ryuk | bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800

Analysis

max time kernel
109s
max time network
97s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
20-12-2022 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
Size

138KB
MD5

f62bb82db62dd6b80908dcd79ea51fb2
SHA1

e635ba1b935adf31ffd055d71884098567b3dd4f
SHA256

bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800
SHA512

869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08
SSDEEP

3072:dsFd0klDWOsja1mrT0CowNJ8s540uUf0WccH2hgcD:QWHrYNwNeQEBgc

Score

10^/10

ryuk discovery evasion persistence ransomware

Malware Config

Extracted

Path

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

1492 bcdedit.exe
2128 bcdedit.exe
8592 bcdedit.exe
8608 bcdedit.exe
Executes dropped EXE 2 IoCs

Processes:

lMyNRbhtQlan.exeZWuvnQjJelan.exe

pid process

1584 lMyNRbhtQlan.exe
1060 ZWuvnQjJelan.exe

pid	process
1492	bcdedit.exe
2128	bcdedit.exe
8592	bcdedit.exe
8608	bcdedit.exe

pid	process
1584	lMyNRbhtQlan.exe
1060	ZWuvnQjJelan.exe

Loads dropped DLL 4 IoCs

Processes:

bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe

pid	process
1672	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
1672	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
1672	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
1672	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exe

pid process

7364 icacls.exe
1588 icacls.exe
1868 icacls.exe
7348 icacls.exe

pid	process
7364	icacls.exe
1588	icacls.exe
1868	icacls.exe
7348	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\EV = "\ufffeC:\\Users\\Admin\\AppData\\Local\\Temp\\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\EV = "\ufffeC:\\Windows\\system32\\taskhost.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exetaskhost.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\fr-FR\RyukReadMe.html	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Athens	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Uzhgorod.RYK	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\RSSFeeds.css	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00254_.WMF	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cancun	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\DMR_120.jpg	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_bottom_right.png	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore_2.10.1.v20140901-1043.jar	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_zh_4.4.0.v20140623020002.jar	taskhost.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\INDST_01.MID	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0157191.WMF	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\drag.png	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\dnsns.jar	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Catamarca	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Sakhalin	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\gadget.xml	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\RyukReadMe.html	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml.RYK	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Jujuy	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw32.jpg	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099159.WMF	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml.RYK	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif.RYK	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Belize	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\MST7MDT	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\currency.css	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_zh_CN.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-12	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_rest.png	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01658_.WMF	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\currency.html	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\settings.css	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RyukReadMe.html	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\mainscroll.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Uzhgorod	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_zh_4.4.0.v20140623020002.jar	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\RyukReadMe.html	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01586_.WMF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\RyukReadMe.html	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153265.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00118_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152702.WMF	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb	taskhost.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_zh_CN.jar	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml.RYK	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

980 vssadmin.exe
7572 vssadmin.exe

pid	process
980	vssadmin.exe
7572	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 23 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1B360F51-8053-11ED-8DFC-667719A561AF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exetaskhost.exe

pid	process
1672	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
1672	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
1116	taskhost.exe
1672	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
1672	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
1116	taskhost.exe
1672	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AUDIODG.EXEtaskhost.exeWMIC.exevssvc.exelMyNRbhtQlan.exebf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exeZWuvnQjJelan.exeWMIC.exe

