ryuk | 25cb9bd4cd6df480d638f415ff0fa631e8286cf125858ae230a91736e09c25de

Analysis

max time kernel
67s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-12-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
Size

365KB
MD5

5544362f8a060fb0fd9678a450ab1ada
SHA1

3267d35994b321c2011ee7e2f52ec69517320508
SHA256

15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0
SHA512

fc0b98a10792073a35a8bd4bdc0b0edf769025b31cf64ac3e64b20fd0e4f48c2f33b20e81101e83d44a90900f938bfd245f096cb2eb69f2c91a8662d61b8f6a0
SSDEEP

6144:Cqv7LSCyncJdsMUZUaV9RTx00sAzqZJjW4Azd2gmmNS:CgnSjncJdjUZUaV9M2zqZplAzd2+S

Score

10^/10

ryuk credential_access defense_evasion discovery execution impact ransomware stealer

Malware Config

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Ryuk family
ryuk
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (5222) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\de-DE\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\fr-FR\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\it-IT\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\es-ES\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\ja-JP\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe

Executes dropped EXE 1 IoCs

pid	Process
1988	ZPmVOwz.exe

Loads dropped DLL 2 IoCs

pid	Process
1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe

Modifies file permissions 1 TTPs 6 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
17164	icacls.exe
17172	icacls.exe
2796	icacls.exe
2872	icacls.exe
2772	icacls.exe
17156	icacls.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\_Default\Enterprise\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmnova.inf_amd64_neutral_b52d8db82d8c3be9\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmrock3.inf_amd64_neutral_9fdc5d710dd63e80\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky307.inf_amd64_ja-jp_e40bd14f18e8ff7d\Amd64\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomeBasicN\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr003.inf_amd64_neutral_c07c33bfb5764bdb\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\rdvgwddm.inf_amd64_neutral_dd691eae66f3032d\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\tdibth.inf_amd64_neutral_6ad685957123daf1\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\OEM\StarterN\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmzyxlg.inf_amd64_neutral_14f9249844f1cf17\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky007.inf_amd64_neutral_e637699044f367f3\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\eval\Enterprise\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\eval\UltimateE\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Networking-MPSSVC-Svc\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\NetworkList\Icons\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Professional\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\eval\EnterpriseN\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmnokia.inf_amd64_neutral_a8e9a41983d33a0b\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\net1kx64.inf_amd64_neutral_1f62482fbb9e52a5\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnfx002.inf_amd64_neutral_b6dd354531184f64\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky305.inf_amd64_ja-jp_4d77cc4802b17ec3\Amd64\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\eval\UltimateN\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ws3cap.inf_amd64_neutral_eeaccb8f1560f5fb\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr00a.inf_amd64_neutral_e7f3f91e6832ef5c\Amd64\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky305.inf_amd64_ja-jp_4d77cc4802b17ec3\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx00x.inf_amd64_neutral_808baf4e08594a59\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsh002.inf_amd64_neutral_42b7a64f45c7554c\Amd64\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\eval\HomeBasicE\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\nb-NO\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\Speech\SpeechUX\en-US\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnxx002.inf_amd64_neutral_560fdd891b24f384\Amd64\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\eval\Professional\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\_Default\HomePremiumE\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\averfx2hbtv_x64.inf_amd64_neutral_7216b6fb23536c40\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmpenr.inf_amd64_neutral_34624840c3163a38\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00x.inf_amd64_neutral_eb0842aa932d01ee\Amd64\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky308.inf_amd64_ja-jp_d90af802b607044a\Amd64\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\eval\UltimateE\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\001b\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\Speech\SpeechUX\ja-JP\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-ADFS-DL\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\NDF\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\catroot\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\nete1e3e.inf_amd64_neutral_f77725472d91b1d1\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netvfx64.inf_amd64_neutral_194cb6d2ea3a486e\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00c.inf_amd64_neutral_510c36849918ce92\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep002.inf_amd64_neutral_efc4a7485b172c07\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep003.inf_amd64_neutral_92ed2d842e0dd4ea\Amd64\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\ja\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\migration\WSMT\rras\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiasa002.inf_amd64_neutral_6429a42f1243419a\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\_Default\ProfessionalE\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\XPSViewer\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\catroot2\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\SysWOW64\Dism\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\1394.inf_amd64_neutral_0b11366838152a76\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_amd64_neutral_668286aa35d55928\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsh002.inf_amd64_neutral_42b7a64f45c7554c\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152608.WMF	