ryuk | 75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1

Analysis

max time kernel
173s
max time network
46s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
Size

209KB
MD5

4d409f1fc90b86f5893a8ad63d0d4b84
SHA1

4c7a52b0def17ab668c2bc0dbfa43d56360d0786
SHA256

75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1
SHA512

fdfc68a0d4cc76b38ddede9c2b3fd55719554aff48e73ff3c4e4d0a35ac6b0436501a8e3e9e72385e72a61dcb3fa3f0dc4c4a22824ff06e7859a169ab7fc7b82

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Only we have exclusive decryption software, suitable for your situation. More than a year ago, world experts recognized the impossibility of such encryption deciphering by any means except the original decoder. No decryption software is available in the public. Antivirus companies, researchers, IT specialists, and any other persons cannot help you to decipher the data. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM � files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us a [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops desktop.ini file(s) 64 IoCs

Processes:

75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exetaskhost.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\Admin\Saved Games\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Startup\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\Sample Pictures\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Searches\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Games\Desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\Sample Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Music\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\Admin\Recent\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\Admin\Desktop\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Maintenance\Desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Startup\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Desktop.ini	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exetaskhost.exe

pid	process
1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
1228	taskhost.exe
1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
1228	taskhost.exe
1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
1228	taskhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exetaskhost.exe

description	pid	process
Token: SeDebugPrivilege	1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
Token: SeBackupPrivilege	1228	taskhost.exe
Token: SeBackupPrivilege	1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exenet.exenet.exenet.exetaskhost.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1940 wrote to memory of 1228	1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe	taskhost.exe
PID 1940 wrote to memory of 1344	1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe	Dwm.exe
PID 1940 wrote to memory of 1056	1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe	net.exe
PID 1940 wrote to memory of 1056	1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe	net.exe
PID 1940 wrote to memory of 1056	1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe	net.exe
PID 1940 wrote to memory of 1208	1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe	net.exe
PID 1940 wrote to memory of 1208	1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe	net.exe
PID 1940 wrote to memory of 1208	1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe	net.exe
PID 1056 wrote to memory of 636	1056	net.exe	net1.exe
PID 1056 wrote to memory of 636	1056	net.exe	net1.exe
PID 1056 wrote to memory of 636	1056	net.exe	net1.exe
PID 1208 wrote to memory of 440	1208	net.exe	net1.exe
PID 1208 wrote to memory of 440	1208	net.exe	net1.exe
PID 1208 wrote to memory of 440	1208	net.exe	net1.exe
PID 1940 wrote to memory of 2008	1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe	net.exe
PID 1940 wrote to memory of 2008	1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe	net.exe
PID 1940 wrote to memory of 2008	1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe	net.exe
PID 2008 wrote to memory of 916	2008	net.exe	net1.exe
PID 2008 wrote to memory of 916	2008	net.exe	net1.exe
PID 2008 wrote to memory of 916	2008	net.exe	net1.exe
PID 1940 wrote to memory of 1508	1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe	net.exe
PID 1940 wrote to memory of 1508	1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe	net.exe
PID 1940 wrote to memory of 1508	1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe	net.exe
PID 1228 wrote to memory of 2428	1228	taskhost.exe	net.exe
PID 1228 wrote to memory of 2428	1228	taskhost.exe	net.exe
PID 1228 wrote to memory of 2428	1228	taskhost.exe	net.exe
PID 2428 wrote to memory of 2484	2428	net.exe	net1.exe
PID 2428 wrote to memory of 2484	2428	net.exe	net1.exe
PID 2428 wrote to memory of 2484	2428	net.exe	net1.exe
PID 1940 wrote to memory of 2664	1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe	net.exe
PID 1940 wrote to memory of 2664	1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe	net.exe
PID 1940 wrote to memory of 2664	1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe	net.exe
PID 1508 wrote to memory of 2704	1508	net.exe	net1.exe
PID 1508 wrote to memory of 2704	1508	net.exe	net1.exe
PID 1508 wrote to memory of 2704	1508	net.exe	net1.exe
PID 1228 wrote to memory of 2720	1228	taskhost.exe	net.exe
PID 1228 wrote to memory of 2720	1228	taskhost.exe	net.exe
PID 1228 wrote to memory of 2720	1228	taskhost.exe	net.exe
PID 2720 wrote to memory of 2748	2720	net.exe	net1.exe
PID 2720 wrote to memory of 2748	2720	net.exe	net1.exe
PID 2720 wrote to memory of 2748	2720	net.exe	net1.exe
PID 2664 wrote to memory of 2764	2664	net.exe	net1.exe
PID 2664 wrote to memory of 2764	2664	net.exe	net1.exe
PID 2664 wrote to memory of 2764	2664	net.exe	net1.exe
PID 1940 wrote to memory of 18784	1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe	net.exe
PID 1940 wrote to memory of 18784	1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe	net.exe
PID 1940 wrote to memory of 18784	1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe	net.exe
PID 18784 wrote to memory of 18808	18784	net.exe	net1.exe
PID 18784 wrote to memory of 18808	18784	net.exe	net1.exe
PID 18784 wrote to memory of 18808	18784	net.exe	net1.exe
PID 1940 wrote to memory of 18844	1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe	net.exe
PID 1940 wrote to memory of 18844	1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe	net.exe
PID 1940 wrote to memory of 18844	1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe	net.exe
PID 1228 wrote to memory of 18864	1228	taskhost.exe	net.exe
PID 1228 wrote to memory of 18864	1228	taskhost.exe	net.exe
PID 1228 wrote to memory of 18864	1228	taskhost.exe	net.exe
PID 18844 wrote to memory of 18896	18844	net.exe	net1.exe
PID 18844 wrote to memory of 18896	18844	net.exe	net1.exe
PID 18844 wrote to memory of 18896	18844	net.exe	net1.exe
PID 18864 wrote to memory of 18904	18864	net.exe	net1.exe
PID 18864 wrote to memory of 18904	18864	net.exe	net1.exe
PID 18864 wrote to memory of 18904	18864	net.exe	net1.exe
PID 1940 wrote to memory of 26248	1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe	net.exe
PID 1940 wrote to memory of 26248	1940	75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe	net.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2484
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2748
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:18864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:18904
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:33732
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:33772