description	pid	process
Token: 33	1684	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1684	AUDIODG.EXE
Token: 33	1684	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1684	AUDIODG.EXE
Token: SeBackupPrivilege	1116	taskhost.exe
Token: SeIncreaseQuotaPrivilege	872	WMIC.exe
Token: SeSecurityPrivilege	872	WMIC.exe
Token: SeTakeOwnershipPrivilege	872	WMIC.exe
Token: SeLoadDriverPrivilege	872	WMIC.exe
Token: SeSystemProfilePrivilege	872	WMIC.exe
Token: SeSystemtimePrivilege	872	WMIC.exe
Token: SeProfSingleProcessPrivilege	872	WMIC.exe
Token: SeIncBasePriorityPrivilege	872	WMIC.exe
Token: SeCreatePagefilePrivilege	872	WMIC.exe
Token: SeBackupPrivilege	872	WMIC.exe
Token: SeRestorePrivilege	872	WMIC.exe
Token: SeShutdownPrivilege	872	WMIC.exe
Token: SeDebugPrivilege	872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	872	WMIC.exe
Token: SeRemoteShutdownPrivilege	872	WMIC.exe
Token: SeUndockPrivilege	872	WMIC.exe
Token: SeManageVolumePrivilege	872	WMIC.exe
Token: 33	872	WMIC.exe
Token: 34	872	WMIC.exe
Token: 35	872	WMIC.exe
Token: SeIncreaseQuotaPrivilege	872	WMIC.exe
Token: SeSecurityPrivilege	872	WMIC.exe
Token: SeTakeOwnershipPrivilege	872	WMIC.exe
Token: SeLoadDriverPrivilege	872	WMIC.exe
Token: SeSystemProfilePrivilege	872	WMIC.exe
Token: SeSystemtimePrivilege	872	WMIC.exe
Token: SeProfSingleProcessPrivilege	872	WMIC.exe
Token: SeIncBasePriorityPrivilege	872	WMIC.exe
Token: SeCreatePagefilePrivilege	872	WMIC.exe
Token: SeBackupPrivilege	872	WMIC.exe
Token: SeRestorePrivilege	872	WMIC.exe
Token: SeShutdownPrivilege	872	WMIC.exe
Token: SeDebugPrivilege	872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	872	WMIC.exe
Token: SeRemoteShutdownPrivilege	872	WMIC.exe
Token: SeUndockPrivilege	872	WMIC.exe
Token: SeManageVolumePrivilege	872	WMIC.exe
Token: 33	872	WMIC.exe
Token: 34	872	WMIC.exe
Token: 35	872	WMIC.exe
Token: SeBackupPrivilege	2204	vssvc.exe
Token: SeRestorePrivilege	2204	vssvc.exe
Token: SeAuditPrivilege	2204	vssvc.exe
Token: SeBackupPrivilege	1584	lMyNRbhtQlan.exe
Token: SeBackupPrivilege	1672	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
Token: SeBackupPrivilege	1060	ZWuvnQjJelan.exe
Token: SeIncreaseQuotaPrivilege	7588	WMIC.exe
Token: SeSecurityPrivilege	7588	WMIC.exe
Token: SeTakeOwnershipPrivilege	7588	WMIC.exe
Token: SeLoadDriverPrivilege	7588	WMIC.exe
Token: SeSystemProfilePrivilege	7588	WMIC.exe
Token: SeSystemtimePrivilege	7588	WMIC.exe
Token: SeProfSingleProcessPrivilege	7588	WMIC.exe
Token: SeIncBasePriorityPrivilege	7588	WMIC.exe
Token: SeCreatePagefilePrivilege	7588	WMIC.exe
Token: SeBackupPrivilege	7588	WMIC.exe
Token: SeRestorePrivilege	7588	WMIC.exe
Token: SeShutdownPrivilege	7588	WMIC.exe
Token: SeDebugPrivilege	7588	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

90884 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

90884 iexplore.exe
90884 iexplore.exe
92044 IEXPLORE.EXE
92044 IEXPLORE.EXE

pid	process
90884	iexplore.exe

pid	process
90884	iexplore.exe
90884	iexplore.exe
92044	IEXPLORE.EXE
92044	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exenet.exenet.exetaskhost.execmd.execmd.execmd.exenet.execmd.exe

description	pid	process	target process
PID 1672 wrote to memory of 1584	1672	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	lMyNRbhtQlan.exe
PID 1672 wrote to memory of 1584	1672	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	lMyNRbhtQlan.exe
PID 1672 wrote to memory of 1584	1672	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	lMyNRbhtQlan.exe
PID 1672 wrote to memory of 1060	1672	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	ZWuvnQjJelan.exe
PID 1672 wrote to memory of 1060	1672	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	ZWuvnQjJelan.exe
PID 1672 wrote to memory of 1060	1672	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	ZWuvnQjJelan.exe
PID 1672 wrote to memory of 1460	1672	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	net.exe
PID 1672 wrote to memory of 1460	1672	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	net.exe
PID 1672 wrote to memory of 1460	1672	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	net.exe
PID 1672 wrote to memory of 1116	1672	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	taskhost.exe
PID 1460 wrote to memory of 1532	1460	net.exe	net1.exe
PID 1460 wrote to memory of 1532	1460	net.exe	net1.exe
PID 1460 wrote to memory of 1532	1460	net.exe	net1.exe
PID 1672 wrote to memory of 1544	1672	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	net.exe
PID 1672 wrote to memory of 1544	1672	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	net.exe
PID 1672 wrote to memory of 1544	1672	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	net.exe
PID 1544 wrote to memory of 752	1544	net.exe	net1.exe
PID 1544 wrote to memory of 752	1544	net.exe	net1.exe
PID 1544 wrote to memory of 752	1544	net.exe	net1.exe
PID 1672 wrote to memory of 1180	1672	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	Dwm.exe
PID 1672 wrote to memory of 1584	1672	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	lMyNRbhtQlan.exe
PID 1116 wrote to memory of 1852	1116	taskhost.exe	cmd.exe
PID 1116 wrote to memory of 1852	1116	taskhost.exe	cmd.exe
PID 1116 wrote to memory of 1852	1116	taskhost.exe	cmd.exe
PID 1116 wrote to memory of 952	1116	taskhost.exe	cmd.exe
PID 1116 wrote to memory of 952	1116	taskhost.exe	cmd.exe
PID 1116 wrote to memory of 952	1116	taskhost.exe	cmd.exe
PID 1116 wrote to memory of 972	1116	taskhost.exe	cmd.exe
PID 1116 wrote to memory of 972	1116	taskhost.exe	cmd.exe
PID 1116 wrote to memory of 972	1116	taskhost.exe	cmd.exe
PID 1116 wrote to memory of 1456	1116	taskhost.exe	cmd.exe
PID 1116 wrote to memory of 1456	1116	taskhost.exe	cmd.exe
PID 1116 wrote to memory of 1456	1116	taskhost.exe	cmd.exe
PID 1116 wrote to memory of 1588	1116	taskhost.exe	icacls.exe
PID 1116 wrote to memory of 1588	1116	taskhost.exe	icacls.exe
PID 1116 wrote to memory of 1588	1116	taskhost.exe	icacls.exe
PID 1116 wrote to memory of 1868	1116	taskhost.exe	icacls.exe
PID 1116 wrote to memory of 1868	1116	taskhost.exe	icacls.exe
PID 1116 wrote to memory of 1868	1116	taskhost.exe	icacls.exe
PID 1116 wrote to memory of 1620	1116	taskhost.exe	cmd.exe
PID 1116 wrote to memory of 1620	1116	taskhost.exe	cmd.exe
PID 1116 wrote to memory of 1620	1116	taskhost.exe	cmd.exe
PID 1116 wrote to memory of 768	1116	taskhost.exe	net.exe
PID 1116 wrote to memory of 768	1116	taskhost.exe	net.exe
PID 1116 wrote to memory of 768	1116	taskhost.exe	net.exe
PID 972 wrote to memory of 1492	972	cmd.exe	bcdedit.exe
PID 972 wrote to memory of 1492	972	cmd.exe	bcdedit.exe
PID 972 wrote to memory of 1492	972	cmd.exe	bcdedit.exe
PID 1852 wrote to memory of 872	1852	cmd.exe	WMIC.exe
PID 1852 wrote to memory of 872	1852	cmd.exe	WMIC.exe
PID 1852 wrote to memory of 872	1852	cmd.exe	WMIC.exe
PID 952 wrote to memory of 980	952	cmd.exe	vssadmin.exe
PID 952 wrote to memory of 980	952	cmd.exe	vssadmin.exe
PID 952 wrote to memory of 980	952	cmd.exe	vssadmin.exe
PID 972 wrote to memory of 2128	972	cmd.exe	bcdedit.exe
PID 972 wrote to memory of 2128	972	cmd.exe	bcdedit.exe
PID 972 wrote to memory of 2128	972	cmd.exe	bcdedit.exe
PID 768 wrote to memory of 2140	768	net.exe	net1.exe
PID 768 wrote to memory of 2140	768	net.exe	net1.exe
PID 768 wrote to memory of 2140	768	net.exe	net1.exe
PID 1620 wrote to memory of 2160	1620	cmd.exe	reg.exe
PID 1620 wrote to memory of 2160	1620	cmd.exe	reg.exe
PID 1620 wrote to memory of 2160	1620	cmd.exe	reg.exe
PID 1672 wrote to memory of 7264	1672	bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe	cmd.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Windows\system32\cmd.exe
  cmd /c "WMIC.exe shadowcopy delete"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC.exe shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:872
- C:\Windows\system32\cmd.exe
  cmd /c "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:980
- C:\Windows\system32\cmd.exe
  cmd /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1492
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2128
- C:\Windows\system32\cmd.exe
  cmd /c "bootstatuspolicy ignoreallfailures"
  2⤵
  PID:1456
- C:\Windows\system32\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Qþþÿþ
  2⤵
  - Modifies file permissions
  PID:1588
- C:\Windows\system32\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Qþþÿþ
  2⤵
  - Modifies file permissions
  PID:1868
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f /reg:64
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:2160
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2140
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:76660
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:76940