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14752_.GIF	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LABEL.DPV	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color32.bmp	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EURO\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\macroprogress.gif	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSTORY.XML	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_OFF.GIF	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mscss7wre_fr.dub	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveMergeLetter.dotx	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH.HXS	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider.png	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03224I.JPG	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14565_.GIF	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\sandbox.luac	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\PINELUMB.HTM	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR40F.GIF	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\tab_off.gif	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\TAB_OFF.GIF	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\picturePuzzle.css	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199661.WMF	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\TAB_ON.GIF	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions_Generic.css	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\MessageBoxIconImages.jpg	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\slideShow.js	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Adjacency.xml	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME17.CSS	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR22F.GIF	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239935.WMF	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\gadget.xml	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\oledbvbs.inc	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\TimeCard.xltx	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\gadget.xml	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR8F.GIF	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\PACBELL.NET.XML	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME46.CSS	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\INFOMAIL.CFG	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\vintage.png	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-background.png	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_01.MID	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Thatch.thmx	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files\Common Files\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\gadget.xml	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\RSSFeeds.css	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0280468.WMF	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\amd64_bth.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e350eb6e50addf34\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\winsxs\amd64_iscsi.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_78164d01f8c2de69\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\winsxs\amd64_mdmirmdm.inf_31bf3856ad364e35_6.1.7600.16385_none_630f6f699f391c3d\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-autoconv.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b9cde5d1c5d5daaa\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\SYSTEM.CONFIGURATION.resources\2.0.0.0_it_b03f5f7f11d50a3a\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\policy.3.5.System.Data.SqlServerCe\3.5.0.0__89845dcd8080cc91\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.ServiceProcess.resources\2.0.0.0_ja_b03f5f7f11d50a3a\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\UIAutomationTypes.resources\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\Downloaded Program Files\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\inf\BITS\040C\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\inf\Windows Workflow Foundation 4.0.0.0\0816\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.MediaCenter.Playback\6.1.0.0__31bf3856ad364e35\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-bootres.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_e03d2d19634b8497\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\winsxs\amd64_mdmgcs.inf_31bf3856ad364e35_6.1.7600.16385_none_018280cbf469db17\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\880a680b2160130c8cf858a7d2a9067d\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\winsxs\amd64_digitalmediadevice.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_56e7644fef5d7c57\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.MediaCenter.Shell\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.XML.resources\2.0.0.0_es_b77a5c561934e089\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\winsxs\amd64_lsi_sas2.