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
"C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "spooler" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "spooler" /y
    3⤵
    PID:636
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:440
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:916
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2704
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2764
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:18784
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:18808
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:18844
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:18896
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:26248
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:26272
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:33724
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:33780

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Adobe\Color\ACECache10.lst

MD5
34c2c8cb2fd81cbc4f4ec901796ffc52

SHA1
15e435b3bc9c5e143f1bd2ce7ab535af7fb33083

SHA256
1f5e524625871e3a4326dcecd82dd2dce332544c09e8e4e3f22096f1ac981d72

SHA512
e3cf85d77891080f6b1066e1520b277838af28a0d7c5f8f17a84860162d222cd182a98ff25b7b66c43673a8b9fab646b7412e07295a2d857a1b59c6fc93d3f7f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Adobe\Color\Profiles\wscRGB.icc.RYK

MD5
307f944e977315f882ede63f9e4d6ad5

SHA1
ffcffb2bbbb876295f43b17539c088b7d7735f37

SHA256
20b5b4b1dda4603e1a3664bb59bc07a0eeeaa6c6c39c66905a40dbcde692ebf5

SHA512
c7034b532af4e0a5dd35216e2abc7305a8bc92d286042a945b79e718fa23262726c0a199221f3481f09a37ceec0d104aad263c85c60d22f3ef5c2657022863a9

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wsRGB.icc

MD5
d457fcf4ca5221b94db1130e1bcc5fcb

SHA1
809d4493fac32fc764dc87ba6d12309be8728290

SHA256
088142b4ac3490b6ea0303a8a40884d62787eb089ca29c423afabf5c5e9bf33c

SHA512
ff1f1cdc4d5a99e4ded854696c7c9a10322b24e88967e5a30b9525fc6d3e3a35c79ac81dc382a426f9ae122b87a96f4e9f2ca127b8eacdae6354180baad015ed

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK

MD5
3b9fa5a6cfbda804238b54ce3dcdd1f2

SHA1
725bc4d9451977ae9f17f81a54cd44b9824a94dd

SHA256
39f9e4dd887a5411453281967b6ab3681bdb72b55ccdc3d275ec2120472b4858

SHA512
a595b7bf7a78b8dea65e8c4272041d7df550ecab874badacf2da61ea5d73dc6b75511e8a7ade4e4e7e5895a73ab0698867becf2a7cae3ed1be9a43bb5cfb72a2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00000.log

MD5
acac44ee6f5e016fdc286d22a42559d7

SHA1
4d8fe9d1a1e7a089879b09e90515725905704e36

SHA256
8696c7806945a95059ae4709531f64e59792dd1d815f04f07013f67993727f0e

SHA512
880e10d328fd800809bdf1e6f722fea0770e62103a9ffdc2e9777db792d3ed665a4a94d14209245d2ec13a53649df29bc4b500219696d5bbcec688d613506493

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00001.log

MD5
d1d8e9458832ffb62cf4ddaf8ef481c8

SHA1
98823524d728b4859fad3d95d060030faa31f38e

SHA256
465f405fc7a27a01f467303109d903b5a007b8283a5efb903f8c243816e0f283

SHA512
d568c5f899a8d51d985550fab205f9742676ab85e0b0bf5b77aa38df7999c1ff464182fe267cefdbf431d3acf2bb395ba872083d6c6b3406657200260a2299cd

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Admin.bmp.RYK

MD5
49d5ed46abc4a73c03ccd88557afbd78

SHA1
6125d2ae7559f37f59b9273fe2e48c4391bf86e6

SHA256
7f12bc6ec44f693084ea889bc471be4a76e7ea4c1c2c3d99967812d77e17efca

SHA512
b27eb79b5cfcd5a3fc7cae3ef021fd6a5cf7da288ceec12b29f5addae5baac5f4f02c7353c1bdc472b38a1d698d77ee9d60726534f86319a2a34e3c873ae511f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log.RYK

MD5
3649d37a94248538fa7441d1664ad23a

SHA1
a7dbdccf38d3df282ce520871446b5f4694594de

SHA256
c4c4fb1109e2915f67e72b9225b1b6133b2b3ef915b0b052507951e615d3474c

SHA512
5b5de9dbedc5747f5c7a3b3ca65666a1ca7e3c7c2b27fd06f3a1850564af4f891b05805e7dceb7135d5781a5b1ea6fe8750cff33e5bc85546ce6198bab00852c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGID605.tmp-tmp.RYK

MD5
34e8ce4f9348cd38a05b31a4e3e8df5d

SHA1
df4c06b9ff60b3ac9ace04e8fb16ea6a46884e9b

SHA256
53885d10a5f97854cc25f58563143617cba390e8c0c48263c72bb18adaa01ecd

SHA512
5311aba9d5416992ea33cd70d4f620e5588a15e07b6acdc61a656b23dd2fef3f72e27b0eb4d8d2d90f9f79d3eab269002c98d9662ae6e03884e500b4bac7440b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGID605.tmp.RYK

MD5
6f61ea1c282a3336ecf45577ca3dc9be

SHA1
e8feb844f5f35b43ba3a0fc090fd4b080c542f05

SHA256
7a119c6519d68683f15ae124b77c626968909ec4386e12345ec7b06fcff57902

SHA512
a77a90bef914c73599b8645a6fb89d51f1deba5ef177e099539519e6d9caa0d489759446a6b91775236e1a6ea2f1a06bacaf74066dcbec7ecd526e5a24f78de4

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\WPDNSE\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log

MD5
4c8a03f38c6a27c62e0e9b346e9faa59

SHA1
7b7156caa8db6c7b7b2f044dd616257e67902470

SHA256
61b3526174548cb523c390b49a0b1de13d8a7de3f72b3bded44f5dceed7d93d8

SHA512
79ef06282c737dc06e873979dc6756db5c8aa990887fc3e52c1c6c481272132f966aa04f034cfe82ea547f3a564dca76c664bc9dd69ceb507db1e594a4ea9d8a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_SetupUtility.txt

MD5
07b1bf6efc6bfb7dada9bfb9168b4560

SHA1
28cbda1d4e9e144958c399de11b3152a1c7d0691

SHA256
967956913de09c71c6529c09d59fc861e7cd7220fd57af8e81034c61433fa5f2

SHA512
d85a39cf0a7a11acde5520639202ffe34e9cfd07de334625265f87a0bc73ec56916e7b0850c81cb4de77e620b2878d7e16a8a72c0b672f4ac5988e1d5d5c427d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI37AD.txt

MD5
4a1763a38b43dec55711bb2be626039a

SHA1
0d3a0163b63c7f13dd49f11cde5a3574512c41ac

SHA256
57069b429b71c22f212448de64841e8d49590b6fa1c0128c024801c8be373aa7

SHA512
d733ba3017317dba6f43803172a09c01a11d126b8552772d64290a3e35023c3c0d72fd43a22dacd2ffdf52a727449f1630832ad2ba919b16e457bc1f18532942

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install.log.RYK

MD5
fc56b52b2431499279be0889505813c3

SHA1
652c1fb916f4fae221603d336918f787a98a4b75

SHA256
22b1f6dc3baa2909b5f27c2bed0b346b7240e4dc48e93ab8ffcdb0966bd85568

SHA512
396ef023dcd9f1778b6cc7c964b74086db132242034ef30c3ce30010b3a8bcb9fc5dc80b4108f8c4fea8b671f021aa600a23806d9ceff260dc5d1f90a6136f90

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install_reg.log

MD5
0702b1d6d01dc892f622e266f2444464

SHA1
906ebc163933f1a1f65ad2f6b8d9d1cfb105fa1d

SHA256
aa415e4141773dae4119fe8e2aade88086eaf8e12a813e220c623de62ada84d3

SHA512
5caef1158c6983630648feb5ca94be5998eb7a1ef42d573b2fcca6e4c92a57923ee75a21f2f45491ed095cfa3cf91b8eddcb7a65824ae38c639e668d77ad4bb0

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log.RYK

MD5
57c09db15c594ffb6e16e88982cbe0af

SHA1
b718067412335b1b7a7fbe200b8f04829349e744

SHA256
bfab07e67f7a70e3e208d3776fc59d3f532d36d7f24a215fe86b45cc1a964ef1

SHA512
8d2ef31068ed4be5a8f8b389251f5c7fa68af41f9dad4b1d7022d37de7e9b4b6abb6baec6dfcad4db6f538895d01b04df1cfff306e2d1bb809d840449593163f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log.RYK

MD5
586581874f29ff151f56f14da77a58f5

SHA1
f86400798da5ae6859a2382cb5397a96df005e53

SHA256
7c570696cccbeb3bd111183af3f5021b38e251be12f88b29053c3c3f281a3f63

SHA512
765a893ce2f6bcdbc990b2da031d20c6d981fcbe18cfff266c813d0653c1b85bada21cb155e01514628f7050453216a83615c9f8c6fcc0ade0939508987c9967

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini.RYK

MD5
2566e7565862a99a7bd1c672988c5d2e

SHA1
d5483c5b8c6195531c657b3cd3006c7d2fa1b856

SHA256
021fc87dcb9fbe143511cf4729b4372a8cc532ad374cd4f60042208a44723cb5

SHA512
061aca92fa00beb62c806cf9001a7009c70c414139f2dac67a2e36d137f2f45d635452e7e48a026b9ca2d6e1d8f65e6c50d102bd47a591d488ad7c2d6d5eb81f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini

MD5
d20de5d52708b76b9cd389f25c07ace6

SHA1
7833d5b56c9fb377623f6ac67134386f18f2a052

SHA256
6bab7500bc86242e5492ec45206ccb9704df279180c8e414b13c51eabc2a6728

SHA512
d3ad1138e2a7643c2f03d1729ebdfe039a97fd38aa2df8e51ad6e2cf62d61fe21bc40e37baf03d8d73d3a8ffa6b336c23ef479b74024faa97da564513b02ca59

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini

MD5
f3dd8c50f531ae58c8791e10958f23e3

SHA1
16bc9912d39284d7f7ff2a819830b2ca021cd2d6

SHA256
af3551b1f38e38dc431a6e7b6d839214c22664793e9013c52e8072f8b6eb98bb

SHA512
a76ef2a35a6bd97fc47ce52790a535b3457c867ff7d968136442c73a4aaaa206d4c60814c5555802d34f43deb81f5eff58fd8d04edc20138dd0f2a29405f04de

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini

MD5
1c0cc40ed75a19a99926c32eba7a58b1

SHA1
3a1bd0d1ffc7456fb527e759cd0235525d440a20

SHA256
ab3bcc3e2f4569912a33b1b9f12230671b0724503a1e4d73375a27f714e5a826

SHA512
52f910a0ce555cd5c087dc7e0f35f52b99258a0f08136736b3fe550d9b916da8617e2b079281bc08c7b99bc425f4db953d7f19a2b3d4c5eb4f2f7788d326c1df

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini

MD5
83fe9021cd2631e3293dc451a9e4f2d6

SHA1
ba2964f1d635ede976143280c3923d156c09c631

SHA256
914a9c6067e677e82d45beffbf1097872680d5a8519f24620ef54661e8549d13

SHA512
9c218c69fa4db5d7c770031d09dc04c3c00c8050c727fccbb424b0eb0094f0e96240ab73f26b50cdb19490da570c9d52db33dafb6f5c5573febb483de2fc10db

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini.RYK

MD5
9ceb6264e149ca3d13e25fa69524b566

SHA1
3a0004333dca658f30e22de74b45d9c737f40677

SHA256
1f0a4cae687b0f0b44f55ae58ae88f0e25f5e9af6e1bf90d3f872df26555a008

SHA512
eb8fb4099d0d33ba2bb5d48d3b91a42b7d35f3ec465c9bff05877b30193426bd37c2f5610ec82cb2124b1917e70d793ab589353aea83c0776081d67ec2d9c0a5

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK

MD5
d3fd2dc73238e22409689d5a384dd962

SHA1
404f9292e7ba522e24f47ac0774cdca0214297fe

SHA256
fb3da24d830045b2f7ae9c35d7f4dd2cf3839dce461ca557b6ead5d0aed9a16d

SHA512
4da2d5aa5b3eb4d18461130a2df356983bcb7a16a7afb621ce64f831d2d1bd8e23c43cf53b050b9082c31cf5f0b09db7f9197aeceaf40cddce87cfe98856495b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak.RYK

MD5
51e2f19a6d196a0b7d31d902f5433081

SHA1
95fa20decd2933a5028e076a0fe411ab271dcc4c

SHA256
0b384c28a044fb3497cf1f68ed9c5c9b2cb0edf681293f0494f9199bdacc5c98

SHA512
971474836bc4564bba588b00015f20a6f4d314a5305e2c647d0cfbe77730326ff46f5b811ecea621ced36229c383d0f7e59fe1e9279dd2b22e024af02e9dfa03

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt.RYK

MD5
3df6cfc7091b21a96f33391efedfb572

SHA1
21ebf419846bcd8c9cf6fd0cb7cf19b2ba80b51c

SHA256
a4fa55b4f028e27f77a3cbb01f7f959c6d1f341f74b9b4fb5e427bdc63b3cf98

SHA512
687f73781cc88658e497667d2b50448b11a396cc77b2f4956670c481fec30c30b6d94179aac2c058e55bdaf1521c28f198139a227d4dc8a5d0bfce58691db666

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\LocalMLS_3.wmdb

MD5
dbb9a2e318e3445b0bd49ce874b09150

SHA1
7b7d53ad7461c152fcb6bf078d2b670c2998becd

SHA256
1efc058ccaaeaa953153044ef4ca721da3ab2b9e010368f3f472dcd58885d512

SHA512
83c0e21a976fbbde40a44ded8524b86d67eaf7f8f5352412b361f531e661782c365dbfa1c3e02408a1dcee8f68a988df65c015514eba6d8d9e3ce0d05f27645d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\User\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\Documents and Settings\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.txt

MD5
ae40d03c8fdd305fe8d19a1969a8d02f

SHA1
3995332251a42db3d7a9a91ec9a783724f5bf27d

SHA256
8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

SHA512
14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

Download Submit
memory/1228-56-0x000000013FEA0000-0x0000000140237000-memory.dmp

Filesize
3.6MB

Download
memory/1228-54-0x000000013FEA0000-0x0000000140237000-memory.dmp

Filesize
3.6MB

Download
memory/1940-55-0x000007FEFBE11000-0x000007FEFBE13000-memory.dmp

Filesize
8KB

Download