C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
"C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\lMyNRbhtQlan.exe
  "C:\Users\Admin\AppData\Local\Temp\lMyNRbhtQlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Users\Admin\AppData\Local\Temp\ZWuvnQjJelan.exe
  "C:\Users\Admin\AppData\Local\Temp\ZWuvnQjJelan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1532
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:752
- C:\Windows\system32\cmd.exe
  cmd /c "WMIC.exe shadowcopy delete"
  2⤵
  PID:7264
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC.exe shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7588
- C:\Windows\system32\cmd.exe
  cmd /c "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:7276
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:7572
- C:\Windows\system32\cmd.exe
  cmd /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
  2⤵
  PID:7300
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:8592
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:8608
- C:\Windows\system32\cmd.exe
  cmd /c "bootstatuspolicy ignoreallfailures"
  2⤵
  PID:7320
- C:\Windows\system32\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Qþþÿþ
  2⤵
  - Modifies file permissions
  PID:7348
- C:\Windows\system32\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Qþþÿþ
  2⤵
  - Modifies file permissions
  PID:7364
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:7412
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:8120
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe" /f /reg:64
  2⤵
  PID:7404
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:8144
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:69792
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:69832
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:90808
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:90836

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:768

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\RyukReadMe.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:90884
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:90884 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:92044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\$Recycle.Bin\S-1-5-21-4063495947-34355257-727531523-1000\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK

Filesize
8KB

MD5
bf90ca3762cc3d9e7e56046c711b97ff

SHA1
db2862a5b0c0691c1ac1488b889453df7f263afa

SHA256
d813c0ce502e8441e73d586cf656d14a1c4020fd735c3ca448505df0324aa757

SHA512
91feaf37a21e716b0707573d67c7e1a399b3f4f9e138bb56ffc235911082177edf2c1cf5d00a80af11e267fa599696ff1614508b40e44611bd913d6e7f120709

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache10.lst.RYK

Filesize
2KB

MD5
dd38c18944a06ee4a8cfacc6a00a39cc

SHA1
179102b3a74e13728d8128fdf9dbbe7a981a295e

SHA256
b0b1857e0ea13893b56527179cb95ab751d50bd0d66ab2e5b21ca8a9420b0910

SHA512
95f3da400e4f5dbdeefca0599df760fbe4f830f9fb71e8b08bdf68c15b3015793edab3d38a8e49831bca6c9c035927f23704a250d8b172ba801089fd7d5829d8

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

Filesize
2KB

MD5
723ae1e3f9efb68233e85071f964aa82

SHA1
ce13c356632d00500d65f138d9836d554247cbf5

SHA256
2fb79c60cbf81627ea37859d1768b0ba627a720ba68e49dfc0d7202d2a85c078

SHA512
908735ed57b906bbd81524541aadb613aa7e984e441e9135f23d9ea71e80189facecd7daa6787f8199351da291b29ee11155a67c0608058a18241388ddca0a51

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

Filesize
64KB

MD5
2780949502724b7d937cfb0232ff83c0

SHA1
c9395bd8c161f6b20db325040f803765c0976f38

SHA256
686ef708963d0138c9dae936742ffaa2cdec2a986dd6760a3ae1b4b690332eb4

SHA512
b32ca097d180c430e0a1c7c7e1e4684b658404f0cd43d001093540fa86d67b2fe43ea33b5274217af51f59853eb8eb016d239692f2a8e20fe1029c48e3dc0317

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db.RYK

Filesize
763KB

MD5
897156ddc27f633c5e11b80c84d6b7ca

SHA1
34808c9473137bb00123e6f12a29574d23a857cd

SHA256
0945f524472cd3bc8e67d8719a52feb4c3ac11e62630caddd1a52580f9907e69

SHA512
406296be73f1442fb5d798817de4f0fae7454a84e72aa87ea2eb4b956b04498695913693660d0ff6e90997b2cfc307ba855550baec25b5f6b129321a6ac59ec0

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Admin.bmp.RYK

Filesize
48KB

MD5
1b76c0afc705058d1f8c0f3a085ce961

SHA1
cc740f103e19bd5671cf3369ee43a29d1aff991e

SHA256
6eadb3c3e12c7d7ffa49a4b64a5667dbf9706c0d68d0c5ea32224889368f087f

SHA512
7cf4b1aa3fb58064cc69dc9c32a48573f14b7bc95353f7854d49d2df9d85518940db16c4add7d42ee77b044c216485991cbc1174bdf030bdeaaa9396422f2dbe

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log.RYK

Filesize
5KB

MD5
fa51fa3dbb0a25388a7fc25fecd8fcba

SHA1
7333cb9fbdbbcba4fd35997c4fd04e00c759934d

SHA256
9e8e6b1145413c06ead94c320b1ca2ebe984b62a76df210aab9ea7926aa35a1f

SHA512
144d0ecd8d057bd77ec13117dc7b40feafcb850d93f9356317af6728e8dd7c9395d7113d7a2b900ca6bea789e42e4c2b3c16d083a869c2c192b713ff4f9d9a42

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGI24D0.tmp-tmp.RYK

Filesize
9KB

MD5
0310ae8a0f3558d2b851da71a754a46c

SHA1
e156f64bb1a8a0c5507374fc3f45810b2d6fa580

SHA256
657ad475883186d7776b91b84e460b8c67dab45c9841bff0e414b5ccd86af5e5

SHA512
3db935fb8f10209239afca7366fc688b475474d5c9a583ee5c5596a0c27dca2ade13ff97c1282d28f400e794d5f98e33a65a21cfd553b661365b8c1bef15637b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGI24D0.tmp.RYK

Filesize
10KB

MD5
5c1f800b4e236131343ef7bc3da4e358

SHA1
4cbde89a7fbb17595557cdbb333d3c0e2c31fc01

SHA256
f362dc1bc0314afb4d1ed71806cecaff867a8f0df89e59736e9d75d1c309bd41

SHA512
f02867c0f604958adb621dc42792b7ee038dbb037fb76de80234ba1a9400423e8405ed7c22d9e228f3e595dafafdfb40f28862fc04d35a2c950a830150d114cd

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install.log.RYK

Filesize
170KB

MD5
71e9601619dcd47e4159c38252015616

SHA1
93fc169ffb92bfa28b5f4a2d56acc77f72b9051f

SHA256
634ccb1a52b5ae68eb932244f8e4f1d5829e07ff40ae17dcabf8954357d03458

SHA512
662d1b7d4269609926b3743a201838d486d74af26da1e98c1b220784ea123b20303fa655da06de3464c6401f579bc67f4549e66e63a43f72eb7f36b4db6614ee

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log.RYK

Filesize
626B

MD5
7bc036a6a70b43a52ea270ed11a6d2f0

SHA1
04179f22cdf45ea2b0a7f8ee86ed2b5f2637d940

SHA256
f17fa60105feb0e2642c02336da2b67993c3f7a825e53f85c0368be32fe3d256

SHA512
7f9cae843372e0fd1f7c3652014b712794ebe259fcdece95dff949d9c7efc1072dd5abae17b423835bf7d03a7e35a5f551ee7ee4936f59a8acf748d909781ce1

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log.RYK

Filesize
1KB

MD5
4f76be2df9ef93cfbb9acab294f03961

SHA1
94e31ebf3d928327bb65198acc84ce2c7ca550c9

SHA256
192f760fd538400ab075c149de36887834fba30fb8c1b7d2a5ff06bab924331c

SHA512
96028f16b0aeeed27baacce704e3c9c6d91b62947fef2ee5b6003cc4e19b9e96d13ca4d237497fed5e6db0363da308f5ddb96c92c18edfd5f64bf151a07950b6

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK

Filesize
7KB

MD5
a3d999fa78ff731c87c0f3a531eb1d8a

SHA1
c9cfa81df75127d66c774c6b0b49665714ff2d0e

SHA256
2958b36bc007fd1c3844b88e8fc793e8984bac5fd5fc72ab93e4341ed47970f6

SHA512
b182a033f0ce1abccf09067336cd2eca758211894451ecd703e744937446e27ab8d36c2f3ac4dffe644c328fabe51dd5ca7ca7765ba27a1e6a004adca7f198db

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak.RYK

Filesize
12KB

MD5
0a11dbd21dc8d6d57ae9c8bcc8c8f606

SHA1
a65eaf4b6e88b7c17dbaf8a4aefb0f683076117a

SHA256
f57c118d645bccc8868bb7b8b3b225de82ec8bbbe8f4ec58b4488c237e5933be

SHA512
57093e5c7bb226c488be606cdfb8f73bf63af32a971a397ad7cca631aa0ab7b879b377ce653bb8c2d4c415cdc168062f41613583af2f55568e846b1fa1eb5f9b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt.RYK

Filesize
6KB

MD5
447f8f3381ec1b12fd035b277b10b94e

SHA1
cc345b79af03703be09b8d2074a27c8ac5fa274d

SHA256
55751e1ce4bf2209f71bdc2fe73268d921612f2253e52776b0b9655d60b677f1

SHA512
3afc78f62e4c8c8b090d9ab2d45bbee3ce71fe3d26655bafdbe01924975c7cd12f310c60ad69c569ffc9295bb563695c087d413b8be4e2ece146e74dc0a82fd3

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\LocalMLS_3.wmdb.RYK

Filesize
68KB

MD5
324b02213671bed4b3ac55fd44184514

SHA1
5535fdf3034e1f153cb45c92b8f155ed7f130d06

SHA256
31087ff2d2868453f7c525f8210b97ab91a7dcdfb54ef60ae96b1b8917601fe1

SHA512
5905bcf9f902e049121df00dc2a47c342f3cf1cf365bd5e80e1b01478861722ab21abcd092c53c308a49d9e53e51b4dbe2b4e9073ff9bcafda23f520055bf7eb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.chk.RYK

Filesize
8KB

MD5
1039764a48b3a9b34b2568786b6e9fc7

SHA1
8c0279561e1cc9604dd8a8fef4c3ad308966804e

SHA256
7c19cc4fc7b285fc95c7f1f2e0260fb754c79a6a3e6f62c1d32049609bf9e757

SHA512
471f3b6b09493c148cebf55f150c47a93763a59eb6c8fefbf579b7c4ca10cd1aa5b0f9ce36f0ad95188a2f7286d4d246c6abd6c5c5521d68ee5c0e550f060abe

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.log.RYK

Filesize
2.0MB

MD5
be3e049a5c32e1fd9b0fd0c84c405ac0

SHA1
2ecef2f0e62f303f2d83378a3170f85b25aa6364

SHA256
8f8f6d9058059e737a2aaa7d5c0e0ec06f0bf3329cbc967a10d9a57aa6e9a7aa

SHA512
cd557d509dcb2581f6a91ce52eda4fa90b8df1556ce24f7f19524ffff227a081ff69653f0ae31fe0bed7b69f311c6fb38a6fcde40753222f18228ca212b715bd

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb00001.log.RYK

Filesize
2.0MB

MD5
90ff23f9771f1633ab5f188ac03a830f

SHA1
3575e0fc498566068a49dd033d5b1fca13439a21

SHA256
8512ea122434d355e9e9cbccb891cfca837946f5b2beeaa50d65f945d4a35bdd

SHA512
88276e4005ea724fc012b4e36a098c20ae59b17c7c723d95d3db19ca8b50b631b584f7ca9b34007b9bb3a5d4336a7e52672abf91b894c599a7a23b0062687493

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00001.jrs.RYK

Filesize
2.0MB

MD5
845736c2f94a26ae4fba544b315097f3

SHA1
bfc0f010fb36e5cb82bad05fc01370f433719662

SHA256
5e022fc518541d2df49e529305d0f9013ea173af93ed33816193042bea22ab5d

SHA512
42b3295f673b0c9e5205676f180f8f36f38153c98c0f47fb96c5efe5c7ab4b4f806cb58050d317a48c73b0d09d50f318eb4945e65d58528dfd510310cd0fe670

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00002.jrs.RYK

Filesize
2.0MB

MD5
49820cb073bf1dc1653e62ed7c281aa3

SHA1
4f84dadec334761dccef8fe18e1f19dbbd5e76b0

SHA256
d3ba3d4977a6b70f4217fa89c1808cc24980263c01cead11e4b614f4fd496db7

SHA512
042800802c523fbc749ffe948ad2e02f0f5ddb7c58f89a1110c246d17ddb22bdaf4df74db5def2acb707b0051c93f72619da209dc1166ac7f5758adc9490a254

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Documents and Settings\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_8e28fefd-2db0-4dd4-85d7-665f2cf2c74b