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b8b562284a9c84e3\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.MediaCenter.iTv.Hosting\6.1.0.0__31bf3856ad364e35\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\MICROSOFT.VISUALBASIC.COMPATIBILITY.resources\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.GetDiagInput.Resources\1.0.0.0_de_31bf3856ad364e35\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\SMSvcHost\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.resources\2.0.0.0_de_b03f5f7f11d50a3a\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.ApplicationId.RuleWizard.Resources\6.1.0.0_ja_31bf3856ad364e35\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\ja-JP\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_es-es_12a9a5eba4e40ea1\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0000\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\Boot\PCAT\ru-RU\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\diagnostics\system\AERO\es-ES\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\inf\usbhub\0409\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Wind74b7bf4b#\f3b97fc6e0780d13a9e007ff4051b68f\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\DE\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\Performance\WinSAT\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\winsxs\amd64_1394.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_6132b23b2e89a646\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\winsxs\amd64_bth.inf_31bf3856ad364e35_6.1.7601.17514_none_d06ac9aad230c1d6\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\winsxs\amd64_elxstor.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d0af5c24cc78eb20\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\winsxs\amd64_fundisc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c6d72e67a09511e6\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\14.0.0.0__71e9bce111e9429c\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\MMCEx\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-a..e-apphelp.resources_31bf3856ad364e35_6.1.7600.16385_it-it_6ebdee3975b6f113\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-a..wdm-audio.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cca8caec1b8b9631\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-b..bitsadmin.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_028b00953d3013a8\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-c..splay-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f823594127c06f53\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Idena7b556ff#\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\assembly\GAC_32\Policy.1.7.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections.Specialized\v4.0_4.0.0.0__b03f5f7f11d50a3a\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-bluetooth-mtpenum_31bf3856ad364e35_6.1.7600.16385_none_5e768c29117894b2\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-c..questtool.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1009096f8c6a40a8\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ehshell\6.1.0.0__31bf3856ad364e35\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.GroupPolicy.Reporting.Resources\2.0.0.0_de_31bf3856ad364e35\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data.SqlXml\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Entity.Design\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\winsxs\amd64_desktop_shell-gettingstarted.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c72bd361b0d0697a\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\winsxs\amd64_mdmcxpv6.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d07101ecaa44c4af\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-a..ime-upgrade-results_31bf3856ad364e35_6.1.7601.17514_none_21de7e134213566a\RyukReadMe.html	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZPmVOwz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2580	vssadmin.exe
17368	vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
1988	ZPmVOwz.exe
1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
1988	ZPmVOwz.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
Token: SeIncreaseQuotaPrivilege	2852	WMIC.exe
Token: SeSecurityPrivilege	2852	WMIC.exe
Token: SeTakeOwnershipPrivilege	2852	WMIC.exe
Token: SeLoadDriverPrivilege	2852	WMIC.exe
Token: SeSystemProfilePrivilege	2852	WMIC.exe
Token: SeSystemtimePrivilege	2852	WMIC.exe
Token: SeProfSingleProcessPrivilege	2852	WMIC.exe
Token: SeIncBasePriorityPrivilege	2852	WMIC.exe
Token: SeCreatePagefilePrivilege	2852	WMIC.exe
Token: SeBackupPrivilege	2852	WMIC.exe
Token: SeRestorePrivilege	2852	WMIC.exe
Token: SeShutdownPrivilege	2852	WMIC.exe
Token: SeDebugPrivilege	2852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2852	WMIC.exe
Token: SeRemoteShutdownPrivilege	2852	WMIC.exe
Token: SeUndockPrivilege	2852	WMIC.exe
Token: SeManageVolumePrivilege	2852	WMIC.exe
Token: 33	2852	WMIC.exe
Token: 34	2852	WMIC.exe
Token: 35	2852	WMIC.exe
Token: SeBackupPrivilege	2596	vssvc.exe
Token: SeRestorePrivilege	2596	vssvc.exe
Token: SeAuditPrivilege	2596	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2852	WMIC.exe
Token: SeSecurityPrivilege	2852	WMIC.exe
Token: SeTakeOwnershipPrivilege	2852	WMIC.exe
Token: SeLoadDriverPrivilege	2852	WMIC.exe
Token: SeSystemProfilePrivilege	2852	WMIC.exe
Token: SeSystemtimePrivilege	2852	WMIC.exe
Token: SeProfSingleProcessPrivilege	2852	WMIC.exe
Token: SeIncBasePriorityPrivilege	2852	WMIC.exe
Token: SeCreatePagefilePrivilege	2852	WMIC.exe
Token: SeBackupPrivilege	2852	WMIC.exe
Token: SeRestorePrivilege	2852	WMIC.exe
Token: SeShutdownPrivilege	2852	WMIC.exe
Token: SeDebugPrivilege	2852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2852	WMIC.exe
Token: SeRemoteShutdownPrivilege	2852	WMIC.exe
Token: SeUndockPrivilege	2852	WMIC.exe
Token: SeManageVolumePrivilege	2852	WMIC.exe
Token: 33	2852	WMIC.exe
Token: 34	2852	WMIC.exe
Token: 35	2852	WMIC.exe
Token: SeBackupPrivilege	1988	ZPmVOwz.exe
Token: SeIncreaseQuotaPrivilege	17912	WMIC.exe
Token: SeSecurityPrivilege	17912	WMIC.exe
Token: SeTakeOwnershipPrivilege	17912	WMIC.exe
Token: SeLoadDriverPrivilege	17912	WMIC.exe
Token: SeSystemProfilePrivilege	17912	WMIC.exe
Token: SeSystemtimePrivilege	17912	WMIC.exe
Token: SeProfSingleProcessPrivilege	17912	WMIC.exe
Token: SeIncBasePriorityPrivilege	17912	WMIC.exe
Token: SeCreatePagefilePrivilege	17912	WMIC.exe
Token: SeBackupPrivilege	17912	WMIC.exe
Token: SeRestorePrivilege	17912	WMIC.exe
Token: SeShutdownPrivilege	17912	WMIC.exe
Token: SeDebugPrivilege	17912	WMIC.exe
Token: SeSystemEnvironmentPrivilege	17912	WMIC.exe
Token: SeRemoteShutdownPrivilege	17912	WMIC.exe
Token: SeUndockPrivilege	17912	WMIC.exe
Token: SeManageVolumePrivilege	17912	WMIC.exe
Token: 33	17912	WMIC.exe
Token: 34	17912	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 1988	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	31
PID 1668 wrote to memory of 1988	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	31
PID 1668 wrote to memory of 1988	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	31
PID 1668 wrote to memory of 1988	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	31
PID 1668 wrote to memory of 2924	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	32
PID 1668 wrote to memory of 2924	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	32
PID 1668 wrote to memory of 2924	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	32
PID 1668 wrote to memory of 2924	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	32
PID 2924 wrote to memory of 2864	2924	net.exe	34
PID 2924 wrote to memory of 2864	2924	net.exe	34
PID 2924 wrote to memory of 2864	2924	net.exe	34
PID 2924 wrote to memory of 2864	2924	net.exe	34
PID 1668 wrote to memory of 2704	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	35
PID 1668 wrote to memory of 2704	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	35
PID 1668 wrote to memory of 2704	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	35
PID 1668 wrote to memory of 2704	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	35
PID 2704 wrote to memory of 2828	2704	net.exe	37
PID 2704 wrote to memory of 2828	2704	net.exe	37
PID 2704 wrote to memory of 2828	2704	net.exe	37
PID 2704 wrote to memory of 2828	2704	net.exe	37
PID 1668 wrote to memory of 2796	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	38
PID 1668 wrote to memory of 2796	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	38
PID 1668 wrote to memory of 2796	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	38
PID 1668 wrote to memory of 2796	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	38
PID 1668 wrote to memory of 2872	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	39
PID 1668 wrote to memory of 2872	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	39
PID 1668 wrote to memory of 2872	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	39
PID 1668 wrote to memory of 2872	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	39
PID 1668 wrote to memory of 2772	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	41
PID 1668 wrote to memory of 2772	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	41
PID 1668 wrote to memory of 2772	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	41
PID 1668 wrote to memory of 2772	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	41
PID 1668 wrote to memory of 2368	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	44
PID 1668 wrote to memory of 2368	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	44
PID 1668 wrote to memory of 2368	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	44
PID 1668 wrote to memory of 2368	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	44
PID 1668 wrote to memory of 2580	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	45
PID 1668 wrote to memory of 2580	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	45
PID 1668 wrote to memory of 2580	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	45
PID 1668 wrote to memory of 2580	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	45
PID 1668 wrote to memory of 3016	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	48
PID 1668 wrote to memory of 3016	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	48
PID 1668 wrote to memory of 3016	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	48
PID 1668 wrote to memory of 3016	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	48
PID 2368 wrote to memory of 2852	2368	cmd.exe	50
PID 2368 wrote to memory of 2852	2368	cmd.exe	50
PID 2368 wrote to memory of 2852	2368	cmd.exe	50
PID 2368 wrote to memory of 2852	2368	cmd.exe	50
PID 3016 wrote to memory of 2416	3016	net.exe	51
PID 3016 wrote to memory of 2416	3016	net.exe	51
PID 3016 wrote to memory of 2416	3016	net.exe	51
PID 3016 wrote to memory of 2416	3016	net.exe	51
PID 1668 wrote to memory of 2028	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	53
PID 1668 wrote to memory of 2028	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	53
PID 1668 wrote to memory of 2028	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	53
PID 1668 wrote to memory of 2028	1668	15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe	53
PID 2028 wrote to memory of 1680	2028	net.exe	55
PID 2028 wrote to memory of 1680	2028	net.exe	55
PID 2028 wrote to memory of 1680	2028	net.exe	55
PID 2028 wrote to memory of 1680	2028	net.exe	55
PID 1988 wrote to memory of 17156	1988	ZPmVOwz.exe	58
PID 1988 wrote to memory of 17156	1988	ZPmVOwz.exe	58
PID 1988 wrote to memory of 17156	1988	ZPmVOwz.exe	58
PID 1988 wrote to memory of 17156	1988	ZPmVOwz.exe	58

