ryuk | 84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3

Analysis

max time kernel
204s
max time network
207s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
20-02-2022 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
Size

193KB
MD5

21256f1e6fef12bb963fff955d5f4531
SHA1

45f2ba25a028bb4756e37b810b96a32bb359b339
SHA256

84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3
SHA512

835b80e9d9db3aac6d670dde804c9caf999dd915086f1b3e037a60b572c6d6c1dc5261ee921851dbf50651be5e2eada75614be34c4e25b30e7dddd731fee1587

Score

10^/10

ryuk discovery persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 1 IoCs

Processes:

USUDPfv.exe

pid process

996 USUDPfv.exe

pid	process
996	USUDPfv.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

USUDPfv.exe84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	USUDPfv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exe

pid process

1628 icacls.exe
1400 icacls.exe
3320 icacls.exe
1276 icacls.exe

pid	process
1628	icacls.exe
1400	icacls.exe
3320	icacls.exe
1276	icacls.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Modifies data under HKEY_USERS 49 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.211715"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4112"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4240"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132899859291863226"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "6.250255"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.432897"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exeUSUDPfv.exe

pid	process
1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
996	USUDPfv.exe
996	USUDPfv.exe
1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
996	USUDPfv.exe
996	USUDPfv.exe
1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exeUSUDPfv.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
Token: SeBackupPrivilege	996	USUDPfv.exe
Token: SeBackupPrivilege	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
Token: SeIncreaseQuotaPrivilege	2976	WMIC.exe
Token: SeSecurityPrivilege	2976	WMIC.exe
Token: SeTakeOwnershipPrivilege	2976	WMIC.exe
Token: SeLoadDriverPrivilege	2976	WMIC.exe
Token: SeSystemProfilePrivilege	2976	WMIC.exe
Token: SeSystemtimePrivilege	2976	WMIC.exe
Token: SeProfSingleProcessPrivilege	2976	WMIC.exe
Token: SeIncBasePriorityPrivilege	2976	WMIC.exe
Token: SeCreatePagefilePrivilege	2976	WMIC.exe
Token: SeBackupPrivilege	2976	WMIC.exe
Token: SeRestorePrivilege	2976	WMIC.exe
Token: SeShutdownPrivilege	2976	WMIC.exe
Token: SeDebugPrivilege	2976	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2976	WMIC.exe
Token: SeRemoteShutdownPrivilege	2976	WMIC.exe
Token: SeUndockPrivilege	2976	WMIC.exe
Token: SeManageVolumePrivilege	2976	WMIC.exe
Token: 33	2976	WMIC.exe
Token: 34	2976	WMIC.exe
Token: 35	2976	WMIC.exe
Token: 36	2976	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4464	WMIC.exe
Token: SeSecurityPrivilege	4464	WMIC.exe
Token: SeTakeOwnershipPrivilege	4464	WMIC.exe
Token: SeLoadDriverPrivilege	4464	WMIC.exe
Token: SeSystemProfilePrivilege	4464	WMIC.exe
Token: SeSystemtimePrivilege	4464	WMIC.exe
Token: SeProfSingleProcessPrivilege	4464	WMIC.exe
Token: SeIncBasePriorityPrivilege	4464	WMIC.exe
Token: SeCreatePagefilePrivilege	4464	WMIC.exe
Token: SeBackupPrivilege	4464	WMIC.exe
Token: SeRestorePrivilege	4464	WMIC.exe
Token: SeShutdownPrivilege	4464	WMIC.exe
Token: SeDebugPrivilege	4464	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4464	WMIC.exe
Token: SeRemoteShutdownPrivilege	4464	WMIC.exe
Token: SeUndockPrivilege	4464	WMIC.exe
Token: SeManageVolumePrivilege	4464	WMIC.exe
Token: 33	4464	WMIC.exe
Token: 34	4464	WMIC.exe
Token: 35	4464	WMIC.exe
Token: 36	4464	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exenet.exenet.exeUSUDPfv.execmd.exenet.exenet.exe

