ryuk | aacfc3e386ed12082923d03fa1120d5fa6bf7b8655ba77e04b96a45434fa9a83

Analysis

max time kernel
185s
max time network
38s
platform
windows7_x64
resource
win7v20210408
submitted
27-04-2021 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

thankful-boat.exe
Size

129KB
MD5

db2766c6f43c25951cdd38304d328dc1
SHA1

fc62460c6ddd671085cde0138cf3d999e1db08cf
SHA256

aacfc3e386ed12082923d03fa1120d5fa6bf7b8655ba77e04b96a45434fa9a83
SHA512

87bc840be7d0ac2e30712b9bf72da9666e10abfce50cd312f56facdae606ab0c5592b910629442d17577ee521c1b93de07d2e578a446f0e817242c025cc00a2c

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you encrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

thankful-boat.exetaskhost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\UninstallBlock.crw.RYK	thankful-boat.exe
File opened for modification	C:\Users\Admin\Pictures\UninstallBlock.crw.RYK	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\MountSwitch.raw.RYK	thankful-boat.exe
File opened for modification	C:\Users\Admin\Pictures\PushRedo.png.RYK	thankful-boat.exe
File opened for modification	C:\Users\Admin\Pictures\ResizeComplete.crw.RYK	thankful-boat.exe
File opened for modification	C:\Users\Admin\Pictures\RegisterRead.png.RYK	thankful-boat.exe
File opened for modification	C:\Users\Admin\Pictures\MountSwitch.raw.RYK	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\PushRedo.png.RYK	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\ResizeComplete.crw.RYK	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\RegisterRead.png.RYK	taskhost.exe

Drops startup file 2 IoCs

Processes:

taskhost.exethankful-boat.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.txt	thankful-boat.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

taskhost.exethankful-boat.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\Sample Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Public\Recorded TV\Sample Media\desktop.ini	taskhost.exe
File opened for modification	C:\Program Files\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NU1L7O13\desktop.ini	thankful-boat.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H18KNA1T\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\VFDYFLB4\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Music\desktop.ini	thankful-boat.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	thankful-boat.exe
File opened for modification	C:\Documents and Settings\Admin\Links\desktop.ini	thankful-boat.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Default\Start Menu\Programs\Maintenance\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	thankful-boat.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Default\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	taskhost.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	thankful-boat.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini	thankful-boat.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\Sample Music\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E9RC2MV6\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini	thankful-boat.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\desktop.ini	thankful-boat.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	thankful-boat.exe
File opened for modification	C:\Documents and Settings\Public\Libraries\desktop.ini	taskhost.exe
File opened for modification	C:\Program Files\desktop.ini	thankful-boat.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E9RC2MV6\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Contacts\desktop.ini	thankful-boat.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Games\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\X8SF34HL\desktop.ini	thankful-boat.exe
File opened for modification	C:\Documents and Settings\Admin\Downloads\desktop.ini	thankful-boat.exe
File opened for modification	C:\Documents and Settings\Default\Start Menu\Programs\Accessories\System Tools\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Searches\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Startup\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	thankful-boat.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	thankful-boat.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NU1L7O13\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	thankful-boat.exe
File opened for modification	C:\Documents and Settings\Admin\Searches\desktop.ini	thankful-boat.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	thankful-boat.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\desktop.ini	thankful-boat.exe
File opened for modification	C:\Documents and Settings\Public\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Recent\desktop.ini	thankful-boat.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini	thankful-boat.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Default\Start Menu\Programs\Accessories\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VNYR844D\desktop.ini	thankful-boat.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\SendTo\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Desktop.ini	thankful-boat.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Maintenance\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Default\SendTo\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\desktop.ini	thankful-boat.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NU1L7O13\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VNYR844D\desktop.ini	taskhost.exe