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe
"C:\Users\Admin\AppData\Local\Temp\15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Local\Temp\ZPmVOwz.exe
  "C:\Users\Admin\AppData\Local\Temp\ZPmVOwz.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:17156
- - C:\Windows\SysWOW64\icacls.exe
    icacls "D:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:17164
- - C:\Windows\SysWOW64\icacls.exe
    icacls "F:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:17172
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "WMIC.exe shadowcopy delet"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:17188
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC.exe shadowcopy delet
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:17912
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:17368
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:18360
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      System Location Discovery: System Language Discovery
      PID:18776
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:114384
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      System Location Discovery: System Language Discovery
      PID:114444
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:223440
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:223464
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2864
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2828
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:2796
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:2872
- C:\Windows\SysWOW64\icacls.exe
  icacls "F:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:2772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "WMIC.exe shadowcopy delet"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC.exe shadowcopy delet
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /all /quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Interacts with shadow copies
  PID:2580
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2416
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1680
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:90028
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:90568
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:94152
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:94440
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:210356
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:210296
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:212092
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:213084

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Credentials from Password Stores

T1555

Windows Credential Manager

T1555.004

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata.RYK

Filesize
754B

MD5
51ef3c6b0f9464a095d0a88bb085e643

SHA1
ae60d527a6693a426bf0e5724c92cfc43c791801

SHA256
dc3e7dfa1c7dcfdb242d455dabd8a2ae5750d3afc297b94a425db235da294d28

SHA512
b62ca24697182f5f0588e13955c81ba7b5ea864a5cb347446e474a66cb246d02a81ba69cf0c18f4c702668e29a943394809dcaee170ce70b1c5f6802f20de547

Download Submit
C:\ProgramData\Microsoft Help\Hx.hxn.RYK

Filesize
674B

MD5
0458fce533a454c623458d0f0802c9a0

SHA1
89cf9e2c9de3aaf3cc4efd1d92ecbaabf8f0874b

SHA256
6d96eaf9b8e4d1a12ceb71998c747c04978df9d34b2c103fc5e8f9a6bd2686d8

SHA512
7c25f0e68e0fa4e4d56f3ab74ab30f66924799ea8ea103b83ae0c67a061e49d82b52e0efb9c72ee5f14fa48f3f452ccdaa6aeb0a70b92e0dbc9ae79a06f61c69

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MKWD_K.HxW.RYK

Filesize
13KB

MD5
d1cfc8bab783cc77537ff2b4f9f86d7a

SHA1
cee9018f993bbe2488fc09dd22bed4acf33af9ef

SHA256
784416e9200ac725e4ee6d4a2f28faf3033d4455ea57f8206cf74c306361c182

SHA512
df567e204e8660173f94a37c6ed3fa73321c7f07c2a02a9a1409f8ce57575a675c3f92ad55f99160902ff9d32ceba680574202e6a7d1e46d4820fd5767b53f03

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MKWD_NamedURL.HxW.RYK

Filesize
13KB

MD5
7e20fbaeb33cc1423dcffe13ac4a1d19

SHA1
5d038749fbdbd894469666881360da8253cd3b45

SHA256
5c34d9a9664fb86fef782accad5966c4547e4d2c7a29a2a9319fad080dc816f4

SHA512
9f217413a6d675d3c99d30342b61b326b7280dc6b7af3192505b43da20ad8e6f1f736c706fbc3d76fccddf70ea68cef13f2690c35d59cd242583ab06c3289a28

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MTOC_Hx.HxH.RYK

Filesize
10KB

MD5
443b59d881c1f90b7b2b85d23cd80740

SHA1
0dee23cad3faee608a5aab33942f7c5fa5ec563d

SHA256
cb0acaebf1b93ec04f9835126aaac9c750d90a792e14ae381753fcae75cd0f3a

SHA512
309fdc92633a2a8e57ea92817a1a0dc0333548dc79587340696045129d5e764110a685fbe7b66c4b3e5cb2f9b8f6c237712905b4828103b67c553178b7fc17f7

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MValidator.HxD.RYK

Filesize
9KB

MD5
e4dec05ec136fe2f182bb12b0dc094e7

SHA1
16f14e53aabc246b6277338f14c1030a558388a4

SHA256
da0f827c049a23f78d841f6d90328b8fdc2c16a16455dc718588a573bc1e46b9

SHA512
9844b92a8e3cc009814c28df3621e333f3b09a8de9dbee2660d7abbffcb46196a74533613a8355dd6074bc135daf3802cf7f1e3409b8bb2d22193df9251c60fb