description	pid	process	target process
PID 1852 wrote to memory of 996	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	USUDPfv.exe
PID 1852 wrote to memory of 996	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	USUDPfv.exe
PID 1852 wrote to memory of 996	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	USUDPfv.exe
PID 1852 wrote to memory of 2204	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	sihost.exe
PID 1852 wrote to memory of 4068	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	net.exe
PID 1852 wrote to memory of 4068	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	net.exe
PID 1852 wrote to memory of 4068	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	net.exe
PID 1852 wrote to memory of 1432	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	net.exe
PID 1852 wrote to memory of 1432	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	net.exe
PID 1852 wrote to memory of 1432	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	net.exe
PID 1852 wrote to memory of 2224	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	svchost.exe
PID 1852 wrote to memory of 2276	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	taskhostw.exe
PID 1852 wrote to memory of 2528	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	svchost.exe
PID 4068 wrote to memory of 3872	4068	net.exe	net1.exe
PID 4068 wrote to memory of 3872	4068	net.exe	net1.exe
PID 4068 wrote to memory of 3872	4068	net.exe	net1.exe
PID 1432 wrote to memory of 1712	1432	net.exe	net1.exe
PID 1432 wrote to memory of 1712	1432	net.exe	net1.exe
PID 1432 wrote to memory of 1712	1432	net.exe	net1.exe
PID 1852 wrote to memory of 2712	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	DllHost.exe
PID 1852 wrote to memory of 2816	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	StartMenuExperienceHost.exe
PID 1852 wrote to memory of 2948	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	RuntimeBroker.exe
PID 1852 wrote to memory of 3024	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	SearchApp.exe
PID 1852 wrote to memory of 2172	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	RuntimeBroker.exe
PID 1852 wrote to memory of 3372	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	RuntimeBroker.exe
PID 1852 wrote to memory of 2932	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	RuntimeBroker.exe
PID 996 wrote to memory of 1276	996	USUDPfv.exe	icacls.exe
PID 996 wrote to memory of 1276	996	USUDPfv.exe	icacls.exe
PID 996 wrote to memory of 1276	996	USUDPfv.exe	icacls.exe
PID 996 wrote to memory of 1628	996	USUDPfv.exe	icacls.exe
PID 996 wrote to memory of 1628	996	USUDPfv.exe	icacls.exe
PID 996 wrote to memory of 1628	996	USUDPfv.exe	icacls.exe
PID 996 wrote to memory of 3128	996	USUDPfv.exe	cmd.exe
PID 996 wrote to memory of 3128	996	USUDPfv.exe	cmd.exe
PID 996 wrote to memory of 3128	996	USUDPfv.exe	cmd.exe
PID 996 wrote to memory of 3816	996	USUDPfv.exe	net.exe
PID 996 wrote to memory of 3816	996	USUDPfv.exe	net.exe
PID 996 wrote to memory of 3816	996	USUDPfv.exe	net.exe
PID 3128 wrote to memory of 2976	3128	cmd.exe	WMIC.exe
PID 3128 wrote to memory of 2976	3128	cmd.exe	WMIC.exe
PID 3128 wrote to memory of 2976	3128	cmd.exe	WMIC.exe
PID 3816 wrote to memory of 2544	3816	net.exe	net1.exe
PID 3816 wrote to memory of 2544	3816	net.exe	net1.exe
PID 3816 wrote to memory of 2544	3816	net.exe	net1.exe
PID 996 wrote to memory of 2176	996	USUDPfv.exe	net.exe
PID 996 wrote to memory of 2176	996	USUDPfv.exe	net.exe
PID 996 wrote to memory of 2176	996	USUDPfv.exe	net.exe
PID 2176 wrote to memory of 2164	2176	net.exe	net1.exe
PID 2176 wrote to memory of 2164	2176	net.exe	net1.exe
PID 2176 wrote to memory of 2164	2176	net.exe	net1.exe
PID 1852 wrote to memory of 1400	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	icacls.exe
PID 1852 wrote to memory of 1400	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	icacls.exe
PID 1852 wrote to memory of 1400	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	icacls.exe
PID 1852 wrote to memory of 3320	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	icacls.exe
PID 1852 wrote to memory of 3320	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	icacls.exe
PID 1852 wrote to memory of 3320	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	icacls.exe
PID 1852 wrote to memory of 2572	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	cmd.exe
PID 1852 wrote to memory of 2572	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	cmd.exe
PID 1852 wrote to memory of 2572	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	cmd.exe
PID 1852 wrote to memory of 388	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	net.exe
PID 1852 wrote to memory of 388	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	net.exe
PID 1852 wrote to memory of 388	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	net.exe
PID 1852 wrote to memory of 3332	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	cmd.exe
PID 1852 wrote to memory of 3332	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	cmd.exe