Drops file in Program Files directory 64 IoCs

Processes:

taskhost.exethankful-boat.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.properties	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic_5.5.0.165303.jar	thankful-boat.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\picturePuzzle.css	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Jujuy	thankful-boat.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\macroprogress.gif	thankful-boat.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImagesMask.bmp	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\EMAIL11.POC	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\icon.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00452_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBlankPage.html	thankful-boat.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR17F.GIF	thankful-boat.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232803.WMF	thankful-boat.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03459_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface_3.10.1.v20140813-1009.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-heapdump.jar	thankful-boat.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01168_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02446_.WMF	thankful-boat.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.jdp_5.5.0.165303.jar	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02431_.WMF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\config.ini	thankful-boat.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-annotations-common.jar	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png	thankful-boat.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_bkg_orange.png	thankful-boat.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02092_.WMF	thankful-boat.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00097_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Traditional.dotx	thankful-boat.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\21.png	thankful-boat.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\Microsoft.VisualStudio.Tools.Applications.DesignTime.tlb	thankful-boat.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msadox28.tlb	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382957.JPG	thankful-boat.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialReport.dotx	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_right.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00443_.WMF	thankful-boat.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14882_.GIF.RYK	taskhost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_up.png	thankful-boat.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\flyout.css	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Module.thmx	thankful-boat.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.sat4j.pb_2.3.5.v201404071733.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+5.RYK	thankful-boat.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00204_.WMF	thankful-boat.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153514.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePage.gif	thankful-boat.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGNAVBAR.XML	thankful-boat.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lindeman.RYK	thankful-boat.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Nassau	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\22.png	thankful-boat.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDFFile_8.ico	thankful-boat.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\PREVIEW.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\Invite or Link.one	thankful-boat.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\form_edit.js	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.attach_5.5.0.165303.jar	thankful-boat.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02522_.WMF	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg	thankful-boat.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Norfolk	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\win32_CopyDrop32x32.gif.RYK	taskhost.exe

Drops file in Windows directory 64 IoCs

Processes:

taskhost.exethankful-boat.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\UIAutomationTypes\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Management.Automation.Resources\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\b34cda03a984c515b31faf410e5b7e39\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\AppCompat\Programs\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.Bu#\7fce6bcd28750194d0343e473ad4f463\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\GAC_32\System.Web\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Contract.v9.0\9.0.0.0__b03f5f7f11d50a3a\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\PresentationFramework.Aero\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\UIAutomationTypes\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ehiiTV\6.1.0.0__31bf3856ad364e35\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data.Entity\84467aa24019da88d4aece177e51a223\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te3736ca4#\f0a8400b761cf5680fd7fdd7db26181c\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\MCESidebarCtrl\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\mcstore\6.1.0.0__31bf3856ad364e35\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost\e88db1688b08fbb889b0b9d4b1a51493\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.IdentityModel\0a637affd530a4ee90f0ed36c3febc79\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\AuditPolicyGPManage#\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\mcepg\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Drawing\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net\c252762f9efbc0ad25f01a475b7d00ad\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data7706cdc8#\d3c9daee844c6d685e059108aa87b3a4\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.AddIn.Contract\2.0.0.0__b03f5f7f11d50a3a\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\08d608378aa405adc844f3cf36974b8c\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.IdentityMode#\559a3dee015d005c199f3867b10f5bbc\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web.82d5542b#\0f6b049b864d8965e11862554854eee9\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\IEExecRemote\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Tools.Common.v9.0\9.0.0.0__b03f5f7f11d50a3a\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Synchronization.Data\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\GAC_64\mcstoredb\6.1.0.0__31bf3856ad364e35\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Access.Dao\14.0.0.0__71e9bce111e9429c\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\30f8865f88bb953486fd20650b54177c\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Printing\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\UIAutomationClient\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\napsnap\46a2e8958905ea98cb6e91b38449c58a\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.22cc68a8#\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ehshell\6.1.0.0__31bf3856ad364e35\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.Resources\1.0.0.0_en_31bf3856ad364e35\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Entity.Design\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.OutlookViewCtl\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\MMCEx\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\napinit.resources\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Data.SqlServerCe.Entity\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\ipdmctrl\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Deployment\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Comp7dda8007#\e00e9898fbb901fe514674de702f578d\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiwmp\9f570489c98c93a79f0fd793586afdc6\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\assembly\GAC_32\Policy.6.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Publisher\14.0.0.0__71e9bce111e9429c\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\policy.3.5.System.Data.SqlServerCe\3.5.0.0__89845dcd8080cc91\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.ApplicationId.Framework.Resources\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\5b9c2eae674609a3d84010c9906e0bf8\RyukReadMe.txt	thankful-boat.exe
File opened for modification	C:\Windows\assembly\GAC_64\mcupdate\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Synchronization.Data.Server\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\EventViewer.Resources\6.1.0.0_en_31bf3856ad364e35\RyukReadMe.txt	taskhost.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

431864 1816 WerFault.exe thankful-boat.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

thankful-boat.exe

pid process

1816 thankful-boat.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE

pid	pid_target	process	target process
431864	1816	WerFault.exe	thankful-boat.exe

pid	process
1816	thankful-boat.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

thankful-boat.exetaskhost.exe

description	pid	process
Token: SeDebugPrivilege	1816	thankful-boat.exe
Token: SeBackupPrivilege	1104	taskhost.exe
Token: SeBackupPrivilege	1816	thankful-boat.exe

Suspicious use of FindShellTrayWindow 18 IoCs

Processes:

Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

thankful-boat.exe

description	pid	process	target process
PID 1816 wrote to memory of 1104	1816	thankful-boat.exe	taskhost.exe
PID 1816 wrote to memory of 1180	1816	thankful-boat.exe	Dwm.exe
PID 1816 wrote to memory of 1212	1816	thankful-boat.exe	Explorer.EXE

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1212

C:\Users\Admin\AppData\Local\Temp\thankful-boat.exe
"C:\Users\Admin\AppData\Local\Temp\thankful-boat.exe"
2⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1816 -s 215636
3⤵
- Program crash
PID:431864

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:432196

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK

MD5
135031073aed39a1bc61bf949abf53fc

SHA1
4e0f42a4ce0affbddc310fd42f856efb209492f4

SHA256
f3db669471cd56df51895803e7d731c7c6e6b85bc8bdd768cfcbe5864ec773fb

SHA512
1b061d6043201a7ba7153385e83f65aa15a4693694387de7a0645688bc2ce241367c72df16c2f67d9cd3a3a32a2774548da91889df5e0ac6c8ddccac398e3c29

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache10.lst.RYK

MD5
7761b8a67c789bcbfc5b8e36241977bd

SHA1
6e35ea869828d37d8d4a9a4851dcbca0383e7152

SHA256
e05ec9d7df2393ee056dd070866652b8f3cdb55fb3c50c8e8a3df043e6d9049c

SHA512
0a66354df0595b03b39bad3179b21a9c2638453a60ec078a1137c616e43d96f669d825b68c1fe365cda66ca8de1f34697ae0d4e9e26fe5b89888b1d93940fbe9

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

MD5
584cdb5c48fb60bd7133e47ed05a24a5

SHA1
a616e0050d6b14e50a5f281da79a6a282d2c0dce

SHA256
775089d9027071d11554003e8c263745c37c1f02a064911b1a6e5825d821ce2c

SHA512
001dfb4a83b11bc9adbc59849d0931672dedd578f1909e300757d44854eea20508878000b6beb4a670c3d7329463036cf82fb0fa0d62474afe86c8c8bb4df8ad

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

MD5
032ad32f7424c571d6d4036fac67a838

SHA1
73e833c9795a8e3b7c668e8183b6a2d7dfdedbfe

SHA256
d2df2d38fce66f66bd2b1179d9b23dc638f083f69e9a0a541b245df8d26aa977

SHA512
1d62195f42b5e45411e9a2f8787cc35dea7396c6d73930e092bb3965a1341b74b64ab5beb8490cb3188f7d0be1f1b110d16639dd537507ce07fdacbaef2977a6

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK

MD5
696bcd3a81aeaed3536f7e2b5dc1d3df

SHA1
7afa17f076b67eb0658d9944aed9f3e8b2ef222d

SHA256
9729ec4e9f6090700685112c27273a166a014d7b5a602ddd496016852af89309

SHA512
b1ed9e92a613058917c3ded1f6c6a0aee24b02cd6cc633953ef558953766b381565f83f089b65042abad5af759e1096ed43f72fd445f7fcc7875fb5f8893b41f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db.RYK

MD5
4fa3b13ee120da4f4ea6409460a4a497

SHA1
0fba428e897aead056d7059565c605117cd5f4e0

SHA256
5129dea6b369443e90e063a7fd1e1e2f989c9ba87eb8cd883e53ba09e87b883f

SHA512
2870c0a24676fa76d8f4fa63228ce0181e0e869feb07b26921df683f501484bcf23130c35226ff305cbb43f31e242ff3eca70a308bf16e75dc81405bf29c31fc

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00001.log

MD5
06a7ebd84e604f2a0b87d1e6988bcee9

SHA1
03471e6dfad6201b4303f94bf7ff44bc29250f62

SHA256
7102a74d7e68d892641f0c8248669cbf92e879f1dcf9c9af5821fb7867c4cb4a

SHA512
ba399b8a1607a73faa53e9204f1de45cfa8e3c9b7cb1a6e49d0d4b800161c02b352a1f0106103acfb47728d4c7ba564a391515f4467abad77c9baf73ef0d9f60

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Admin.bmp.RYK

MD5
e35fbc6bc95b8ef687d0e3e92540beec

SHA1
89fc8de7153edc70be69b07fa447191db32ebda0

SHA256
279716092ab5d1690a6922f93c04ce50add387ee0b62a59ec9a330724cc15690

SHA512
2de2d361ae2f58f8a809a396f597a900fbf3138eccd360cae7e883e4de61e7e1b476dd7057875a36d4cbed8a294aed6030695b89ced758de13042de1a0d9833c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log.RYK

MD5
b005afdfc8272a2aca1af759663fb203

SHA1
d7026afda00bad7eebfd8b338d5c465bb7339655

SHA256
802d1ecb0008cdc30029178a512afdf799a08d25088e93ae26f453b0a4dd8a7d

SHA512
8a342be0369a86baa070022e1b9085429b5055ea811894919a2c1ffd11c5118faa58bd25e13bb34c4de95939793868eeaf05fe3f0dbb64cb06f98f7cbf5d5dfa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGI26D3.tmp.RYK

MD5
a54cdd54e307c08e6b7769aadf9d475e

SHA1
cc7bd9db91add912bac59e43e851a05e3d3f00c9

SHA256
ac4fb3826d8fc983977cb9c4c02e5f8b7cce1c96835c512c5aa3f2a727f3a04c

SHA512
0adeebfdc44c51b48ae16bbe08ed44375aeeeb76a975ce46d156472bf10a53f761a659c1deef00f1587d261b12f7286db51c5b25bf16a99367ce63fb7e872b3f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\WPDNSE\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_SetupUtility.txt

MD5
82bca816d23a860019f309509a61b678

SHA1
012b9bead8b6234851872445935c50b3541ce29b

SHA256
d42cb3e02039f708b2a923eb692d93445dfb0bb3dd287f70270e8c3aedba866e

SHA512
8d14a729d9a807a5a859ad2b8732e14893dd6311748657cf66bf5529451290ff46ebe002e4b3fe1224a88211e6c7726c80f440217e0455d4b9f15d7db939ca28

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI3096.txt

MD5
e0cae99e26b515104c0ad8b71cd87359

SHA1
6ed24919f713c9ff8893a56c1245f71852aead47

SHA256
6d90a561f41f90f6bcef2a46627b00209d40f6a29484681832d9c74e5a5ccd75

SHA512
0be35d93780ca215cc71bb0afa1af3d7dd8e498eeb666eed9fd9d95cfd8484376627652bca38517c970ced96c203471b0ebd7cbb7a4ab72a3a96c13f23c6bdfa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install_reg.log

MD5
6f3f5963d80f947523877bc8a4fc6d42

SHA1
4092330889ec37a5a57eafb196ba6bfb061bde59

SHA256
c1b4a22962599b977f58c344ba0468d23afdb7178fe97e247f918701b9ed9d36

SHA512
f5ad1980f20e3e56cc1b1477ad620c449ff1961313ccd7430bac21c66f639d7abfbecd633020cfe85a75502a42ebb4d761887fee3c99d01a1dcece6d6fe1f83c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log.RYK

MD5
9022cd56c914426f1e5002b23d6901f6

SHA1
a5dba6f4bf2ec25941ec0bd9824b617c3037fb91

SHA256
920c3d217597b2bae252c9f2f7fb62f9c8582402c8fcbc252c63973809ad99d6

SHA512
988e6f028720304fc9187cdf47a6091c69cf133e806728981d9c899dbfb967c2d7c8ea03aeadaea441f5188e570d886700753f939684922a72fd924aba9e4ca2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log.RYK

MD5
98c0b59b721657c92b4ea347ffe64179

SHA1
81c985fd9cdfca4e3ab27df00f4af2f2520b8748

SHA256
86d532b224737f32860f2a22ff92646768f81f8810986266accda8c020a36488

SHA512
0ab64ae937662833ec229c9f965a21ba6c468e26702c4c354ee2ef40246483a3b97403e655ed5f980f9637e1c40e0524bad300f77e246fcfc2562b2b82dd315c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini.RYK

MD5
505cfb11f72ab585f431e89906134b41

SHA1
b5f1c6a71112aa6a96aaf097534a385eedd37ba4

SHA256
fecbe891a0e60114d88cd8c4ba175f7d9312c6a37e096c2fd6aa4cd331bdbd18

SHA512
68a73c35470aef3c34fe2195473a5256e4e7ab4273add07bf0a1672da6563f9b016267c3000801d75ddfecc209c1b3e6988340abb1734712869d8895a04be316

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E9RC2MV6\desktop.ini

MD5
a53202d9694a4b06964d50a01987186c

SHA1
d601d99af10a872070a3aba2932cee05674b64d8

SHA256
545a7c643e9fb835d2b135534e771caee4be88bd48648eb3e7af5d1ae0cec3e7

SHA512
eef67f840c70018cceb6fe519c508c37f188d1cb3857a5efcf70dcc311bfd355cf2698e3c75d56293ac3b08ce49781614d4efd13a1e124d6d4493eac21c77867

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H18KNA1T\desktop.ini

MD5
84748f64b3c9ed266cf86822c88bcac4

SHA1
d84ebe407de4adcc360bd29ce46b1f13503c77c9

SHA256
3d0aefa452eb0079ac4784af6c8203d0cc8bc4f074655caaf60d4b271730a737

SHA512
e42d38acea7e98c96848f0973e93b58efe1d2a0af21e986f6b1203d1f8a43c032c407c0454c201bf7e69603f0799245af523edae83148baa5f8281467d7b31e4

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NU1L7O13\desktop.ini

MD5
d5695adea8c24ce04c67510252096d84

SHA1
86231afd991e01eadcac77842db2926f85d9ee46

SHA256
55c4db703009b03dd0440107b213a57c5ae63a33291b7e094455903b75e756ee

SHA512
0b772020538782cfba270c3764b658b4456641389d91595ec1da716c6a4237720f630da6d9862128360bf67834662790026cfa7ffa1bab832a83e83aab8febb6

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VNYR844D\desktop.ini

MD5
94ff87ec0db642639368752049378d99

SHA1
03bfef325afc2c8829ad917e98e0565d7df87b4a

SHA256
4e4f5a53faa3370775ccb80e166380ea05127b3db30f1378f308b779d2ac5f44

SHA512
2eb1e9ac9bc68742169a14f2150d3ca9e7f1dd82900e7c290ca40355ff29fca0f2024a47d8720361bfbe68548192eb442e6cee28a8d1b5bf65c7092c0954ad24

