ryuk | 748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43

Analysis

max time kernel
214s
max time network
234s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
20-02-2022 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
Size

205KB
MD5

9a93f9da4f9556fde6ba47ed634bf5ca
SHA1

56d1f6d60411119dbd5e58581af2440cc6acc78d
SHA256

748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43
SHA512

9f77b6f8c0847d1a9f4aacd75bac316e204b1d18cf83d23fb189e0b6bc8ac06e1307cb0bea2d0d9d030d930fc22a9e661a6097f073168e6f3260978f7b614e9e

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Only we have exclusive decryption software, suitable for your situation. More than a year ago, world experts recognized the impossibility of such encryption deciphering by any means except the original decoder. No decryption software is available in the public. Antivirus companies, researchers, IT specialists, and any other persons cannot help you to decipher the data. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM � files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us a [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe

Drops desktop.ini file(s) 4 IoCs

Processes:

sihost.exe748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\Admin\3D Objects\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\3D Objects\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4316 2712 WerFault.exe DllHost.exe

pid	pid_target	process	target process
4316	2712	WerFault.exe	DllHost.exe

Modifies data under HKEY_USERS 45 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132899874700148141"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.067898"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4108"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe

Modifies registry class 8 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exeStartMenuExperienceHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-790714498-1549421491-1643397139-1000\{73559BCE-0E00-46FF-8843-3961E82EC1A4}	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed	RuntimeBroker.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exesihost.exe

pid	process
1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
2204	sihost.exe
2204	sihost.exe
1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
2204	sihost.exe
2204	sihost.exe
1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
2204	sihost.exe
2204	sihost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exesihost.exeStartMenuExperienceHost.exeRuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
Token: SeBackupPrivilege	2204	sihost.exe
Token: SeBackupPrivilege	2816	StartMenuExperienceHost.exe
Token: SeBackupPrivilege	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
Token: SeShutdownPrivilege	2948	RuntimeBroker.exe
Token: SeShutdownPrivilege	2948	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

StartMenuExperienceHost.exe

pid process

4616 StartMenuExperienceHost.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

RuntimeBroker.exe

pid process

2948 RuntimeBroker.exe

pid	process
4616	StartMenuExperienceHost.exe

pid	process
2948	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exeDllHost.exesihost.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1540 wrote to memory of 2204	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	sihost.exe
PID 1540 wrote to memory of 2224	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	svchost.exe
PID 1540 wrote to memory of 2276	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	taskhostw.exe
PID 1540 wrote to memory of 2528	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	svchost.exe
PID 1540 wrote to memory of 2712	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	DllHost.exe
PID 1540 wrote to memory of 2816	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	StartMenuExperienceHost.exe
PID 1540 wrote to memory of 2948	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	RuntimeBroker.exe
PID 1540 wrote to memory of 3024	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	SearchApp.exe
PID 1540 wrote to memory of 2172	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	RuntimeBroker.exe
PID 1540 wrote to memory of 3372	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	RuntimeBroker.exe
PID 1540 wrote to memory of 2932	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	RuntimeBroker.exe
PID 1540 wrote to memory of 2676	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	backgroundTaskHost.exe
PID 2712 wrote to memory of 4316	2712	DllHost.exe	WerFault.exe
PID 2712 wrote to memory of 4316	2712	DllHost.exe	WerFault.exe
PID 1540 wrote to memory of 3148	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 1540 wrote to memory of 3148	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 2204 wrote to memory of 4236	2204	sihost.exe	net.exe
PID 2204 wrote to memory of 4236	2204	sihost.exe	net.exe
PID 1540 wrote to memory of 4532	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 1540 wrote to memory of 4532	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 2204 wrote to memory of 3052	2204	sihost.exe	net.exe
PID 2204 wrote to memory of 3052	2204	sihost.exe	net.exe
PID 2204 wrote to memory of 5180	2204	sihost.exe	net.exe
PID 2204 wrote to memory of 5180	2204	sihost.exe	net.exe
PID 1540 wrote to memory of 5488	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 1540 wrote to memory of 5488	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 1540 wrote to memory of 5496	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 1540 wrote to memory of 5496	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 3148 wrote to memory of 5736	3148	net.exe	net1.exe
PID 3148 wrote to memory of 5736	3148	net.exe	net1.exe
PID 5488 wrote to memory of 5744	5488	net.exe	net1.exe
PID 5488 wrote to memory of 5744	5488	net.exe	net1.exe
PID 4532 wrote to memory of 5768	4532	net.exe	net1.exe
PID 4532 wrote to memory of 5768	4532	net.exe	net1.exe
PID 3052 wrote to memory of 5776	3052	net.exe	net1.exe
PID 3052 wrote to memory of 5776	3052	net.exe	net1.exe
PID 4236 wrote to memory of 5784	4236	net.exe	net1.exe
PID 4236 wrote to memory of 5784	4236	net.exe	net1.exe
PID 5180 wrote to memory of 5792	5180	net.exe	net1.exe
PID 5180 wrote to memory of 5792	5180	net.exe	net1.exe
PID 5496 wrote to memory of 5824	5496	net.exe	net1.exe
PID 5496 wrote to memory of 5824	5496	net.exe	net1.exe
PID 1540 wrote to memory of 5840	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 1540 wrote to memory of 5840	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 1540 wrote to memory of 5920	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 1540 wrote to memory of 5920	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 5840 wrote to memory of 5992	5840	net.exe	net1.exe
PID 5840 wrote to memory of 5992	5840	net.exe	net1.exe
PID 5920 wrote to memory of 6000	5920	net.exe	net1.exe
PID 5920 wrote to memory of 6000	5920	net.exe	net1.exe
PID 2204 wrote to memory of 5800	2204	sihost.exe	net.exe
PID 2204 wrote to memory of 5800	2204	sihost.exe	net.exe
PID 2204 wrote to memory of 5108	2204	sihost.exe	net.exe
PID 2204 wrote to memory of 5108	2204	sihost.exe	net.exe
PID 2204 wrote to memory of 3744	2204	sihost.exe	net.exe
PID 2204 wrote to memory of 3744	2204	sihost.exe	net.exe
PID 5800 wrote to memory of 3328	5800	net.exe	net1.exe
PID 5800 wrote to memory of 3328	5800	net.exe	net1.exe
PID 5108 wrote to memory of 4612	5108	net.exe	net1.exe
PID 5108 wrote to memory of 4612	5108	net.exe	net1.exe
PID 3744 wrote to memory of 5200	3744	net.exe	net1.exe
PID 3744 wrote to memory of 5200	3744	net.exe	net1.exe
PID 1540 wrote to memory of 4504	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 1540 wrote to memory of 4504	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2224

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2276

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:2948

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2172

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2676

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:2932

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3372

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3024

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2712 -s 1000
2⤵
- Program crash
PID:4316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2528

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:5784

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5776

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5792

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5800

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:3328

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:4612

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5200

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
PID:6388

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:6440

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:6460

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:6512

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:6532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6584

C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
"C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3148

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:5736

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:5768

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5496

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5824

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5744

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5840

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5992

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5920

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6000

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
PID:4504

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:1428

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
PID:684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:3288

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:1220

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5352

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:5104

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5080

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:3788

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3476

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:5148

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1860

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:6072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK
MD5
579e97af4d264ec84726bca91bab771f

SHA1
63ebe2a372add9f803ab796f2e1c53f14f259a9b

SHA256
24ec6a1ff80cc3f5a3769fc825ce9de3896ae3cfa7243f06be9a84e7eca89842

SHA512
5374f1bc409e1604d916aab7f5f3c36e97e1efe0c6e48057299e014e80b59369b7a35384499db513d643327e43357b576ae908399ee8c0877c595bee3a02aa8d

Download Submit
C:\Documents and Settings\Admin\.oracle_jre_usage\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\3D Objects\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\3D Objects\desktop.ini
MD5
cf75a607a0b3167e029c91934cf4bbb8

SHA1
518d70df32d2753c6653f697e93bebb9d0031e08

SHA256
1c9f81e00b4c8b2fff7c076bc95af9668a12a138e20d3b6c43aecc1235718a6e

SHA512
fb9e67064bc7e3327750ac207d6a563021a37c38b9e4e30d72446069b4e953d7f05a33dbacf5cff93beb6f9c13127b171b9cb77797f032ed9ae68353fc16b460

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents
MD5
e500f8d9f607fd99fd2eca1843695ffb

SHA1
29e9b23c2859225ad6159839f1209c9e6237635c

SHA256
ed246f88900700873b2ab6a0689073c2c2b37579f81833e3d2211437b0fe95f2

SHA512
b618a946eb4b4464eb99e70ab4d8365746be176bcc248554e08301a05bbd8d0f7b1cc6f58407384b8e73cdc74da9336560d328f47c341ab59f19a6e977d22896

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache11.lst
MD5
8a58e61e557c6e88b8cde008f4ddbc3a

SHA1
c787fda51cd422cdc97bb18197dbcfdb474ca167

SHA256
64612b322922bd80b16e8a6e2e6a4e5dd851b9dfacff8ce9e7cf9476e77cc099

SHA512
6239de727d749d250476e45df24ac0c66ae872bf92c70d92ccb2d92cda168acda8a754169871af80b7d9e5fdad9ac6b73921de6980b1626ca8c8763851884f2e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
MD5
abf7ed94c50614889278ef19c4e2d04b

SHA1
d4267fdd8694772549f03e1caf517eefcd7523d3

SHA256
566477efd583373f8bb2cf6f65138f14e96e6c821df366b063b61de5767458f0

SHA512
f648eb38ed296645e8532f7650722f8d2900070f21171f2c7a0912d90e15e42da42dba70052b2c7a57e8d41d24b3a8a5a831405522f891a9f0c98cd95600c4ae

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Color\Profiles\wscRGB.icc.RYK
MD5
5e5f59b59830897faaf4e75ed01dd1a0

SHA1
95514a849ee5c551d4650bf149bd9e2708c5793a

SHA256
bf0812600758db2f8dd5c300ffc5f7926ef510a9087e5f5d80eabd3bbdd31c67

SHA512
a1f7bac10be8484c3613b2fc8ceac0a53c9f1f348c8c58994f0570682e2c4ed12dd3ca904db56f0bfa6e3987f77bf8f60d03f1b17cc5cb979a5da3f9478359d2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jcp
MD5
a707d73434030defc340698fd0b77d54

SHA1
690a8f47ff6e5558e77eb74248574dd968c1688d

SHA256
439a75185439d523a5fc59200f78305f9a61ded2f63dc453e2276f014881a9ff

SHA512
ac7509e6680704fe1903d4c1827cb33ae8810a76b65f8c4ee429b5cdda28075a419a99c6b272e7de133899890a4699442e5917abd19c1b930e4fc0e22aa8113d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx
MD5
5c0a4f62ef1dca05f1467a7321fddfe7

SHA1
15a787f5dc8ce41b6e6733d7b581ebccc560ec2b

SHA256
4af09cca3961d78cd480f0d5919836dc29808d1a9faf2ea0e6b521145624333b

SHA512
1af938a2ee813c88461f98a984992d262094e6491206de4b19bb685f635ab8238ac724fa6f7eab18dfca12e48463e14d8d9729dd7d91a947923c5bc97791f6a1

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm
MD5
2d4cf95a4fcb3add7f960bad23db77cb

SHA1
5a55b56e03ae7aa5a776d31921ebfff0bb0b0826

SHA256
5c84ea7121d54f0e9f745d406fb8543d2d8f66803f0d76677d9127a080f0aa17

SHA512
07b459cafba51d190f36cfc2b9beaab68be54193b5698a87824640c738e272d2f3f0adfe67c155d331c2ccf5b3ffd8bde35cecbeb6634b71709016569f2457f1

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol
MD5
42d6ea12676d225683819e11d67213b4

SHA1
b6fc7c79f138c35cbdbcb8d8457f5a04e2e770ee

SHA256
18568b917f83c8db203bde17291a373c45c5bdc184856f44030251eaed3a652b

SHA512
f914715fe876f51b431a2109e36deaadc98fc9a8795c41bfb0c6756882f6a5f6bf10256d49ea60ceb2f61f8deb0862532ad7803bf6689dd0be83e83662f92a45

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db
MD5
888950f03ead7a8602914b955ed9e176

SHA1
aadc0d6c45713f39c58c51dbac0ba580c7c45497

SHA256
c40528aef62fb3e7f303ecaf9065e6a7db49f4417e99dd4bdf159c5e77356f02

SHA512
d897676b114380e376dc764794038ff184890da01abaa4ded65aad0174d57ff73471033433ee3d89f572abcbf7654e5f93bc9cdf3aed391599de9cce2d8059a8

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\DO775D.tmp
MD5
455d2a5bee71c8ddc86b3fcdb73d50d6

SHA1
6cc53cd79ab6dd066e4f8781559ae0c4d200b8e6

SHA256
61b2aeb6051c812c97615a1c35f19b1417cfa2e8b4a1a96f2b54a77c478a9a59

SHA512
3b0597637006951efca3e82fd845c3ebe8de73a84c362355126a24bbc71ee138041d200daf3856c4173b541c846ba73946a28fffc26eb89816b13c4819b9ebcf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log
MD5
908cea27ffd6a4af2f92c9866de1b64d

SHA1
62856a21799480c22f61a175b9e58708441ae1a7

SHA256
d66aa8b46b3a5d80999b4f4b4dcf9ee2f384744414f203111ef7a066d5dd808c

SHA512
a33c7ae7c089ecbdf4c45a354af17559887d8e46eb19962cd273804803affa5c71f0ce739149940f8583d26cd0aae329cfe4c74704a578a179c178fb1faf5e38

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\aria-debug-2324.log
MD5
01006f4b1f6caadb532329e1e1cc38d6

SHA1
fae889b38c13c3c868e76dd982efc54bd972801f

SHA256
b0c0a1e5d8982b9415ba4ed11edbb127481f01611ad168d082d7dab7bdc91d09

SHA512
1f35da3c018bd00dd11232779d1365d33fd523ec64515415770445b1d45c4705242be12c5605bd758c71a95664d970a307d73d144aac23bff6337e0614bcb049

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
MD5
4da0ef0ba82c8bb455616bf17cd82031

SHA1
3c1901595f2aa0eb96ab8b77a51fb589835f323e

SHA256
d1b6095cfef336bff58948b375b5a295fa290fbc4823ec87f753d88afc1d4946

SHA512
cf807dcc4be769c383e26224df396af852d9ba071435967998088bb957fc97a6b40f63c2e9d45016a2abd4fe693bd06a7130e89b2a2cc48bad9697309c677cb8

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46A8.txt
MD5
c0202f002aaeb0372d38020e4bd4e3c7

SHA1
df99c80de6ff4e12d891f2f8405eed6834674edd

SHA256
a68c9f62624503ddaa7e0c7377b7127c94b5957b5d8c9e54d2083bbb2a87d62c

SHA512
7cda715fb2c7e4b64a0c4b2481fd7c097d048e01d623a179f083caa6a98c20106969f98c9a69828c00770ede41661b25c6a70b31e665373e1ee1c54c65d2c008

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46E0.txt
MD5
273709337e5a172b700f16c493b112e1

SHA1
eccb7ca5e699e29ae0bacf8dc1218e1f7f446cbf

SHA256
a90ec694afdf5ec11a44fd32f29dc210b635394f75ba09026a8ef5d08de0c607

SHA512
f34ad961fd7a693f8445ce2e97b2ece636c040dc3cc26adb7456807f5fc8414263d2221c9ec8e4938cacb33c1d9ec549072e20b0faff49a0cc38404838e9aa72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log
MD5
64e6a4f71b4028588b2b31f238a9a96a

SHA1
5d2b209075110597a6d58ea30419be0da48f7eb5

SHA256
f47adff1675292e2a77a51eb0fcb3353296b5d1a435566c945e90864b2474e82

SHA512
1ae29ec94fd30224a36fb0c1018667bf6587f4566bdbed304e02664d2ac44ec835b64b78ad46d8c3ab7af29790c279b474c16d97ecf9a182b40de5d62d5abe52

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\L.Admin.cdp
MD5
6f4e54964412daec1fbf03646c54338e

SHA1
2a5612f5e3e2a16649d87cb8d16c476eda6b1813

SHA256
5fd24c087aa3e4931f21c7ee8cd48adb0b0c76a199859db59088c9c93cdfcf99

SHA512
75c974900bda933eb9060a7728c9e407e056607bbf17ac51f8d186289c2ff7b2afcaa25fc662a3e9754437638175c74b168df3e8f72c17d68813f8f2219abeac

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\History.IE5\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK
MD5
41c522e764594dc05c08a788f4420275

SHA1
922dacade1eb5c042a631438b202ac439b4a45ea

SHA256
9053d75832af344e14d89c4f233cad8e6c84fcb04c04948f561170f6d526d871

SHA512
105222a9a730604007a118df6ab49a85d47bed4acde2c721c04023138933c853223073980038f4a2cc7b339bd138614a118a1a5d8bb4717f4c3c3685a34edb1d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\UsageLogs\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\af-ZA\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-AE\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-BH\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-DZ\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-EG\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-IQ\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-JO\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-KW\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
memory/2204-131-0x00007FF70BD10000-0x00007FF70C0A6000-memory.dmp

Filesize
3.6MB

Download
memory/2224-132-0x00007FF70BD10000-0x00007FF70C0A6000-memory.dmp

Filesize
3.6MB

Download
memory/2712-150-0x000001F617080000-0x000001F617088000-memory.dmp

Filesize
32KB

Download
memory/2712-152-0x000001F617070000-0x000001F617071000-memory.dmp

Filesize
4KB

Download