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2276

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2932

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3372

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2172

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3024

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2948

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2816

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2224

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
"C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe
  "C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1276
- - C:\Windows\SysWOW64\icacls.exe
    icacls "D:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "WMIC.exe shadowcopy delet"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3128
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC.exe shadowcopy delet
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2976
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3816
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:2544
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe" /f /reg:64
    3⤵
    PID:4776
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe" /f /reg:64
      4⤵
      Adds Run key to start application
      PID:2576
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3872
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1712
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "WMIC.exe shadowcopy delet"
  2⤵
  PID:2572
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC.exe shadowcopy delet
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4464
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3320
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:388
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:4188
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe" /f /reg:64
  2⤵
  PID:3332
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:4484
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1420
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4256
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:3768
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3944
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1212
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5128
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:5184
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5236
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:5256
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5304

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:1688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\ProgramData\USOShared\Logs\User\NotifyIcon.6a3e1b01-1d47-413e-bced-6904454828e3.1.etl

MD5
07b53b0b91437b8f4ee31fb4c875c751

SHA1
4e37041fcfeeaee0bc2e81a6a0a72a231d3ae5a9

SHA256
6456c5ea7db0392c123962826d2bb4de0cbfaa2fb748d5a245798b0146987754

SHA512
001d4d1522a4c8d1906b858ebbc6391b0d12a1368597df82f2b2731da66f0dd9e7db5899416eac069001ea906196eb102ef368e65094ec284151c5983d8c4d6f

Download Submit
C:\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK

MD5
2088fd252365eb712195f803940888fc

SHA1
3394d864aead4dcb79f5aa047712a14e6371a1b9

SHA256
e021b3ee42f5ec90258ae1d12b6609ddf6e7e173b344d87e0c9fe31026ac325c

SHA512
8678312f2d57d808315889e3cd5e3d77cdeeeda0d7dffbe24127ef389524254abbbca938da6d5b02d322d5688c4182f7f89bad7c32e424467c69e5b542f959ba

Download Submit
C:\Users\Admin\.oracle_jre_usage\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\3D Objects\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK

MD5
3b9b430ac942dbdbd1f9f92c4026b98b

SHA1
942e82ea0220378071f3fa44e1b1cb462f34a119

SHA256
893c903455ec58826dc863988bd1fb2cf2fe293da334ead5a002521bf3742d9a

SHA512
28a262a2e94441e001477e1165ad44032b6565bc3a4fa7cad3af10666e881bed041fef5069b7071957f6353a850da056a1d7246592ea58fdd904d031aea313c8

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK

MD5
2689218f8a25d44a88d6ad6682eea762

SHA1
6044c1f5cab9f1deab735110d11cfdab518267a4

SHA256
689b87cb075cfab6747c0f93f4d671d621b9307aed730d432149f08d01e9ea01

SHA512
380f899549284b768ede4570b834f4766c18cabf5bed17ee2404855eac02ecad8fc9219b102780cdf67693deb64a5087fe4a732ce40abe7f1d132f4809ed41b3

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK

MD5
682469eaa051fccbb6906592b1bdd2e2

SHA1
29b9d5e5712a7e1f014ceb9b01d2ac38278ac718

SHA256
c5b8db655eba3fcddb4da0c260fef7956e413717925839c45a6262258b5228f8

SHA512
58765537e1c1b08270dda3cd02f391a732402b278a7529297a81bf93b17927a868ac82ad7ca59483174815dd68cae54c6488055dde9302ed041d82c1c48a9f02

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

MD5
bc8234f034521e8a4817c9d4704d5c9d

SHA1
08af97e1db654002b313884963605b8d12f7a677

SHA256
e09919b0136b2899d0b71e20350946d417b631f1785c6c8a327bc70fefb085fb

SHA512
be1af3a67fc69b59bd55bfb2dc81da8572fb6d6b173c82eb4a336d2eb384f91e8789063e130cb2aa5f82da2c7969da775eb7c29728fcd14b8a135e6e12e28d10

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

MD5
b45a38c7f13821c9379f25548c4b6488

SHA1
50ad4caa5839f41bc150679956dbc8999a58e019

SHA256
812490532c6f11825d96c935f2ca06e4a4c1901701bcfc972e6773b73544eb11

SHA512
3112a61c1144cd987c45f3f19df04674929a6bc0ef3b559f5d79766976d419420df4043ab7f24f8fc81ab32411431c91fa2b616af121a8978ba4abda8d67be11

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Adobe\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Comms\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jcp.RYK