Filesize
52B

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Filesize
627B

MD5
98c5368458ac9b511e07fc7b1dafd2ed

SHA1
d16a5c8f6f63d7397f6b42e455f81791b7d4ac73

SHA256
cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2

SHA512
89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZWuvnQjJelan.exe

Filesize
138KB

MD5
f62bb82db62dd6b80908dcd79ea51fb2

SHA1
e635ba1b935adf31ffd055d71884098567b3dd4f

SHA256
bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800

SHA512
869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\lMyNRbhtQlan.exe

Filesize
138KB

MD5
f62bb82db62dd6b80908dcd79ea51fb2

SHA1
e635ba1b935adf31ffd055d71884098567b3dd4f

SHA256
bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800

SHA512
869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

Download Submit
\Users\Admin\AppData\Local\Temp\ZWuvnQjJelan.exe

Filesize
138KB

MD5
f62bb82db62dd6b80908dcd79ea51fb2

SHA1
e635ba1b935adf31ffd055d71884098567b3dd4f

SHA256
bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800

SHA512
869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

Download Submit
\Users\Admin\AppData\Local\Temp\ZWuvnQjJelan.exe

Filesize
138KB

MD5
f62bb82db62dd6b80908dcd79ea51fb2

SHA1
e635ba1b935adf31ffd055d71884098567b3dd4f

SHA256
bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800

SHA512
869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

Download Submit
\Users\Admin\AppData\Local\Temp\lMyNRbhtQlan.exe

Filesize
138KB

MD5
f62bb82db62dd6b80908dcd79ea51fb2

SHA1
e635ba1b935adf31ffd055d71884098567b3dd4f

SHA256
bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800

SHA512
869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

Download Submit
\Users\Admin\AppData\Local\Temp\lMyNRbhtQlan.exe

Filesize
138KB

MD5
f62bb82db62dd6b80908dcd79ea51fb2

SHA1
e635ba1b935adf31ffd055d71884098567b3dd4f

SHA256
bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800

SHA512
869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

Download Submit
memory/752-70-0x0000000000000000-mapping.dmp

Download
memory/768-82-0x0000000000000000-mapping.dmp

Download
memory/872-84-0x0000000000000000-mapping.dmp

Download
memory/952-76-0x0000000000000000-mapping.dmp

Download
memory/972-77-0x0000000000000000-mapping.dmp

Download
memory/980-85-0x0000000000000000-mapping.dmp

Download
memory/1060-62-0x0000000000000000-mapping.dmp

Download
memory/1116-64-0x000000013F6A0000-0x000000013F804000-memory.dmp

Filesize
1.4MB

Download
memory/1116-71-0x000000013F6A0000-0x000000013F804000-memory.dmp

Filesize
1.4MB

Download
memory/1116-161-0x000000013F6A0000-0x000000013F804000-memory.dmp

Filesize
1.4MB

Download
memory/1456-78-0x0000000000000000-mapping.dmp

Download
memory/1460-66-0x0000000000000000-mapping.dmp

Download
memory/1492-83-0x0000000000000000-mapping.dmp

Download
memory/1532-67-0x0000000000000000-mapping.dmp

Download
memory/1544-68-0x0000000000000000-mapping.dmp

Download
memory/1584-57-0x0000000000000000-mapping.dmp

Download
memory/1588-79-0x0000000000000000-mapping.dmp

Download
memory/1620-81-0x0000000000000000-mapping.dmp

Download
memory/1672-54-0x000007FEFB7F1000-0x000007FEFB7F3000-memory.dmp

Filesize
8KB

Download
memory/1852-75-0x0000000000000000-mapping.dmp

Download
memory/1868-80-0x0000000000000000-mapping.dmp

Download
memory/2128-86-0x0000000000000000-mapping.dmp

Download
memory/2140-87-0x0000000000000000-mapping.dmp

Download
memory/2160-88-0x0000000000000000-mapping.dmp

Download
memory/7264-90-0x0000000000000000-mapping.dmp

Download
memory/7276-91-0x0000000000000000-mapping.dmp

Download
memory/7300-92-0x0000000000000000-mapping.dmp

Download
memory/7320-93-0x0000000000000000-mapping.dmp

Download
memory/7348-94-0x0000000000000000-mapping.dmp

Download
memory/7364-95-0x0000000000000000-mapping.dmp

Download
memory/7404-96-0x0000000000000000-mapping.dmp

Download
memory/7412-97-0x0000000000000000-mapping.dmp

Download
memory/7572-115-0x0000000000000000-mapping.dmp

Download
memory/7588-114-0x0000000000000000-mapping.dmp

Download
memory/8120-125-0x0000000000000000-mapping.dmp

Download
memory/8144-126-0x0000000000000000-mapping.dmp

Download
memory/8592-127-0x0000000000000000-mapping.dmp

Download
memory/8608-128-0x0000000000000000-mapping.dmp

Download
memory/69792-162-0x0000000000000000-mapping.dmp

Download
memory/69832-163-0x0000000000000000-mapping.dmp

Download
memory/76660-164-0x0000000000000000-mapping.dmp

Download
memory/76940-165-0x0000000000000000-mapping.dmp

Download
memory/90808-166-0x0000000000000000-mapping.dmp

Download
memory/90836-167-0x0000000000000000-mapping.dmp

Download