ryuk | bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800

Analysis

max time kernel
150s
max time network
52s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20-12-2022 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
Size

138KB
MD5

f62bb82db62dd6b80908dcd79ea51fb2
SHA1

e635ba1b935adf31ffd055d71884098567b3dd4f
SHA256

bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800
SHA512

869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08
SSDEEP

3072:dsFd0klDWOsja1mrT0CowNJ8s540uUf0WccH2hgcD:QWHrYNwNeQEBgc

Score

10^/10

ryuk discovery evasion persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1964	bcdedit.exe
864	bcdedit.exe
9336	bcdedit.exe
9668	bcdedit.exe

Executes dropped EXE 2 IoCs

pid	Process
2044	pyGChhyEUlan.exe
1624	QqxlXGJRqlan.exe

Loads dropped DLL 4 IoCs

pid	Process
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1060	icacls.exe
1736	icacls.exe
8844	icacls.exe
8856	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\EV = "\ufffeC:\\Users\\Admin\\AppData\\Local\\Temp\\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\EV = "\ufffeC:\\Windows\\system32\\taskhost.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\RyukReadMe.html	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked-loading.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_fr.properties.RYK	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml.RYK	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util_zh_CN.jar.RYK	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\en_GB\RyukReadMe.html	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\logo.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.properties.RYK	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.io_8.1.14.v20131031.jar	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jmx.jar	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\settings.css	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\Words.pdf	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_SelectionSubpicture.png	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.RYK	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.commands_5.5.0.165303.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\de-DE\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\calendar.css	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105336.WMF	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper_1.0.400.v20130327-1442.jar.RYK	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Fakaofo	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_zh_4.4.0.v20140623020002.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_zh_CN.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_it.properties	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\sRGB.pf.RYK	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Moscow	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\calendar.html	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107712.WMF	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.jar.RYK	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Maputo.RYK	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\high-contrast.css	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-coredump.jar	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-background.png	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Mazatlan.RYK	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Taipei	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\RyukReadMe.html	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\RyukReadMe.html	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\activity16v.png	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00369_.WMF	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\11.png	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.CSD	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_zh_CN.jar	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml.RYK	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-actions_ja.jar.RYK	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_SelectionSubpicture.png	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kolkata	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.ja_5.5.0.165303.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.logging_1.1.1.v201101211721.jar	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-8	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01434_.WMF	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1400	vssadmin.exe
8828	vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
1216	taskhost.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
1216	taskhost.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1216	taskhost.exe
Token: SeIncreaseQuotaPrivilege	1124	WMIC.exe
Token: SeSecurityPrivilege	1124	WMIC.exe
Token: SeTakeOwnershipPrivilege	1124	WMIC.exe
Token: SeLoadDriverPrivilege	1124	WMIC.exe
Token: SeSystemProfilePrivilege	1124	WMIC.exe
Token: SeSystemtimePrivilege	1124	WMIC.exe
Token: SeProfSingleProcessPrivilege	1124	WMIC.exe
Token: SeIncBasePriorityPrivilege	1124	WMIC.exe
Token: SeCreatePagefilePrivilege	1124	WMIC.exe
Token: SeBackupPrivilege	1124	WMIC.exe
Token: SeRestorePrivilege	1124	WMIC.exe
Token: SeShutdownPrivilege	1124	WMIC.exe
Token: SeDebugPrivilege	1124	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1124	WMIC.exe
Token: SeRemoteShutdownPrivilege	1124	WMIC.exe
Token: SeUndockPrivilege	1124	WMIC.exe
Token: SeManageVolumePrivilege	1124	WMIC.exe
Token: 33	1124	WMIC.exe
Token: 34	1124	WMIC.exe
Token: 35	1124	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1124	WMIC.exe
Token: SeSecurityPrivilege	1124	WMIC.exe