MD5
63cb8d04f285576497b71b0f5471f999

SHA1
e479f714bd171811fe39a5089034581dfb9f9c10

SHA256
7430aeb4a694def52d37518af04b2b04fb8437d654ac998bd6d4fb7162d4dde8

SHA512
1178186a301ffcdb62e3b02914bd6bd4929ae7b7c7ba8eb713e28b7a76a9eef48d8ada99d5ec18a4f4fd5a2c9f64873653b1496fb71fe6ce44a37d099e4bf767

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jtx.RYK

MD5
a6874daed050c35eb4036abfa137d395

SHA1
d3f0a09b201dd0f9b5fe8a99ff76b1bb3ec788b3

SHA256
1ddbf1623854541a9e88fe087f30b886458b573a49851d0061eeb2bff1eb6e66

SHA512
d6f10b6918210c86e7f55065eab8a6d197b6008263916e976eee469f8a03abc30f84cc6f0a906f76975fcb7ed6bb23914ab8140d0b69d7c4d9b9ba3bb14122ed

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USSres00001.jrs.RYK

MD5
8787e73fc71957ca6da2b967057d1b1e

SHA1
b17b5baa57389a3fe0c981c54a08b33211c4225f

SHA256
ae6424ef057d199c47162736f9d62366b9f83ec29d2e6b7f7c83bc5695505ed4

SHA512
cd97815691ecfa0c7da19459e6717d9af44de33d39fab2e05af2dc1ec3660c1756f70d8f95f468bb74346921caf5e632c3a714f27161571deaa9a291e24c4e17

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USSres00002.jrs.RYK

MD5
50365d291e266c35d90efce26af3a830

SHA1
e5124f39c797365cc87f29e3881e19c94dec1c93

SHA256
3dad868176f0d705706bca9ad65772f61b018d650c028b8e791c816d370499af

SHA512
0566eb98e328e69a51e5b32bee62dd018e4b570a2a26c06e7af42243c4e9d5c7b86c4e0198850c1ffec094ed26cabd18d80e572b9cd4ca8a88e664ac615f2c98

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USStmp.jtx.RYK

MD5
501142f3d50b33e90eb41970aa669542

SHA1
d76500886ba12d30db19c46d1311d290c3a0c2d4

SHA256
f0b75f5b763eaa4376191d0e4e0020b49972556d0d4885e7acb15e065c49e4f7

SHA512
2a7f024d60d5ad1611a3332771ef7fc7655df8b823a9c38284f52d1f2477b9427d60dac455aeefbb4b32959a5f3d8f00a2d8d438eb20c6321d5613e17f69dcff

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm.RYK

MD5
14fd16ae52c8ee02a9bd220304e968bf

SHA1
158a5bdbca3e4b34c434c5fc5951cc3b020305a2

SHA256
ce7eb2fd52412c41cf558bb282159c9b5cbc622dfdfc36405b067e64c21423a8

SHA512
e846e63fde343b4abcddc6c253c174acf0fc41ab10d19a356a6282a0ba7bfbdb0f92d56e86bfe1dd2efce02e9f1aeb98db864eb6542e96851a01a2bcb8d521cb

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.vol

MD5
f5f4b4052de128530fec13ea7bdd710c

SHA1
365e0ab308e9e7be6d8271f4e93c691582f2b242

SHA256
929a18f013b0de56ddc3563b577626f3ffb1cb122b5a17a3388c80e78071316e

SHA512
b01ef88d7180086ecd7936598e43731f5d9f5541b9da0bd02d827d9655547a158a15922f5998f8d2ffb41884025ba317e2ef7dd7c439dec0fd8aa4da968e93fe

Download Submit
C:\Users\Admin\AppData\Local\Comms\Unistore\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Comms\Unistore\data\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Comms\Unistore\data\temp\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin.cdp.RYK

MD5
282e965e50c0b7c42aceca9f4e7bbfa9

SHA1
73ee08c53e889a3094442e13b8b74ec68c7f3857

SHA256
03b028ca841cafa3619dcba663a024cbed79d9d5ba72a7d25aac7569a24d3a16

SHA512
e05fdc47c91d895e7b2fe5670f1410012105bc68c61d62ca39940c99f67903075bb2ba333246f8bddd3650dc407f43545f674c3c9ce2c091e67596a4f65e9576

Download Submit
C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Google\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\IconCache.db.RYK

