ryuk | 826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec

Analysis

max time kernel
188s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
20-02-2022 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
Size

206KB
MD5

c75b0beff52189aed827839bea3e5da4
SHA1

e9b20948b82eee88081cebe2d62408871dbe601a
SHA256

826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec
SHA512

4fe591ab12f1245f7f16efea215679321ff415b879cacfa373824e6f170d08ffcf650783f835fd219abe240b7fe0fd48d4f1dad0e4b730e7e72fb6433b6b8a9c

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Only we have exclusive decryption software, suitable for your situation. More than a year ago, world experts recognized the impossibility of such encryption deciphering by any means except the original decoder. No decryption software is available in the public. Antivirus companies, researchers, IT specialists, and any other persons cannot help you to decipher the data. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM � files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us a [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 5052 created 2740 5052 WerFault.exe DllHost.exe
PID 4812 created 2916 4812 WerFault.exe StartMenuExperienceHost.exe

description	pid	process	target process
PID 5052 created 2740	5052	WerFault.exe	DllHost.exe
PID 4812 created 2916	4812	WerFault.exe	StartMenuExperienceHost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

sihost.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\Admin\3D Objects\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	sihost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4960 2740 WerFault.exe DllHost.exe
5700 2740 WerFault.exe DllHost.exe
5712 2916 WerFault.exe StartMenuExperienceHost.exe
Runs net.exe

pid	pid_target	process	target process
4960	2740	WerFault.exe	DllHost.exe
5700	2740	WerFault.exe	DllHost.exe
5712	2916	WerFault.exe	StartMenuExperienceHost.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exesihost.exeWerFault.exeWerFault.exe

pid	process
1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
2224	sihost.exe
2224	sihost.exe
1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
2224	sihost.exe
2224	sihost.exe
1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
5712	WerFault.exe
5712	WerFault.exe
4960	WerFault.exe
4960	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exesihost.exeStartMenuExperienceHost.exe

description	pid	process
Token: SeDebugPrivilege	1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
Token: SeBackupPrivilege	2224	sihost.exe
Token: SeBackupPrivilege	2916	StartMenuExperienceHost.exe
Token: SeBackupPrivilege	1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

RuntimeBroker.exe

pid process

2980 RuntimeBroker.exe

pid	process
2980	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exeDllHost.exesihost.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exeWerFault.exenet.exenet.exeWerFault.exenet.exenet.exe

description	pid	process	target process
PID 1984 wrote to memory of 2224	1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	sihost.exe
PID 1984 wrote to memory of 2244	1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	svchost.exe
PID 1984 wrote to memory of 2296	1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	taskhostw.exe
PID 1984 wrote to memory of 2536	1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	svchost.exe
PID 1984 wrote to memory of 2740	1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	DllHost.exe
PID 1984 wrote to memory of 2916	1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	StartMenuExperienceHost.exe
PID 1984 wrote to memory of 2980	1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	RuntimeBroker.exe
PID 1984 wrote to memory of 3068	1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	SearchApp.exe
PID 1984 wrote to memory of 2772	1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	RuntimeBroker.exe
PID 1984 wrote to memory of 3496	1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	RuntimeBroker.exe
PID 1984 wrote to memory of 2924	1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	RuntimeBroker.exe
PID 1984 wrote to memory of 2168	1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	backgroundTaskHost.exe
PID 2740 wrote to memory of 4960	2740	DllHost.exe	WerFault.exe
PID 2740 wrote to memory of 4960	2740	DllHost.exe	WerFault.exe
PID 1984 wrote to memory of 4980	1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 1984 wrote to memory of 4980	1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 2224 wrote to memory of 4992	2224	sihost.exe	net.exe
PID 2224 wrote to memory of 4992	2224	sihost.exe	net.exe
PID 1984 wrote to memory of 544	1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 1984 wrote to memory of 544	1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 2224 wrote to memory of 2992	2224	sihost.exe	net.exe
PID 2224 wrote to memory of 2992	2224	sihost.exe	net.exe
PID 2224 wrote to memory of 4928	2224	sihost.exe	net.exe
PID 2224 wrote to memory of 4928	2224	sihost.exe	net.exe
PID 1984 wrote to memory of 2424	1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 1984 wrote to memory of 2424	1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 1984 wrote to memory of 5192	1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 4992 wrote to memory of 5216	4992	net.exe	net1.exe
PID 4992 wrote to memory of 5216	4992	net.exe	net1.exe
PID 2992 wrote to memory of 5232	2992	net.exe	net1.exe
PID 2992 wrote to memory of 5232	2992	net.exe	net1.exe
PID 1984 wrote to memory of 5192	1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 4928 wrote to memory of 5224	4928	net.exe	net1.exe
PID 4928 wrote to memory of 5224	4928	net.exe	net1.exe
PID 1984 wrote to memory of 5260	1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 1984 wrote to memory of 5260	1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 1984 wrote to memory of 5296	1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 1984 wrote to memory of 5296	1984	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 4980 wrote to memory of 5424	4980	net.exe	net1.exe
PID 4980 wrote to memory of 5424	4980	net.exe	net1.exe
PID 544 wrote to memory of 5396	544	net.exe	net1.exe
PID 544 wrote to memory of 5396	544	net.exe	net1.exe
PID 2424 wrote to memory of 5432	2424	net.exe	net1.exe
PID 2424 wrote to memory of 5432	2424	net.exe	net1.exe
PID 5192 wrote to memory of 5484	5192	net.exe	net1.exe
PID 5192 wrote to memory of 5484	5192	net.exe	net1.exe
PID 5052 wrote to memory of 2740	5052	WerFault.exe	DllHost.exe
PID 5052 wrote to memory of 2740	5052	WerFault.exe	DllHost.exe
PID 5296 wrote to memory of 5520	5296	net.exe	net1.exe
PID 5296 wrote to memory of 5520	5296	net.exe	net1.exe
PID 5260 wrote to memory of 5528	5260	net.exe	net1.exe
PID 5260 wrote to memory of 5528	5260	net.exe	net1.exe
PID 4812 wrote to memory of 2916	4812	WerFault.exe	StartMenuExperienceHost.exe
PID 4812 wrote to memory of 2916	4812	WerFault.exe	StartMenuExperienceHost.exe
PID 2224 wrote to memory of 840	2224	sihost.exe	net.exe
PID 2224 wrote to memory of 840	2224	sihost.exe	net.exe
PID 840 wrote to memory of 5180	840	net.exe	net1.exe
PID 840 wrote to memory of 5180	840	net.exe	net1.exe
PID 2224 wrote to memory of 4828	2224	sihost.exe	net.exe
PID 2224 wrote to memory of 4828	2224	sihost.exe	net.exe
PID 4828 wrote to memory of 3784	4828	net.exe	net1.exe
PID 4828 wrote to memory of 3784	4828	net.exe	net1.exe
PID 2224 wrote to memory of 5708	2224	sihost.exe	net.exe
PID 2224 wrote to memory of 5708	2224	sihost.exe	net.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:2980

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:2168

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2924

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3496

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2772

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3068

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2916 -s 2232
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:5712

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2740 -s 956
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:4960

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2740 -s 956
2⤵
- Program crash
PID:5700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2536

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2244

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:5216

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5232

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5224

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:5180

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3784

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:5708

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:452

C:\Users\Admin\AppData\Local\Temp\826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
"C:\Users\Admin\AppData\Local\Temp\826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:5424

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:5396

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5432

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5192

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5484

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5260

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5528

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5296

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5520

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
PID:2504

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:5596

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
PID:5600

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:2752

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:2192

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5172

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:5720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5344

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:2836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1936

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:3360

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1528

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 2740 -ip 2740
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 2916 -ip 2916
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK
MD5
3f3517a357ffde86c498407a35d50099

SHA1
08a7bfc7bd25ca41c0ce8e50c56eaec6df2b5c41

SHA256
2c61b19d36a31dfb9998bd3fbfdeccc9cf6b796025b2c4cce7f0c72b8f81ca69

SHA512
7b275a3f5225401e146a24ddd6c7bddc6b0527aa21087f33be7893e6305673ccf41a7c6f474f13ad22bf8feb68b2dbdb4fac373980cef79029d5880c20b19053

Download Submit
C:\Documents and Settings\Admin\.oracle_jre_usage\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\3D Objects\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\3D Objects\desktop.ini.RYK
MD5
94cccd92f0169bbde5de1e39cae7c842

SHA1
eb5fa59f1b533b36161db74fd0a776619d2361b0

SHA256
d5fee40ccc72f3bf5a5ef4c919488c838fcd192a0fd9c44decabd5938fbcec20

SHA512
6d1273e356f31cb765b3ef9254b0b3020bbc6690887d52ea99338690a068710598beffe5550760df7927c3520066fb0a4270945cc3a2aaea2e5b826f7fa56010