Token: SeTakeOwnershipPrivilege	1124	WMIC.exe
Token: SeLoadDriverPrivilege	1124	WMIC.exe
Token: SeSystemProfilePrivilege	1124	WMIC.exe
Token: SeSystemtimePrivilege	1124	WMIC.exe
Token: SeProfSingleProcessPrivilege	1124	WMIC.exe
Token: SeIncBasePriorityPrivilege	1124	WMIC.exe
Token: SeCreatePagefilePrivilege	1124	WMIC.exe
Token: SeBackupPrivilege	1124	WMIC.exe
Token: SeRestorePrivilege	1124	WMIC.exe
Token: SeShutdownPrivilege	1124	WMIC.exe
Token: SeDebugPrivilege	1124	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1124	WMIC.exe
Token: SeRemoteShutdownPrivilege	1124	WMIC.exe
Token: SeUndockPrivilege	1124	WMIC.exe
Token: SeManageVolumePrivilege	1124	WMIC.exe
Token: 33	1124	WMIC.exe
Token: 34	1124	WMIC.exe
Token: 35	1124	WMIC.exe
Token: SeBackupPrivilege	972	vssvc.exe
Token: SeRestorePrivilege	972	vssvc.exe
Token: SeAuditPrivilege	972	vssvc.exe
Token: SeBackupPrivilege	2044	pyGChhyEUlan.exe
Token: SeBackupPrivilege	576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
Token: SeIncreaseQuotaPrivilege	9300	WMIC.exe
Token: SeSecurityPrivilege	9300	WMIC.exe
Token: SeTakeOwnershipPrivilege	9300	WMIC.exe
Token: SeLoadDriverPrivilege	9300	WMIC.exe
Token: SeSystemProfilePrivilege	9300	WMIC.exe
Token: SeSystemtimePrivilege	9300	WMIC.exe
Token: SeProfSingleProcessPrivilege	9300	WMIC.exe
Token: SeIncBasePriorityPrivilege	9300	WMIC.exe
Token: SeCreatePagefilePrivilege	9300	WMIC.exe
Token: SeBackupPrivilege	9300	WMIC.exe
Token: SeRestorePrivilege	9300	WMIC.exe
Token: SeShutdownPrivilege	9300	WMIC.exe
Token: SeDebugPrivilege	9300	WMIC.exe
Token: SeSystemEnvironmentPrivilege	9300	WMIC.exe
Token: SeRemoteShutdownPrivilege	9300	WMIC.exe
Token: SeUndockPrivilege	9300	WMIC.exe
Token: SeManageVolumePrivilege	9300	WMIC.exe
Token: 33	9300	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 2044	576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	26
PID 576 wrote to memory of 2044	576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	26
PID 576 wrote to memory of 2044	576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	26
PID 576 wrote to memory of 1624	576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	27
PID 576 wrote to memory of 1624	576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	27
PID 576 wrote to memory of 1624	576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	27
PID 576 wrote to memory of 1616	576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	28
PID 576 wrote to memory of 1616	576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	28
PID 576 wrote to memory of 1616	576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	28
PID 576 wrote to memory of 1216	576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	11
PID 1616 wrote to memory of 1536	1616	net.exe	30
PID 1616 wrote to memory of 1536	1616	net.exe	30
PID 1616 wrote to memory of 1536	1616	net.exe	30
PID 576 wrote to memory of 916	576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	31
PID 576 wrote to memory of 916	576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	31
PID 576 wrote to memory of 916	576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	31
PID 576 wrote to memory of 1316	576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	17
PID 916 wrote to memory of 1680	916	net.exe	33
PID 916 wrote to memory of 1680	916	net.exe	33
PID 916 wrote to memory of 1680	916	net.exe	33
PID 576 wrote to memory of 2044	576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	26
PID 1216 wrote to memory of 1296	1216	taskhost.exe	34
PID 1216 wrote to memory of 1296	1216	taskhost.exe	34
PID 1216 wrote to memory of 1296	1216	taskhost.exe	34
PID 1216 wrote to memory of 1416	1216	taskhost.exe	35
PID 1216 wrote to memory of 1416	1216	taskhost.exe	35
PID 1216 wrote to memory of 1416	1216	taskhost.exe	35
PID 1216 wrote to memory of 972	1216	taskhost.exe	39
PID 1216 wrote to memory of 972	1216	taskhost.exe	39
PID 1216 wrote to memory of 972	1216	taskhost.exe	39
PID 1216 wrote to memory of 1712	1216	taskhost.exe	36
PID 1216 wrote to memory of 1712	1216	taskhost.exe	36
PID 1216 wrote to memory of 1712	1216	taskhost.exe	36
PID 1216 wrote to memory of 1060	1216	taskhost.exe	40
PID 1216 wrote to memory of 1060	1216	taskhost.exe	40
PID 1216 wrote to memory of 1060	1216	taskhost.exe	40
PID 1216 wrote to memory of 1736	1216	taskhost.exe	43
PID 1216 wrote to memory of 1736	1216	taskhost.exe	43
PID 1216 wrote to memory of 1736	1216	taskhost.exe	43
PID 1296 wrote to memory of 1124	1296	cmd.exe	46
PID 1296 wrote to memory of 1124	1296	cmd.exe	46
PID 1296 wrote to memory of 1124	1296	cmd.exe	46
PID 1416 wrote to memory of 1400	1416	cmd.exe	45
PID 1416 wrote to memory of 1400	1416	cmd.exe	45
PID 1416 wrote to memory of 1400	1416	cmd.exe	45
PID 972 wrote to memory of 1964	972	cmd.exe	44
PID 972 wrote to memory of 1964	972	cmd.exe	44
PID 972 wrote to memory of 1964	972	cmd.exe	44
PID 1216 wrote to memory of 700	1216	taskhost.exe	50
PID 1216 wrote to memory of 700	1216	taskhost.exe	50
PID 1216 wrote to memory of 700	1216	taskhost.exe	50
PID 1216 wrote to memory of 1484	1216	taskhost.exe	48
PID 1216 wrote to memory of 1484	1216	taskhost.exe	48
PID 1216 wrote to memory of 1484	1216	taskhost.exe	48
PID 972 wrote to memory of 864	972	cmd.exe	49
PID 972 wrote to memory of 864	972	cmd.exe	49
PID 972 wrote to memory of 864	972	cmd.exe	49
PID 700 wrote to memory of 628	700	cmd.exe	54
PID 700 wrote to memory of 628	700	cmd.exe	54
PID 700 wrote to memory of 628	700	cmd.exe	54
PID 1484 wrote to memory of 1748	1484	net.exe	55
PID 1484 wrote to memory of 1748	1484	net.exe	55
PID 1484 wrote to memory of 1748	1484	net.exe	55
PID 576 wrote to memory of 8388	576	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	59

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\system32\cmd.exe
  cmd /c "WMIC.exe shadowcopy delete"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC.exe shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1124
- C:\Windows\system32\cmd.exe
  cmd /c "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1400
- C:\Windows\system32\cmd.exe
  cmd /c "bootstatuspolicy ignoreallfailures"
  2⤵
  PID:1712
- C:\Windows\system32\cmd.exe
  cmd /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1964
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:864
- C:\Windows\system32\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Qþþÿþ
  2⤵
  - Modifies file permissions
  PID:1060
- C:\Windows\system32\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Qþþÿþ
  2⤵
  - Modifies file permissions
  PID:1736
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1748
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f /reg:64
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:700
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:628
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:75136
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:75164

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
"C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576
- C:\Users\Admin\AppData\Local\Temp\pyGChhyEUlan.exe
  "C:\Users\Admin\AppData\Local\Temp\pyGChhyEUlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Users\Admin\AppData\Local\Temp\QqxlXGJRqlan.exe
  "C:\Users\Admin\AppData\Local\Temp\QqxlXGJRqlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1536
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1680
- C:\Windows\system32\cmd.exe
  cmd /c "WMIC.exe shadowcopy delete"
  2⤵
  PID:8388
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC.exe shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:9300
- C:\Windows\system32\cmd.exe
  cmd /c "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:8756
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:8828
- C:\Windows\system32\cmd.exe
  cmd /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
  2⤵
  PID:8768
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:9336
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:9668
- C:\Windows\system32\cmd.exe
  cmd /c "bootstatuspolicy ignoreallfailures"
  2⤵
  PID:8800
- C:\Windows\system32\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Qþþÿþ
  2⤵
  - Modifies file permissions
  PID:8844
- C:\Windows\system32\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Qþþÿþ
  2⤵
  - Modifies file permissions
  PID:8856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe" /f /reg:64
  2⤵
  PID:8880
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:9752
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:9312
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:9728
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:66804
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:66832
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:78088
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:78132

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\$Recycle.Bin\S-1-5-21-999675638-2867687379-27515722-1000\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK

Filesize
8KB

MD5
4f3a1332a3f015335d9feac94c8322a0

SHA1
39983305d7789255fc10d1e537cd772ce4997a88

SHA256
c49a8bacdce854a0bfa938d8baff71188ff385fd046f70b2deb8f7a91857ce68

SHA512
fabe1f7310ab7e14cff59a7e47554a39e0063c06cc2d1d753f8fddfafd885b98a2b88382986d36351bcbe34aaa700bd4173bf9546ddacbcc2627a76f715a35fc

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache10.lst.RYK

Filesize
2KB

MD5
f1827cf65944f0909e1fee829e7b8757

SHA1
b593a7cf11971bbe61f38df8e0d6d94fb6a80042

SHA256
e3b23775c6130b4c0a8491c2f2265c8b65f5bb664a8f436f27a21df225cb5d57

SHA512
79c62909eacb5c61cf8cb153fd9e9255a0baf9b2add0324c52c3bf3e41f6bd932354a58cf2e447c8a36b5c51c4b9f9dc7b4ae39a352f8593e9ee7fd9c01727e4

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

Filesize
2KB

MD5
e325c762077ffc8509cd208998eda206

SHA1
6e89b7425d4f704f9dc8a2f48edbf5a24cb6124a

SHA256
58d433d769cf415da014da45432a7467a2cada664c23b16ee69c7f2b4ef2eeee

SHA512
e6df08412c713f91aef32ca7516fbd80ce0d4439389b2ef6c999476c2e7fe73a812cff089aa1ce6ba5ce6185382dbeef0d48b5162b2cce0746dada246e20bb05

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

Filesize
64KB

MD5
2ce0dbda5d9f1375ebf8e2626dcea016

SHA1
5b37e4cefe717115be07e038090cb9e3529e24d5

SHA256
45dc782221ac6486109ceef9c267deba3f0ef333223542917b4055af5d3e4820

SHA512
763153dec5342c873bde53de2378343ad4ff24e9ed8f453daf288f173b54bfaaf96f7c918c2b32838bca1df2e4a8ede09cb29c42a1f8add61a4639bf1a9379ec

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db.RYK

Filesize
763KB

MD5
13f521c9b37e4ef9e61048d28e3fd429

SHA1
e5a7635e5d67ecaaabc35fa41aed8a83c9d0adaa

SHA256
93d08c332ffb4f4251976dff7c0a7e629197ceae156e8d0c1ef295dff42ab106

SHA512
b096c6864fa02ccbf7fd592716c6c5cc757df22c533b6ec3c735425472eb7ae14fe10598fc212e08bcc6d2019f479f10b7ae9626883b3e6a62fbd68a32ab9583

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Admin.bmp.RYK

Filesize
48KB

MD5
608bc918754568b8561c757d24beed69

SHA1
7f3fbc1f77c46f5cc9488f06da085ce49d0452f8

SHA256
4b4ced0556dcf143a8a0e879d6e8b5c96af23d80a006a86826b3e438dc81f8f9

SHA512
843c2f6c79fa2e4918afb87d2bbee46b0d7a4ac2db3680007d3b91ce036b6255f3b19ae8d435bc2290d98bd8472b53a5fac706cdd01445bd8f774936dd0daffc

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log.RYK

Filesize
5KB

MD5
9f4ef1918167aee28694042ba450fda1

SHA1
ae8030244189982d1e950643b4d4898ef9216369

SHA256
3cce69b355d116bb0e2764107ab47ad6e52705ff67c94a7e9258b50f0e4cec1a

SHA512
674b3661c91d2bf577b4535e7624a9a6a3c0d128de9f40b87e18b275f2714b99cb707939fe26699151ad464133eb5ce063c2bf4fe83b1ba0149880efff4f380d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGI456A.tmp-tmp.RYK

Filesize
9KB

MD5
4dca8584107bc18c0e38b64854ba72aa

SHA1
10d06dab95f65cb16fe6dc4552a12cf1b25f9d8e

SHA256
90e3bbebb987b9d0ce330213a00008a2ded5fd002d6cc68b93274b0638b81c92

SHA512
e1c6d993b48793ec35263bfe13130ad0158539bc78a0bc8212ecae6307591caab32f2f815b8758299c9e8869a5ea866cdbf5b27ae7e13d09f714a4559f3d2470

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGI456A.tmp.RYK

Filesize
10KB

MD5
4a9b13abb26147580193171c1295ae3d

SHA1
6446abfad92adf8dc59ac6eb485537324fe59245

SHA256
9cae1d59a94d422519501da21c24c81540b03fccabe87361d14eebec940f2f34

SHA512
914cf6783a8ac2d7ee753ea1aa9bb3c1fddd50a6a7e8a763a99ab622e7f1ee72b9c23d8a37e5ba499f50ecd9c23ae75d8275dbabfbae7eedd2e752cf81e31a94

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install.log.RYK

Filesize
170KB

MD5
f4eb25c462818275aa7f4b8ad2cdd6e0

SHA1
dd97f9074afa71eaf3e5d756e99c9f1f1bcb6c42

SHA256
ef71a76f5124ee684c5047dfacc2cce06168054fe29315f845d54396bda9a62a

SHA512
eee20f17855d90866f3d28d1ee679000cdb1713da1e40830ac2eeeb00c74d85e49dc41efcaf97a1a5e4296968e81b3d6e0347800e0fcd70d65f7aba89a871239

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log.RYK

Filesize
626B

MD5
b39a3426a6d7c686f5a981c8c1041f89

SHA1
9e760b525bc5fdb9591ebeb9338b783c96e9bec1

SHA256
88c6b9d47619b05bb9e2e3d72a643db3a409a63ef079710c68c5b9d114290a02

SHA512
cd791c4586e0f8cfd382b30c07f2e8d25d352fbcdae905133a9c18f084632d9d629dda66a6b2f4a82dcfa73b576a08839b989bd0b69de643e07412ceea3ee240

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log.RYK

Filesize
1KB

MD5
00d8337394d81d947d35170c4a684f89

SHA1
dbcec9c12f4f7f85a8060ea6b99f3b8f9f78dfcc

SHA256
56f6830bf605e0f9df0999dc361fdfcf4b34d4a568b0f9d1086241224f72142f

SHA512
ed58ad6ce0ed6e8f166fb13d9e22c9f6b00bf4fdccadf3b1ebf68171187e7b976e524b7b77de9903b9f84628a7c788d5b09e898b94eefd67203a9f88ed737e07

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK

Filesize
7KB

MD5
e855e4d68be1f3670b9c54222182ed30

SHA1
d4dad99cfd5f85e88fd57b5103901a909b443f44

SHA256
d74f731e3c4c3fde51070c234f214da31b6becec95afae1d5ba23a00a8311614

SHA512
17037cd9484195a0b5c1c6213e4ddf6661f4ac90c50456b72aca4d7b65eed1298bfde1d70b094ffe3d43f7dbf77a5e937f53c0f37802c34d9c18ebd7f72166a1

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak.RYK

Filesize
12KB

MD5
14fe72f8edfe808e5468f5fb96bb61b1

SHA1
f8fa5b1a926724072ca2ff22b4e04ca5c7999ada

SHA256
1867686b6e382a5f3d4ee76b19175b60977292e9c1f1841c7ddce5c867e86c11

SHA512
844577567f176552763142932eb802bfc3d72ec95fb91a55867b33851a38ad71a7f3e84d01410d2edf0d65dc17c65c8f023d92df3de80dc656c0beaf511525ae

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt.RYK

Filesize
6KB

MD5
c219d401b84d57bc1d0abb1634e87996

SHA1
18715db929bd7a38f63f926e41ab2e898c2609c9

SHA256
fb1539042e6c18111e0eef4bceb29350e9dfdab72d6f5d24ca81f0bb8744af4e

SHA512
f4c7dcd8a88229df289f6e52d34d7d924b4f2cd65d0ca570f348921260b31293a49330853af51caa4c6f96058509d01ad1e276859a8cff4ccbdf3732bf6ab1ac

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\LocalMLS_3.wmdb.RYK

Filesize
68KB

MD5
dca99170b6a27702d379a4e5dbc100f4

SHA1
603894f11166a48b322de94372bfcb7e202f778e

SHA256
714f4b6dd713a06d9636f2404e5ac86ece8380aaaff2ed4a13c627cdc18d9532

SHA512
e20463e11c033e6647f47533919e7e7c28549a86dbc9fd6dec131b8e7b05a76c6ab4571e88d03d8b57c88bfae3b2f04f746499900144d6a9d72f070cf9b7ae79

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.chk.RYK

Filesize
8KB

MD5
1ddbd92923bc83165c9282ffb39adfd8

SHA1
2b9cab32593c2aeebe38276534af4d0fe4dbf1fc

SHA256
44c7136928df0371356fd7040dd4d9ab742c506d3b10d7fb0f017a88899157e3

SHA512
48f036b8f7f9e45cd08e699434276f921a85eb0ab7f5bc2577a4bc8b84fd5cd7bdd413d8ff8481baab0056f323c5e34c82c5a6e82c4286b816fb572d03fef9db

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb00001.log.RYK

Filesize
2.0MB

MD5
5f77578b9615d9d8afc29b5589170c1f

SHA1
08efcd421e934d3416aa379557b55efd93322cf1

SHA256
94fabe3de54a1519ba34bb2a56775a6e71281b98ffc7d325fbb2f091204cc9e4

SHA512
04f7035429c39c11adbe66d9ed804e17bde663f389d95c4786a84df51e548d51a53f5c78c88034f59fdc4f7548a6a02e2da6c1a494a6fe75239bd10b5876f919

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00002.jrs.RYK

Filesize
2.0MB

MD5
bb24816b0e93a1c943838cec7c66238f

SHA1
8fc191fe81825064911cc979f9886d7a6314825e

SHA256
0790dc92e3c9bd588b70164dddfc149ce8db22b2ab2a6cbd0f3a1e03997baa37

SHA512
70f2cbfb3ef99d8a3377ce297c88f0b9ef6777754ef892af610d06081ca1b7269b75933bd4b51ee989926f1437d192eda807d789768d5711cfd8c601a7498346

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Media\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_4d2ef0d5-1240-4a07-93d0-06481c31e0ad

Filesize
52B

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Users\Admin\AppData\Local\Temp\QqxlXGJRqlan.exe

Filesize
138KB

MD5
f62bb82db62dd6b80908dcd79ea51fb2

SHA1
e635ba1b935adf31ffd055d71884098567b3dd4f

SHA256
bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800

SHA512
869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyGChhyEUlan.exe

Filesize
138KB

MD5
f62bb82db62dd6b80908dcd79ea51fb2

SHA1
e635ba1b935adf31ffd055d71884098567b3dd4f

SHA256
bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800

SHA512
869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

Download Submit
\Users\Admin\AppData\Local\Temp\QqxlXGJRqlan.exe

Filesize
138KB

MD5
f62bb82db62dd6b80908dcd79ea51fb2

SHA1
e635ba1b935adf31ffd055d71884098567b3dd4f

SHA256
bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800

SHA512
869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

Download Submit
\Users\Admin\AppData\Local\Temp\QqxlXGJRqlan.exe

Filesize
138KB

MD5
f62bb82db62dd6b80908dcd79ea51fb2

SHA1
e635ba1b935adf31ffd055d71884098567b3dd4f

SHA256
bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800

SHA512
869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

Download Submit
\Users\Admin\AppData\Local\Temp\pyGChhyEUlan.exe

Filesize
138KB

MD5
f62bb82db62dd6b80908dcd79ea51fb2

SHA1
e635ba1b935adf31ffd055d71884098567b3dd4f

SHA256
bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800

SHA512
869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

Download Submit
\Users\Admin\AppData\Local\Temp\pyGChhyEUlan.exe

Filesize
138KB

MD5
f62bb82db62dd6b80908dcd79ea51fb2

SHA1
e635ba1b935adf31ffd055d71884098567b3dd4f

SHA256
bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800

SHA512
869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

Download Submit
memory/576-54-0x000007FEFBF01000-0x000007FEFBF03000-memory.dmp

Filesize
8KB

Download
memory/1216-160-0x000000013FA40000-0x000000013FBA4000-memory.dmp

Filesize
1.4MB

Download
memory/1216-67-0x000000013FA40000-0x000000013FBA4000-memory.dmp

Filesize
1.4MB

Download
memory/1216-63-0x000000013FA40000-0x000000013FBA4000-memory.dmp

Filesize
1.4MB

Download