MD5
741131f72f8b8bcb5d9257646e578582

SHA1
b8a066e84103dfc56dd22d5f91a40fc1fc9553ea

SHA256
8fa1fa85b143f0cab7d925080a0118316c3e9058fa9689ecfdab52c26f1a29bd

SHA512
acdbfa4e61cb1a5994b4516b84ade652055d813f1166f54d5eccdcf203800c8f736b4828a85652732b52717989fb1ce292dc7712d03f7e450c461284e5dac6a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Credentials\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

MD5
44fe0e3bed28a88779367fa67d1878b9

SHA1
d352c614d928bd7f289c76f81d5ebd776442aa9f

SHA256
6e9e35e622207f4b1be228d380440ed63710015a5ba75b29b4115edeef2e41dc

SHA512
29552f6a04e79a7828405123b1cb51e0d024f3fc3d2720f8544fba821ec8a2d9fe9de1cba26851f4e15e5227ce4d000544ea00301a53822928bc225ff6ace4b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

MD5
ed1518762497f11da0b40a60222abf1f

SHA1
8675dbb72c02c18b874526c3934b74b0c114124d

SHA256
2168633ea9f9a8f77dcb85080b6845f43b6dba0f14816ece7a9d802657b9b721

SHA512
7f934f32091d497677e94ac9f0e4f09eb9a969c9063c9843abb651b7d8886a9224d91e0bd74283f808f9274ceeb0e9b03e896d1da0af28103650d038239e1668

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

MD5
b50cb12810627f3f8d7c3c2b058e5851

SHA1
ecf169145da5c456bbebcce7bbbd70be67f2972d

SHA256
455a1bf20c7ebea551cba02de87dd9205f08cfe68bca280c0e472b420c3c5c5f

SHA512
c6f9cfb89ce5f61892ef710326c110ea337e2cc38c446ecbfbc902e76d1a1fad97f0851588427360a91c330860b173c25126572f780c634822fab9e7eac2a1b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\README.RYK

MD5
6d4db47132624b42f9bf9efc81a0e673

SHA1
d7b5a7da352a8bc52b28e444fed1a733b4851d6f

SHA256
de7526db3da33b40c8de79616213eb4daedf1f8f5463b10dfc110ac9899b8b90

SHA512
f58ffc25c15b78188dd4eaf5bdb27e80e50e555ea022ceb6f9ee32b6e5cd3827c127826f4fb5da6a85aad13dbe79faffe0c0c2076200450f9de07d43203d1d75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

MD5
61f5ce864c427d353712eaa37baacfbf

SHA1
0311720285d08ce1915a7cbeb892e0a12401a9fe

SHA256
a3110c64f894ad51963a465be90700490a49109c2d5112c22673885577340b3a

SHA512
ff4b55cc2f5950c508870b44606c2c1ffa5b9eb82e9a627b88f2c4e867db982c6157de26c6f6a7cd1d874885715e5e1a33418de5fa19889bb768513ad75e6aab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State.RYK

MD5
8ba8c003d34d1ae78dc04445f96fa090

SHA1
69ec8929c6b2795b6aaf567d994710aaf0a2bdba

SHA256
85b6a90d771498988f23579a23a583e27b1e4be332fb9efb16e1e9d5bea29466

SHA512
ccd4c84af31e5f88fcc6a55a88d0e459200e78569ee0082e4e6cf932e722c8cba4d55d31388c56d5013a911c7fa088833b17881590e495d41626b5d6359a4768

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\GameDVR\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\af-ZA\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-AE\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-BH\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-DZ\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-EG\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-IQ\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-JO\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-KW\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-LB\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-LY\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-MA\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-OM\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-QA\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-SA\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-SY\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe

MD5
21256f1e6fef12bb963fff955d5f4531

SHA1
45f2ba25a028bb4756e37b810b96a32bb359b339

SHA256
84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3

SHA512
835b80e9d9db3aac6d670dde804c9caf999dd915086f1b3e037a60b572c6d6c1dc5261ee921851dbf50651be5e2eada75614be34c4e25b30e7dddd731fee1587

Download Submit
C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe

MD5
21256f1e6fef12bb963fff955d5f4531

SHA1
45f2ba25a028bb4756e37b810b96a32bb359b339

SHA256
84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3

SHA512
835b80e9d9db3aac6d670dde804c9caf999dd915086f1b3e037a60b572c6d6c1dc5261ee921851dbf50651be5e2eada75614be34c4e25b30e7dddd731fee1587

Download Submit
C:\Users\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit