Analysis Overview
SHA256
4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a
Threat Level: Known bad
The file 4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a was found to be: Known bad.
Malicious Activity Summary
Ryuk
Deletes shadow copies
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Checks computer location settings
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Interacts with shadow copies
Runs net.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-20 07:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 07:41
Reported
2022-02-20 08:52
Platform
win7-en-20211208
Max time kernel
176s
Max time network
87s
Command Line
Signatures
Ryuk
Deletes shadow copies
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uObNeqU.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uObNeqU.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe
"C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe"
C:\Users\Admin\AppData\Local\Temp\uObNeqU.exe
"C:\Users\Admin\AppData\Local\Temp\uObNeqU.exe" 8 LAN
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.0.1:7 | udp | |
| NL | 154.61.71.51:7 | udp | |
| N/A | 224.0.0.22:7 | udp | |
| N/A | 224.0.0.252:7 | udp | |
| N/A | 239.255.255.250:7 | udp |
Files
memory/1480-54-0x0000000075D51000-0x0000000075D53000-memory.dmp
\Users\Admin\AppData\Local\Temp\uObNeqU.exe
| MD5 | 727cf4d00df34f36c4767f1ab185244a |
| SHA1 | 983331a93a5c91cb3ffee97495eef475d43f3f52 |
| SHA256 | 4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a |
| SHA512 | ff3e67d7b2d6196ab574d1f1157a4c3190e91f539d363c547b1a2cfe6e0dcf86d59a267dc226d0dfc5766ed82d01a9e782bc5ecfaed7eda433c2ede6199cd0e0 |
\Users\Admin\AppData\Local\Temp\uObNeqU.exe
| MD5 | 727cf4d00df34f36c4767f1ab185244a |
| SHA1 | 983331a93a5c91cb3ffee97495eef475d43f3f52 |
| SHA256 | 4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a |
| SHA512 | ff3e67d7b2d6196ab574d1f1157a4c3190e91f539d363c547b1a2cfe6e0dcf86d59a267dc226d0dfc5766ed82d01a9e782bc5ecfaed7eda433c2ede6199cd0e0 |
C:\Users\Admin\AppData\Local\Temp\uObNeqU.exe
| MD5 | 727cf4d00df34f36c4767f1ab185244a |
| SHA1 | 983331a93a5c91cb3ffee97495eef475d43f3f52 |
| SHA256 | 4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a |
| SHA512 | ff3e67d7b2d6196ab574d1f1157a4c3190e91f539d363c547b1a2cfe6e0dcf86d59a267dc226d0dfc5766ed82d01a9e782bc5ecfaed7eda433c2ede6199cd0e0 |
C:\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK
| MD5 | 69bd776eb6ba8fbbf28664acfc789df3 |
| SHA1 | fa0ee22ff3c3000a9bef5487df244e1ba7c9b4d7 |
| SHA256 | ff0f69f4c95a921c859573a5e6c71e66381b3275ca8c1f7f9e477c38de959a15 |
| SHA512 | 13d13d5077340a91358a1f0d785f8faa1a03118ed946dc08922d6fade181af6e4c762c66a03becb55ab5f2d195b796b48f2e36e098312d473d20ab1de4616099 |
C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Adobe\Color\ACECache10.lst.RYK
| MD5 | 0263f87e403a12940199b72f8de8751c |
| SHA1 | b2353e98b50d59e8b1148b3e12c97becdbd15a30 |
| SHA256 | 1cb3b5b20bf6ba61181df947a9e482c4b5097bd14a64bec7484effafc620ed3b |
| SHA512 | 66f92ea2a593de8492a91196b1c1e3a5294772e66cb1918c36082f6a9b741aa79451c09aba4a6f8123f74367d89fcb0689ab469e17d9241bb670a1a31cd364f8 |
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
| MD5 | 385d311074da3817c08671ad9f597b10 |
| SHA1 | 4340d33ba61f609528dda00aaa68f97a5df9ab6e |
| SHA256 | 44da321ec7ba370e8727f7f3a1cc3db9ea9047096c14e57831e6bd55725691d9 |
| SHA512 | 84f71f676be1e581deb1b3a6ea17d1d7c6314153327a3b2f9027066d59b66d87a9c4f1ab3a3541700cb6357a7b5549db337d0a549db074cd3c706123a85d9dbc |
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
| MD5 | e61de08e108d0e1b8b2e30bc0b3fde4e |
| SHA1 | d147b827baf45506bf50ee5bfd4d17764c958dbb |
| SHA256 | f5f9801db7b23a385fcb59362f908bd0ef215e55fa4065c26c580497d5ca38ad |
| SHA512 | 3a26fed569ceb9c6bc1e6094e90a64633096eed19e0536c3a213a183cc61e6f3f60e64bfad1abc5be270d245df9b43ce06482c873f039a5b36350d2ba8f63cdd |
C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Adobe\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e
| MD5 | 93a5aadeec082ffc1bca5aa27af70f52 |
| SHA1 | 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31 |
| SHA256 | a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294 |
| SHA512 | df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45 |
C:\Users\Admin\AppData\Local\IconCache.db.RYK
| MD5 | 7bcc00047a085de0f6b02026ff175b61 |
| SHA1 | ce4c296ebc307b750bb83c4dba643be48fcedb67 |
| SHA256 | a2a559b356a56ebf7d693d98feb5dcdb2faabb366bab5991c25313e1917d9456 |
| SHA512 | 2fa855dd887182112ac42a455cfcd15bdfbe59d6e50cb5c05c21a88880514e65eaadf9b45dbf5886785c9a6c322c87caf067c1d49994b0051ed5d9f348df6379 |
C:\Users\Admin\AppData\Local\Microsoft\Credentials\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Google\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK
| MD5 | 84c5e23c69115b59d5d992a0e5bb5881 |
| SHA1 | d47c933c7d5f0d6896f962c477ba24e87dc931f4 |
| SHA256 | aabe874d1c6e540bd0e890bc3b75e1df306e21200d1bfc09a6fa6d51c4461c47 |
| SHA512 | 2986a1a79c20828b025e7a1ef784352c16e663350781b3c5fd521e4d02e9e6789f38840c37ca1292fde9c3e2a81f5ee6065b29962680ec967bfbd5ef77740801 |
C:\Users\Admin\AppData\Local\Microsoft\Feeds\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak.RYK
| MD5 | c9b1c82a88dbc1291c6db01fd4548ed7 |
| SHA1 | a61829cced3b155ac7643b46ff5c78105f54570f |
| SHA256 | d7dbd1aa95a7216ba560029f7f136d7328720090f6f50964f4c9a015c5003012 |
| SHA512 | 4b64147e94f038efeffd4cc4ebfdd9256f29bde7554a36630f1f6bfd438656e268da541f76349c2aa2bf05db1c3dfcffa7abcb3dbcab4189d198989f1647ae8c |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.RYK
| MD5 | 7fe5bdfd356d7bf4249a231f90efd804 |
| SHA1 | 04815fcd2035e23e6418a54206ab3ab3785a0547 |
| SHA256 | 326e42c32b2147f004c6315920a8d90ced9b4621d879179c3c8511746dd731d1 |
| SHA512 | 2e5c2773bb73726eba72a21e360eb0320bce89e500d6906e71ae16492c5a4cdf15e742cd1df065d35c5fea48192049354bda0b252281c924f1e3f928f745e295 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml
| MD5 | 157eec80d778a51ae66cd488969addaa |
| SHA1 | 3a972178f230fa374f63bfe6a481217f941c1e9b |
| SHA256 | 4d645f3b836b77ae41d5bfc4eac7ce1cadb207cf31ab32814612e4c4baf32adc |
| SHA512 | 67134effb81f5236fbf247bf7c5d8fcc943f8b237f58a2e0668766b54f332de27b43128b765075ceee4dbe888f86d0f4e05edaa91a73d181b758f8ff79b0d2e3 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Tiles\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\TabRoaming\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb.RYK