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini.RYK

MD5
40ac67cdda1622654dc4944fd59b1e18

SHA1
bcd21056bd21952d000ed74f1ab43fda59f2e724

SHA256
b6eae52a947aae748453d15ca8169758b9e484625203b9bd57bff1966f9bfba4

SHA512
677a2a15b4103c1200594fa6c9f8ff7fe288c891bb28dcbc0b08605f55d562fe8a4a32f6d0bd1abccaddb79992f5ba9015cd8bafffc9af541bea61b3dd8faccd

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK

MD5
d406b9f6b2e177670deedd22861ebfe2

SHA1
a734ad7d43a0cc62f432fe55f731cd2adf64879e

SHA256
305d34c5d62e3832ea6deb8675756af79ec5523b8d06c436f679ea3acf54121e

SHA512
8390b7dc2d4d19601fa1088fa98d8dc12ddb9eca05758157215da4048e009a06fe3fe01ef72df73dd338a43e977b6883be96b4b4edb328323116f81206173b56

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak.RYK

MD5
85b0e7f2338bd437b4e0a39f31848857

SHA1
d72868a69af4a3252b531f1d8cbf2368b491422f

SHA256
d2f5286f8b7be586a172913c5172fabaf37b9842494df26736a5f3912e35c0c9

SHA512
5da4bc91d541ffe4e8e7ebb8cbd071bc0ab2758034dd602d74f7d9ecce03a4191c7a0863665d613fd171a7dad5f2a640a74f7eb9c0fd639fd0895b8f3080bd68

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\User\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.chk.RYK

MD5
958103751c54c134cc5a82d52dc018fd

SHA1
394a3abb440bd0a4a838c95836db60b6f25b343e

SHA256
f58df6a412a3d874d23383a28db81c732942fdbec14b75ae758f581a03fd2abe

SHA512
9ae44665cde9ba2164a2a5e2a7d9d1844f38f8657c9feb185aa6ebbffd13675966df0653da3970a277b5907c4b46a3240eb1491b1ba6599df3d3a4ae29c903cb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb00001.log.RYK

MD5
a7925e4d4c8c763ffff870660232018b

SHA1
06c804988f363d9f779a380ee4f2cc54da7c5546

SHA256
a1682ebc0e30723726e2b5497b760676ffc938aeb9ed93514fb1b8ea9abb070f

SHA512
70ce43c13d4f2964315cb0483d2ea2426612ce5605a35cf1ca1118977badb4d110077b1f4fd24a6e18f4145b7d18f5d0b61c9002e4a9a1b380e535fe6859293b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00002.jrs.RYK

MD5
7f3e985688f7d3080598c4cedfa6ef0e

SHA1
bc121af442b13ba0253338023d9ee9c33423b599

SHA256
fa0ea1972e3b39d5722808985c71c0b2b0354ae3f6c86d8c311fdb3d1e2ac897

SHA512
0e5d6de931bcbb3d19b199ce2c750b715affac1f9d7f0270deb36c8a66d15c5393eb225ab8daa637ef79747d2730168484d8c204cb759150780d07f1d65f1fb0

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\PowerShell\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\Documents and Settings\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_14c10c19-3a0b-4ef0-8928-af871cb14c00

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.txt

MD5
27176150cae2419ac2884cd40d8d4739

SHA1
3e9ee61c84a26c9cead9bac797be7487635eeaea

SHA256
f6cbf790ef8d036535adc4628361166dbda8538f583505668fa614b79862cf67

SHA512
49143bf642d30314d73dff97104240d10113945eb1af11017bb03f2026c93f16ca0941f66600b3ee7f2716a6fea118d675cd15b985324ec3c1a80e996217e650

Download Submit
memory/1104-60-0x000000013FF20000-0x00000001402A2000-memory.dmp

Filesize
3.5MB

Download
memory/1212-62-0x0000000002A50000-0x0000000002A60000-memory.dmp

Filesize
64KB

Download
memory/431864-128-0x0000000000000000-mapping.dmp

Download
memory/431864-129-0x000007FEFB681000-0x000007FEFB683000-memory.dmp

Filesize
8KB

Download
memory/431864-130-0x0000000001C00000-0x0000000001C01000-memory.dmp

Filesize
4KB

Download