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK
MD5
0147032e3dd3b9455b0a93d8465b64c6

SHA1
c847455f7076e1544da1292cb23e0eb4fd923727

SHA256
a6b8c62baac925929905b89dde61314f88ef0c68999e1ead30c6cdf273b1c4a4

SHA512
e55a904d44e6f0755eaef6d924f35150431d643022b3da3aa6c2375f6dbdc9fe7c57a280ed052eb82c2c1c602334f7e265330d87faa65e516cdb42d70a69a3da

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK
MD5
8f3aeee68f22a443555dd637fa86dbb6

SHA1
d94ac14649e7e8cd82a2c74f931db403d8376c54

SHA256
44449e1941dd096a53790dcb77420e9582b539270e6caf79e5d1adef0f0f5ab6

SHA512
1b31c4434bbae7c3493b3bcf1e638f223e606684b30059b1568ecf003188f6b4df955dd107ef41a9caa30349464b65ad6ea0c8502c80fc309e1e52019428910a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK
MD5
1ecebd7654e49633403c240c56af0897

SHA1
20abf7540316ed5142e73b87c7da0e209968c402

SHA256
5bf8b2a17a63866690f52fdd2b6bbd78d4f7335c5e44e8a9ca4a12feaa97330c

SHA512
87b656b1138a5dcdb4bb2d3e4f959543fb3f7a1ef59d4bad9fab7cd2c6e221f0af86cfc9036af57ee7570135ffd33b6104330b44d377052831a2db7e03dbe3d0

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
MD5
5188bae5e2a45e1ccd7619eff7ee2704

SHA1
fd15b1f728ca97d81ada5795467fdafd121ff4cc

SHA256
c32f85d974985e537b6519f826b63e3fd3995aaedf92a67d053793707152ef79

SHA512
c0c81a2c1ef7f5b2b809c95fe0e4847181153d4c719099b3ed6f12ec0d1c05492097d72e6ec7aad30481a5d246d20a097a0520b5aaf28c108247dc88aef61bf3

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
MD5
5e9966fbe1554faa2ebae56ddc83ea4d

SHA1
d021d44b282e5a31644796db5c8c4ec552777d06

SHA256
abb49d3f89c9c9ddab4ec9cae1bcbe272a764cd1d61e874b8b91af5eafd12b59

SHA512
4e7122ac2487035ed0a4322c8648efab9856c80c0c61525ee0b6386f9345a38e19da5658c802e1de43f8546ca025ba9284a21a82c8adbd10cc06148cca83ae12

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jcp
MD5
8fb742b44bba9e543fb90b2dafc47a2e

SHA1
4b48f6bc6ef96d7b760f3e3d04f9d60dda9ec88d

SHA256
c31777ea19deae32dad51bb24a8f847bef7434e39fc3760712938c0d35b82715

SHA512
6245dea88d88e6bee14d3e0e0f8078cc4b3182f38947aef1eeb613ef3d098ad52dce371a0090e70ac9efb8baaeff86e4c0535a46f14321ab8610a4b6d0a471f5

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx
MD5
1f6d355bb2b3b2c705327d0199389939

SHA1
2ec60b1bade250071c70db6521d44eabeaa00eda

SHA256
88834b4be23d8bb9ae26d159aa1b049fe1e5f1eb73c49e9890ec3989732cae83

SHA512
722e44ddff95c9837b82ac4f6a985fdfbcbc5f96817b025f01c646c90908dacd954cc93baaf6a03cf3b1b6fc99c1f3f7afc2495bf5bb4b5dc481b8dc921288e3

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx
MD5
1f6d355bb2b3b2c705327d0199389939

SHA1
2ec60b1bade250071c70db6521d44eabeaa00eda

SHA256
88834b4be23d8bb9ae26d159aa1b049fe1e5f1eb73c49e9890ec3989732cae83

SHA512
722e44ddff95c9837b82ac4f6a985fdfbcbc5f96817b025f01c646c90908dacd954cc93baaf6a03cf3b1b6fc99c1f3f7afc2495bf5bb4b5dc481b8dc921288e3

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm
MD5
f675beaa19801ecb68bf051318b5f7fa