| MD5 | a8820ebfb19bf1e28a6a8a657eeccbfe |
| SHA1 | 75fea6109e4e406ab6b7acf551481deab3d1b59b |
| SHA256 | f69bf417bd47a2c248b7e9564b40995eab63e6dfc5839e47f6151d403a769c73 |
| SHA512 | e5d1db6ed57e078dbb4ecdb1ed56eec32c7987c62675ff7c8611c8309827a5d19c5c8502359913edd9795cdace4542d2218f4d44ccba4c5123336d0810ad7234 |
C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\System\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb.RYK
| MD5 | 188e9ee79b5a6f87fb0d8ca69da1dc7a |
| SHA1 | f00ae724fa524efe94c7d97af852857bc658b3cc |
| SHA256 | 20503a5811f3e27f8dd0466a5a9cd9cc89f3a0cf2dd4fa4b49f56a7af9747c5e |
| SHA512 | 191810f7fbbc52735218f67c901028fcc670d710ac670df34c4ba7e05e0a72989eefdb028c333510f5c49de6e0ae143c9080fbd03e004da70aa122b230ca49a0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\PlayReady\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Office\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\User\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat.RYK
| MD5 | 661a96d8025d0cb3c15f2ab4ee42a9eb |
| SHA1 | 6961717e962eec2f723971460a9ba37e79d27cba |
| SHA256 | 361f0d6888ae724ec0d7c5a4aac2edb8c8d0fcee91407fcbb00f7fc4bb3618fa |
| SHA512 | 9694c374f17798e3b987a47ea0bae6ae29ef7fc64a6f7010b8d6c7e611749b3e8ad5668e98dac6804a0b7a69ad1427f2f0a9f619f24a3cf7850d4dab4d318c9e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb00001.log.RYK
| MD5 | 3c27bf494077329b33cf94d378cc1c4a |
| SHA1 | 705e59f3d9ab247de985d2da47ced7321055c07c |
| SHA256 | 0a7e903010e5bffb1e1c2e5614af277cba9145f742919af8d2f6da062efdaa55 |
| SHA512 | a4d2bb43d5baa3f9361cdb07bc7da72640c319f9ce2aa3045876ee435e54954d744915939ab007ecd094c630a6c4a42c9ae974945ca9c290152d3fca0af8c356 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.chk.RYK
| MD5 | c94d6f920ff50c5870ba4781a2b1447c |
| SHA1 | eba3cb59d44127ba02679b465370f2243025757a |
| SHA256 | fe2172fab0b11f7d1fda633486565cd8698b3a62c36a4a15c90536e9706d9dcd |
| SHA512 | dd1ea0f35dc7a1217b3b5781bed7fe267e3f12d21b1ff1dc9263c312ce13da1078fb3ae5e97ee0b37fc9a74b8cc8703e91f2b14465e631cf27dcd929def46534 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\oeold.xml.RYK
| MD5 | 22693af205b4e20944c802281fa9f2af |
| SHA1 | 113751467e0739d89e59378faa22e62a77aa364a |
| SHA256 | f2006d70ce09958667de4094864a1fd89102e7a0cc5b78b61c2f076132120e74 |
| SHA512 | 3295e1baf2fe71d59e5392c1f6c7a2e4db674b113f6acc5d6f04963f13111dc0eb4218370377e322285570680fce305da57a8a55d619f49e0be781fbb819ab5d |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log.RYK
| MD5 | 338f0659dd234049f407a5bc866e86b8 |
| SHA1 | 2be984f0f633f82f5936ed4c1f5f8e53c035d491 |
| SHA256 | 5d9f842f7bcf0ed3199c6ecefb4120720e34138e017c68f5e37c3032293e809d |
| SHA512 | 8544decb710085392521278495cebfed9839ed61a0fe60d15626ecc9b0e74d15368a17d213b227de792ed026f656c21cadd3f94256d28b8fa7aad50b1e17e90c |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edbres00002.jrs.RYK
| MD5 | 4cf61e4917bc97d04ee531b092301cfe |
| SHA1 | b17c3fab966b6edad3a6e785289623e752a82295 |
| SHA256 | 7345f280a5e9eb2ec3d41f8403c70aa0981ca89ff122595f2fb5be0d803275c7 |
| SHA512 | be3ae0085e0b0b95553d85a3e8fa6560f71e26d6ce3cbec0a8cf780c4e70f831fe6bfe35b9236b4b80b7c8acb54600d12d1d00a3335f9a283af1d9809c8709aa |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edbres00001.jrs.RYK
| MD5 | 1bd881cdaedbbad53dd157a60060fb2b |
| SHA1 | 853a634bf8fbaab639bb2133a4c9002db537a952 |
| SHA256 | 64b4811be1030f50e172ac9537e0767b5fb3a2b4361c20d88dd36d915ecff738 |
| SHA512 | eac8f45875c2aa58d2b7eed55dc8ac327ba42f8abbbd18e9a7fb920836096bb88001ec0b36942bb33e7c6e8d7fad85f521d1e5e2dcac74a60282c723db158be9 |
memory/1764-120-0x000000000E3F0000-0x000000000E514000-memory.dmp
memory/1764-121-0x000000000DF50000-0x000000000E074000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 07:41
Reported
2022-02-20 08:52
Platform
win10v2004-en-20220113
Max time kernel
195s
Max time network
214s
Command Line
Signatures
Ryuk
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe
"C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe"
C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe
"C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe" 8 LAN
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | tcp | |
| US | 20.189.173.13:443 | tcp | |
| US | 8.8.8.8:53 | crl4.digicert.com | udp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 52.184.215.140:443 | tcp | |
| N/A | 10.127.0.1:7 | udp | |
| NL | 154.61.71.51:7 | udp | |
| N/A | 224.0.0.22:7 | udp | |
| N/A | 224.0.0.251:7 | udp | |
| N/A | 224.0.0.252:7 | udp | |
| N/A | 239.255.255.250:7 | udp | |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe
| MD5 | 727cf4d00df34f36c4767f1ab185244a |
| SHA1 | 983331a93a5c91cb3ffee97495eef475d43f3f52 |
| SHA256 | 4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a |
| SHA512 | ff3e67d7b2d6196ab574d1f1157a4c3190e91f539d363c547b1a2cfe6e0dcf86d59a267dc226d0dfc5766ed82d01a9e782bc5ecfaed7eda433c2ede6199cd0e0 |
C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe
| MD5 | 727cf4d00df34f36c4767f1ab185244a |
| SHA1 | 983331a93a5c91cb3ffee97495eef475d43f3f52 |
| SHA256 | 4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a |
| SHA512 | ff3e67d7b2d6196ab574d1f1157a4c3190e91f539d363c547b1a2cfe6e0dcf86d59a267dc226d0dfc5766ed82d01a9e782bc5ecfaed7eda433c2ede6199cd0e0 |
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_e269d2c1-0edf-4391-ac7b-818b8e88b04f
| MD5 | 93a5aadeec082ffc1bca5aa27af70f52 |
| SHA1 | 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31 |
| SHA256 | a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294 |
| SHA512 | df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45 |
C:\Users\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Comms\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Comms\Unistore\data\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USSres00002.jrs.RYK
| MD5 | 13787316a08247b16ea7c4401a99861e |
| SHA1 | 8349c240285a9488176859ed11b6a9aa29848dc7 |
| SHA256 | 51dbe20e40423cfca104b8dafc03f3dda1f4d8b598f3efd3f97c5453ae61dee7 |
| SHA512 | 17bb70809e032d11154c005a09aa5571caaec60fd3248e36ac77c0154d5e4158cd07393d4f298386ac7e10eb372907fd1c68ee221fc11fed57a603bc44f040a9 |
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USSres00001.jrs.RYK
| MD5 | af4b66398c399680c00dbcea14fa5a55 |
| SHA1 | c7abfe79bb698842c0d70d009dd4f04d403c96bf |
| SHA256 | 60ddd2157856767cabc816b41d87f952f5490ab303cf45e8eb8fc2371cbeabd2 |
| SHA512 | 37471cd12275ad03326335dac9d5bc2f8e438df49fbaac8981793f5f2a7dcfcaea591f9313be511941f280c0a0b7841098bcbcd1089cab10a6dd3576a19cdb0a |
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jtx
| MD5 | a801b8bdf39b57cc9e9c7acfa4e7b859 |
| SHA1 | d26f3c4f30417356d93bb5fc8429b9fd0e774cb3 |
| SHA256 | 0e3e136c8de7f313fabdb8ed5a67df55aeb428eaa35eca342a20b2c248465e57 |
| SHA512 | f15bfa33361974c15cb1849fc4345792368b375392647e2db2b0d93816ffe8062b0f32da6001a76e10680823cc5a33e786d0d2a06fa64091cdf3a7361993d131 |
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm
| MD5 | e2e36e461037d8d368d21353b53aeed2 |
| SHA1 | 6ccc512f9587e6023def14c4af1bbcd94e62109a |
| SHA256 | 885230a592e8c521f0ad9e63a8822e95bef73bc679c87915b8d9e04af45c873e |
| SHA512 | 995030c224977a0322c2a2aa66b829d092c01cb6e8d863d8ff9d7e4f335eff5fbd32ed0d957b68550565eed6fdb61e4cf769c174ac4df27b9f098fe774d2f732 |
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USStmp.jtx
| MD5 | ee1746fc3d5184c08274847740e55865 |
| SHA1 | 8fb8fc9ed9b96e1ad9d7abd85e02a32e2929aa1f |
| SHA256 | a29fb6739c6d6b6f4e4a5e920f1cecabdfdf50534bd95249f24ee6153ca6d496 |
| SHA512 | af16d86540aeebc6ebf1ae648c3a397c0f5ba35ff627a58d433daf4d7e209d28f3dff1f7f5190498185db8b7bb222961456fded675b38b283d066dd23f84a67a |
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jcp
| MD5 | ee2689bca19a138fc2c2048e212936d5 |
| SHA1 | fc758555594836f7558401cdc27fa079ea6f606d |
| SHA256 | 2e166c7092d6a679922ca192739379eaacda994b9acfa2b0c1b6c54ef6cac3f5 |
| SHA512 | 232a51258918d75e8b2e2bb11abfaba1b67afc6d7b5bf8ecdb08f5f6003eda1d2f162a5a952a6d9461b691eaf6f1ffa380201f85723eb5fde202867bf4b478c2 |
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Comms\Unistore\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Adobe\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
| MD5 | 462129e3b74d9e683c723d5568c0ed56 |
| SHA1 | 1a5905f825523555c9a9f843dcbf1321b7e771d5 |
| SHA256 | 642d0556e2b3c0df8bff6cd670da59521a1ebec6a14a8551c14b76004ef19f4d |
| SHA512 | db2cd979f1192566f95268b53772507b6cce4b74b132878654147a10612b3e7678fe9863cd715420966e5837afd76a07ec592f58bb7a4b8c22489f1649d5dcb5 |
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
| MD5 | f991040898bbeaf082a6b7f9b4ee7a11 |
| SHA1 | bbfede7dc2354105bc988afc85d64f6e502d1ca8 |
| SHA256 | 69a7aadfac8e971e98f86657942bc11efcb239dd5290af433d4b1d9137bf391e |
| SHA512 | 6f1202be99cb7e054126bd2b3acf50c34f14cb2d036a8017c5dce7b215bc3a8c28b114d85636b58a7cb9fc725a50b4c2483d50f4e411a1bc7bc2b1281137926c |
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK
| MD5 | 01b92305f1c9d9f56c6236ce89cf09d0 |
| SHA1 | e82fb54eee4904eb325f6c98ada07035ccbdc2ad |
| SHA256 | 62bdf9d307f3fb950750fc7bcfa64c850e7fd8fb0ecf32eeee2e7f9685b3565f |
| SHA512 | ed5c9b6cedd9f82181d4c0df033b53cd84bd32e66cf1af7b07c4a213213479dd19c0e2d3f3b25f338b2712c326e487e629a4b1774357922ee2ce57f448b6d37a |
C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK
| MD5 | fd8fa454610b543f07b3c17c19d5ed4c |
| SHA1 | 501eb6ce829cff54fab254d1f072f57951389767 |
| SHA256 | a48f38e92049874d87d4d846ace8b258f26b6bfdcf4971249530d5ae3b9b0c7a |
| SHA512 | 070cb773da08a0ad4238233691091fd9a00152a378ec098bde0e666e51d04d7bababd3f8f9a33efab98814d94643ce40311de039d82cd24840115807eb24a6ba |
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK
| MD5 | cd9f32cebb32d48e4cf7b25b3ee65aa3 |
| SHA1 | c3d2db47d2ca571641877d9c3b8e06faedf6e12f |
| SHA256 | 0f340669150bcf4487107be56f89c0216057e6a140a13cd004e6c1377adb0268 |
| SHA512 | 055531fa6a8c2dd6e141611535ccb3332634cb235bcec57607232e1605e221aa04cfe6f85d1d3660cce2447aa4ea25654225d6bb086be5d936d3af2c3610b0be |
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\3D Objects\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\.oracle_jre_usage\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK
| MD5 | 7d34f2943f268a6f6adfffbdfdb498d2 |
| SHA1 | dde2eba0b516a68429994a61d63a431a4a67cc6c |
| SHA256 | 3aa5214b930905e614f857354709879e86dbe4f7404f5b2158e4ec304bb74e8d |
| SHA512 | 0c4c4910b2ccfa85e91d02ed3160d914d53584e59f1ea4a64ecf100eb26e90b0b9c492cb5ff14ee5b7936f8d80415f5d762114276d7ea8a074c07084a5a72d76 |
C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin.cdp.RYK
| MD5 | f1630cccba0c34f1a004c068707fc9db |
| SHA1 | 465f99fc8c1f0378fc350953c699637cd1073cc6 |
| SHA256 | 00aec1e06f3c185fff53a03a4cdab056a81107b2033db2f820c7d74383cf6c50 |
| SHA512 | b6f42bd4d7a091f6a50bf292d325aba860b5492c7ee2296807219dbde453c7b37c7b5df23176e44a3898906ff7fa82aa68932288e4ab12cf4fa473873c31cb4b |
C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.vol.RYK
| MD5 | f4dff35f9b905403b630083dc9fd1dc6 |
| SHA1 | d25f3b69637fb7c8c8d15dc8e0b5486fc66d9d67 |
| SHA256 | 84a4817abed64075c001a0bbbefe881fa28238158e8ec7825c76162522bd295e |
| SHA512 | 1cc03a3e08353aaabdb36585eb4dc2aa9e8bd938456e7fe2646031fe23c0033cd5a144afd6a3f8a9533b9000c3902317b1ccab4f0225258ae25e6a6c46755486 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\IconCache.db.RYK
| MD5 | 3f1e49a927db8af7e16aa3899025d242 |
| SHA1 | 0bcc0629128a88e7470ab974e3e3edb2f61c27d7 |
| SHA256 | c107a7a2d9de4bc1290590df8f41287804f994ef922ad5d6c90a26bc9b2f7f15 |
| SHA512 | b67a33fdbeb53957d98ccbc5d7d027dcc3c009837b68d3736612eba0d61cf16731a7ebcb308241646de0588ef75562e1409b58f345bb61ae9876026c7f44be87 |
C:\Users\Admin\AppData\Local\Google\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics-active.pma.RYK
| MD5 | fcf20fbfd828af7e0bebf010791c95b4 |
| SHA1 | c6f801e092025c742003fe2d432045bc8a41654e |
| SHA256 | 0db8b4392a8108493d5cc31908022b0a53afe1e0a9da809202a804126298df72 |
| SHA512 | ab01622c6e541fa7c9272d568a969eb8e8cb474e1058681676032c75669006e039bf52c159887767e6d85d03d74d8f07b240deef4f18d2c5c0b0387850b86f30 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico.RYK
| MD5 | 7b0ee99584de850fe8c48b3433ccb6f1 |
| SHA1 | e63b3d0176290705687b853983a1ec95cd05652f |
| SHA256 | 3dc55c94a01fbdfaff94647b8437ea4253ff97c2ba462496a14ac607c01df658 |
| SHA512 | 5d9ed2e118b50d87dc97c985144bd933d5ee1a9419a340e14a96b35431c19cdc161fa092266f6400d943b2b309d25f2c382fdee459f3c082615fc1dc725a0cbf |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons.RYK
| MD5 | 90fa451e791bdd514bf5fc1a709fc3bd |
| SHA1 | e8faf4171644f3778bf4f424d374499a52028bf8 |
| SHA256 | 7d009af3ca492774242dd18304a7a2129bdcb763ce1c8d5442f9f683b77d503e |
| SHA512 | 06ffc0af8e603981d0788464d11b307a92031705400805b5f4ee841ee0aff3d1e48192c78a3d2cf4b70fd350c12c474f1fd6d4c1842184e5ba309493f7e88275 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat.RYK
| MD5 | 274aa7e3202a439d8d9c6ddcfbb23f4b |
| SHA1 | f0444dab580fcc4e1de3da088afe5bb63b3292c0 |
| SHA256 | cbec33cd951582ccbe54f1176ce1f28d6170e7688252e6c58df18d5ba4a05cbc |
| SHA512 | adfae194bfb99e0b6d1635802342fbcbba714a4c69a7692301dae2e5839220adf5d1ea4de20bad5c806b5550138311c6ddb1498d7f7a06f9fc4b28b4a7fb4f87 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History.RYK
| MD5 | 9bc9fc64b18e84f85dbf1ceb9c74bf05 |
| SHA1 | ab0b0933955ce1ece84b88ff2bc87e6c82dbe71d |
| SHA256 | 892e03f9ed5b6b9069ca30447b729f8c8f791dc25e211c3d3d9b98b845819fef |
| SHA512 | b12bc9446983de4a9526f2ddba4948c2b86034614aad995006c8f13645ff54d025770de7febfe6a05a9323e2bf1845d39bc2724924801f6d0e0204a6e9cbd2c1 |
C:\Users\Admin\AppData\Local\Microsoft\Credentials\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.RYK
| MD5 | 69035e285860bbe858e39fae05be26f2 |
| SHA1 | ff57fe8e5751baa3a5a0b3e7b0e6ef5d7a016040 |
| SHA256 | ab4b4cc19a94c9ff10bb88d576d81467712099f4214c0ff4960b0706c71cf13c |
| SHA512 | 40bef3bb982980355659bf16ddd18cb6baebef9470efa9635b0ab14929c9aca09eddd240038402040cddfb437ae2561988d89cf41ca4209973adc0b6d6f419ae |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data.RYK
| MD5 | aeb09fd4fbe86867920ac1fd47365767 |
| SHA1 | 871b052a66a6f6410476b3c4417f8316a1b986f9 |
| SHA256 | 6fa57104b01096140bce311c5837b7e5cb22d8278b3e2783e54ff19af242cb09 |
| SHA512 | 6fdd64705a5e792bbf0d968764fef3fbff84543064525ec04a50c1b30b9de71d8c9fe1c335cc22aaa333d5b10a9bf701a8b797fb1bbc28e3fe470bae55b591c4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\index.RYK
| MD5 | 91682aeb7b831e3bfda35006134cd5da |
| SHA1 | 804796f44f93bc499662a791303acd6ece119af7 |
| SHA256 | 390b7e557534564ff30bae64b0c88186c8e9c0c2e3e4cc3cdaf794ac31ab41e3 |
| SHA512 | 4b42323ae388ed0de23951a05c0954363730b20bb639a71c70cf077f7e93eaa111574cb4aa544030f012253f968e8f9d51e24b66298749a63ad1d7e0183be5bb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3.RYK
| MD5 | b3f98057118474450323a2175a8c0f6c |
| SHA1 | 838f3e2fb00b60311bdb1ba325325e9842199a21 |
| SHA256 | f6f92827e36f79c4b66e37460d21e6b7fc908d8618fc3fbde6ba741426dc42cf |
| SHA512 | 1aaa5f17fac5aa16c95c0f9fa602d6aa972ec01c5c1c51bc7a367aa6d751dc46885c09b7d338330f9ef7543b7f3dde1e43042a73b9db95b54a76ae494c081fac |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_2.RYK
| MD5 | b491f4a6fe91cebb9df00c047347c49d |
| SHA1 | df5e7040cb1d78849524c3dd0e25bda199193c76 |
| SHA256 | a8526f8be71794296f2aca8bfb24760276127d73bc44d5e85169d147a7e65a60 |
| SHA512 | 26dca3beb0432ab12ddb76e7747cab1577da244abe77ba849c2a209de113a9efcc809594c81b1722c96c0727a367eb3c6744e66e5584e40fe124532f6a7ed5c3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1.RYK
| MD5 | 90b01ac19a137876c6a18ccf2f51e7f0 |
| SHA1 | 3b84484f9dce26d890b0be2420e86f5305b89849 |
| SHA256 | 3afce7fea21cacb8f32d934f9ae45c61594644ece06c0e53dfe6a3d34908608e |
| SHA512 | 055b8b8aada53b1c6966b3ce9e50f752161d1f7a8fe92e0e12b9a18395df5cd36b9250edeb417864a438f47f6ca344644817b17482c78ff46c0ab79e924ba525 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0.RYK
