000-memory.dmp

Filesize
32KB

Download
memory/2744-196-0x00000265DB100000-0x00000265DB101000-memory.dmp

Filesize
4KB

Download