SHA1
16cd411269a81ec26afee928663a4a127812682b

SHA256
50d93a2aa98f2d22aff2acb45d35ad8888e9b4e73b25d580592cbb007827087e

SHA512
78a7b12c5ce8d7e55f037dfff8e78f2b5c2bce373088f9789fd85805f22374a7d48edae8a5c35e532a266b6e99bbdefa585179d1df1bf09a777175aef4ecff6d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol
MD5
107e0cf59402e4c4831f5ca6f8ef79e0

SHA1
5bc2eee34589024d5418539e2fcbb9867ed1ca89

SHA256
e017f373ba1fb4b06ea093911e310c9544ba7b5df2968f2562471a64e80e8462

SHA512
58e97bb717c742f283302816686f373194d9cd9f47cb1afb602351850ac5fea977c769bb31b1e2fd754896991c200632d5743b343620adb1cc7c6785fe31720d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK
MD5
c5394156f64e264c6ad117b9c8059fa1

SHA1
b12f91b3d1d422617a7e884c22ffcb368d148313

SHA256
7a5774168433ed9723d36e044afbd5f4a5abe2409df4372a2d0b1b05ca0f2ba8

SHA512
91ab7fcd12c25dfcf979a21f043e75bd896600e543b4abd6ef0be971acd646e40613c821dcc55ffa1ad18469be33d4df80f27be2b0e0b57f2048230e52fcf658

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db.RYK
MD5
c82a56123569048923076dde033bbcc0

SHA1
647753a559c245f9e7eee4228cd7d534fa72b3ff

SHA256
bf309736c8c63bd6523d319eb0d18e29b313f6687d62fa7e364b5686c908d4b2

SHA512
97b1df13bec289255d690e9cb5b86cf931e0abaacd773f69e5afb0c61f593d2ee714321ed0421ab4f04c5684cf225f6d9153cf27cd203cd08a6d144e70c154ac

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log
MD5
538079581aefa784ffa34021c1b0ef2f

SHA1
780372da8194c6dfc3f48b670eb4749751d5cbb5

SHA256
c13e85cfd3018a9c06ae58e2e867aff55ca5ae91ffcfa2349733b328f72a4b8b

SHA512
92eb16a334f6bb1526e148d6e89fa7f48fd1fd9960816da8b9d1f39650dbedff2a6a71f495c6820c389f6b42bafe2788c88fdf75c79894a00a344eaf56db16f2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\aria-debug-2324.log
MD5
5852af7c5bc41108ed8b6534bda7e4d9

SHA1
b140e56400dd6912455a0a6318e9266485fdf55f

SHA256
cd84d1075db719aea984703cf537ab696363650d073ed9e21b38113ba99c5ec0

SHA512
7af481bdf0396ee85ae07f861f2d0c89ee653b293219cb0b2c9a01fed9bea4c392fab894bdd1a39fbac5ad307bc279489e26cf8c65351cf20a906cd6f7c41d67

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
MD5
8f1a51ea79c00599e4f6c5bf48219521

SHA1
62c972c2d87f8fc0a7b79c59df68793d0f63b059

SHA256
deb114d7fc088f0e267171d4a5b8525c1da2947a5d21294ee84ef8b0af2de0a8

SHA512
e0a39498a1306a873630a7b6c4d26ad3f26524012480ab3932aaedefba216aaeae2d3d82afe4d6f19ac9eeb38cdc69bfc3f3984ac77895d44a94ade70fa3c15f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46A8.txt
MD5
59e83590df32ceccde4b341211d1698e

SHA1
f8295b33993dfd8402cbcde72d163b75334082b2

SHA256
beaeea45a839ab0c0b6f19bcfe45e930fc405e4eb481aad849078e0d6ea2226e

SHA512
0a05a9145ce5cf462c35ee44624fd1124904b9874a3e19aa181f62851ac53c31bf13551504c6a66f856d9eb73d5b174be0987904338e8aa0b401d61c62aa57fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46E0.txt
MD5
3ab179521f87a702ad92481945bfe1ba

SHA1
aa5b517d0bddafb1d4994e6c094cac25e8c658db

SHA256
0e7fdd9a788533c3c9d944da46b848675d9b6776e7b4d9dffab66a2f53c35e60

SHA512
4ec813e970fb16c5e5268c42e06b0b11fded39c8b853e4d7b8f6297173b521623c38c0ac4df2d6667075315fadd043fa9ab56b10680cde5f9fb108b13c5bb80c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log
MD5
0c00843540eda78e3d7102870606a71f

SHA1
98baceb03bd459786430a13e7f563071e63bdebd

SHA256
38bec57933a73ad63761958072a8c31d90a1c3abb566ad0fcf32c945f44bbfc6

SHA512
e52bcfca5d710548e5b97a26b7317bf1582bf0f0fde915f99a497d22c49e7dae621936e208c0688fab74f95e6018e2bc58ad8db7d0bd1bedc7812fbbab5de0ef

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\msedge_installer.log
MD5
d1f5945eca4ca2a156ec92a72273b116

SHA1
719a657080a93b849acf0154b97963f0722cc409

SHA256
9a899d7a8fc8ff258b0dd51e75d8390df72b2cff6f8256039c86784117751ab9

SHA512
26d08d8de5750a1e114ddb8b4fd53dfc7390fee02981c6697c2739db92e053c83133c27746c67eeafdbb5dbbc8dd3ebff41bc16e0fea1deeb214f204070f8655

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\offline
MD5
6ef410cc9ebb63f76eb242183c7a27c0

SHA1
10e74582af99be34d3ce817cff474d9543ada1c7

SHA256
e3717bbba6a0fc3d54ed3b416ebcbce0daad5becb1bf50d908e6e6d1dd50fe86

SHA512
7bcf466560d48dca904a041cff16addfe21827756c966bc0e2f62d45b6b3ae04586129db064e21ed8f5485c82378f64ddc93d1e6bf9296e311fa2f3c4501e0ee

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\offline.session64
MD5
c3f4dfca836b2165838aecc45f6b9525

SHA1
55d78b960c87cd701b5e82eb28805da75225b612

SHA256
c3fd2be60d2b0cc82f3a355f2a04ee59c50c59aa8457272c5cdedf4b57acc967

SHA512
d879955524591aeb16946f9b58d0eb84561a9df539e627bcee0227355cf2fdc0e60a3706f56ba4ec8af36595124920c3faa9efc94a6f422d7fbbf9624baa40ff

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tmp3097.tmp
MD5
7cc4fc6f4b904f3271625b9d825761b9

SHA1
f3358e6fef0596757aa2b80a424d8a677aa23370

SHA256
e538a807cc1a6bdabe3efc401ea18aaf3a7459ff6e3902adf9ffec2253ba60d0

SHA512
c049aa89aa063e6b04f0ba7ba05e4d58fb7891fe30653e69730bad06f330755b4098ec6fdb3525271d1624a4d9f4923ae8a45b2003db081d434e493f9e30ce3e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tmp3384.tmp
MD5
d07cbd813ed53e94169f648524026432

SHA1
8c0b7cda5b156dd4bd7b373ba35f214fb9001e80

SHA256
8e2f372b04242d2e980e5bacfb89e1685189ff728d6d3618ac95046ba51bbda3

SHA512
de9d98398e73bead7ddcd2ff803d899e91859e2baa36c40cc5686b1fb2a31659f7d5b8b8f964287d6478f5beeba78bfae04abf847805ab8fa0169043599dc666

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct2BC9.tmp
MD5
9745e066c680a8f9f17ee33e869e336f

SHA1
8261e0ca7d7b2aaa57c0da13d6321ac7750b1901

SHA256
f567ae97e31b43cdcad9829c5127275fc8c4a16b4cd7cf872ee0cbaa04906308

SHA512
63f244a7f274b44443142dd7f65dbe65cb90616b25f273f7792aeebf4d69ec920f559de04486cf112795d6e64a8c431987ee51914500a589194cf79e3512017a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct2D5A.tmp
MD5
2912d123566710369457377704eafd25

SHA1
e77cad1e47f1c3c4e10946e2b1996028185aa1ad

SHA256
3f0058f4ef55b7599974e7460b87adff6adf077566bf60df2cac56ee5acc28e9

SHA512
5e25fec254428ac1afbf242be666c0d6c7ea5ad50d00ef27a50e9b33a45e27a62023795f11fedf8a5af140047a3a3237577a381055936754340eeeee14c871bf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\temp\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\History.IE5\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\UsageLogs\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\af-ZA\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
memory/2224-130-0x00007FF6E2C40000-0x00007FF6E2FD7000-memory.dmp

Filesize
3.6MB

Download
memory/2244-131-0x00007FF6E2C40000-0x00007FF6E2FD7000-memory.dmp

Filesize
3.6MB

Download