| MD5 | 7f63de0e925f950a9d8eed217463c3fc |
| SHA1 | e5c92b4b1931ba35e5ad0d342b571b7e0e6d6d54 |
| SHA256 | 1862733ce98c66f25cd9007217d9b35bc08c29801113bf702e25042fe51d2f92 |
| SHA512 | 5875d8e3b6687ffbb04838e7dde8b49507605d4859591506e1796734353169fc19b25e03628d241429dd321f0c2752482ab483c9b6c2a7e2621ff0ce4558ea4b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.RYK
| MD5 | 474a8e81d38900f391fb21fcd5e0ea22 |
| SHA1 | f080a4b1ea76511a5a26a1e17e047fe26f26c568 |
| SHA256 | fb3db0b8d6f7d7b38e5cfa6f16521ef794ee1098089ceec45c5f6659dbea32ab |
| SHA512 | 8d433db32d88ffb87ba333e8dd69f8ac9590ad52e07ef2ddffd7c50950348d2aed578db4c9b0af39a97714a05f8df680d946019bd0aff8b3559e0a8335442422 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences.RYK
| MD5 | 6c0d644d6702c1308a86bd49a14b1882 |
| SHA1 | b4e5c81753f39fc5ec8224be13839be0fd126bac |
| SHA256 | c9bb33c080cd820edcfcbfa6a139dbe27deb75672b0a34f590f251dd3e51806f |
| SHA512 | 8b4660353e135d6756dfa0ad6feeb19056fd7d7c51d906cbc55bdea7bf5fbebb3c6784ffde58506b1ebf63818aee77a8662f4f7aeba723606e655db0a75aa95b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\RyukReadMe.html
| MD5 | e5a0d49ea2478881d00f2043e603c9dc |
| SHA1 | 3debe0b34a7edf304a912ecc51a086a31c86c2cc |
| SHA256 | 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c |
| SHA512 | 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\README.RYK
| MD5 | 6f92c08c9ad6cb0b0f066c9f344c9f00 |
| SHA1 | da85f28c7691618aa6411f6ec2b3752360d4a01d |
| SHA256 | 5be934968d0ef20bb3c40e2023f47b97a7e1fc901528f487ce3689c31a9b2814 |
| SHA512 | 63aa65ce074fb4f0e9ef41f199c3ab3e6df64c7e7424ddb4dda1880adc9560506acf694eb71fd524a464bc529f0b33027f2b8ba94a47c9b4eaf661821ff1fa21 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences.RYK
| MD5 | 8027020ab8f37590e19e63918faae205 |
| SHA1 | 849dce716dbee71eb8e50362f44f44948bac7b32 |
| SHA256 | b71b35cfa94dca9b2996dffa2368895276954d8c98288e85a4876990b1f0078b |
| SHA512 | 265db3637c0d54abc0d3add55133594821742aa4f765987a74ef736b072432502397fcd52c86a15ba1fc86141f24db1c2537e488127f977ba005c922bc3dccbd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 53e5e8009d5f518a971c2b723f31fe44 |
| SHA1 | 510b8c780509e8a34b3d7b78c07e9e21b47e08ae |
| SHA256 | ea4d834a70eb7b8af48932bc25038693c2dff764433e36548569a69fa3e63a42 |
| SHA512 | 71bd04a7df5beaf937d6c224c67967f85d8f9face1d607099c4f920a3ff3f17863a26acb4c856498314c82a9a85b2b31b67b00150618c6c5c608d7dd1a74db44 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data.RYK
| MD5 | 88426a8668533bbbaddb97d6cd63f3e0 |
| SHA1 | 9c161c9404949e99d9797c3d8f0b0a7630c4e310 |
| SHA256 | 9f0fe99c93fc3c8a0db9ed9bdf462190932754e6e3d7d200acf0a5ebb05d1e5d |
| SHA512 | a97c3b1b2f801650395422b0bbb9cfeccb8b995f61cb6b3361fb546199fd7a09457ad6b7637b84945460dd3a6ef8d5292f08068ce6849e696abb897c166baf95 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
| MD5 | 6177ebe738bbe57d483f9ad29d41ff53 |
| SHA1 | 258772bf1b4d16fff4c42055159e87ad70f1a30f |
| SHA256 | 769c9a359617c0412b6804af516cebad8fb86b7f03dc74471a0f1b85a447b302 |
| SHA512 | 48786d5a8f81e68abd4636912342da81c3a7a244a93f7fe99ef9a9a764f7d227561cc9168e097f3b7943c5dc2919895112897a32fbf351ce4cd6da8e6a5026ed |