Download Submit
C:\ProgramData\Microsoft Help\MS.EXCEL.14.1033.hxn.RYK

Filesize
626B

MD5
24c1550b9c0e338f2602f209d6b91101

SHA1
c5b6e7b3c3c735c915f793db5c5e0b2c6d65e622

SHA256
4fb6c3ce813f866ed004e7c9487f5d5870a3cfbcc4277071bc6abbe0deb34d59

SHA512
3db66ed6aa16fda0310074c21a32ef68e8482ad5235e38c4de09905d4ec65778e4140cccbf56b53d23a035f8fcbf4634549d775ce74e59700a2c90919708bd3e

Download Submit
C:\ProgramData\Microsoft Help\MS.EXCEL.DEV.14.1033.hxn.RYK

Filesize
658B

MD5
813853c3848cb12079878318c78579ab

SHA1
5748c7e23c7136e22270bad1996c0aaa4241dea6

SHA256
fe4ff97c2a5ee802d4ab1b54259903987fe34969f1851ee1f3882d4af705cc63

SHA512
aff64c4378ffe608fb7fef8e54f1548e9975fd357c24acde5aa43b935364f6526004326338306aae7a6b9261ec6fb54a9d12b7b3a28238077eff596a192cbf88

Download Submit
C:\ProgramData\Microsoft Help\MS.GRAPH.14.1033.hxn.RYK

Filesize
626B

MD5
f938d1f091769b34b022997be8c99825

SHA1
4a21781bd7844a33304c072f22231469e6f40a94

SHA256
565bac24119b2d1a666425917ac486e344b429cb9da4884c83509856cb936dc1

SHA512
d5cd063947cd6ab592ae8d4dc57a3ad89f0580b8a978ddeeab00f5bf749a150beb6edd4bb225f2f99bf477de5a2795e230ae964570c41a98923d87e9776f6b24

Download Submit
C:\ProgramData\Microsoft Help\MS.GROOVE.14.1033.hxn.RYK

Filesize
642B

MD5
4b9389d5aba888bdad075b10cc431a01

SHA1
686e1478d264a9284d67f47dff1162dde89947fe

SHA256
6e56c6e89cd01b225b4adcb33809a4e09c742e04ed9e74ee86ac771146c024bc

SHA512
c812a2627bbfd183e3067b4c0475e8db044490e2fb2451a8b7c8a930ea00194999c26e99658f0bee1143b9c3ca513e0560f0ab5d8b6ac175cde153baf18d39f3

Download Submit
C:\ProgramData\Microsoft Help\MS.INFOPATH.14.1033.hxn.RYK

Filesize
658B

MD5
13cdd8666d13e6d56647cf62a45731d4

SHA1
d70ec523a61ad29c7f67025564f0cccabca3d9cf

SHA256
7b77c09dcc3265d9b3e742ec3637c04b8245a9ae0a95031d13b7876069c286e6

SHA512
f37e6d4f56df898d585ae05bdda69ab134aa36924960fc105499481e01ea25784c82554fc8e8afe81e47b7bbd81874780e4121850885399c81baf32a2aec97be

Download Submit
C:\ProgramData\Microsoft Help\MS.INFOPATHEDITOR.14.1033.hxn.RYK

Filesize
690B

MD5
a1c219b5c4a45acbb82471eb0a3c8706

SHA1
273bc50d26d22b1a2df2bfef2f8f6911cb52b9bc

SHA256
e75c11eeab6caadbab5fae2e36ae6f7a207c2bbb31f80df33c503fe32f94d08f

SHA512
9a9d9d714b25f9d94a410efc928ef92d342c52cdcc7d4e4c4b3f7260912a8680fa6d305573e46fc091a25af3dcc49f7ba27d4714375d7fccacf68cf87ab1edca

Download Submit
C:\ProgramData\Microsoft Help\MS.MSACCESS.14.1033.hxn.RYK

Filesize
658B

MD5
2624b5f988e119442f3cb7061dd3cf56

SHA1
109de300c45e5409dc890049f0bf4c8c51662b0a

SHA256
d40cf73d958dd48ddbad8d31e06e42a13c1f967fe5be15e77da3766e4a91061d

SHA512
24112a67cc21242aaf388d90e6859d67bed2316c337146a1017972a3502a12999fa6d8c41904242dae7f910b353949e59d95e02489e987a3e8ae81141b077cc9

Download Submit
C:\ProgramData\Microsoft Help\MS.MSACCESS.DEV.14.1033.hxn.RYK

Filesize
674B

MD5
ad2206bdefa7908d6b4f67214268ebc3

SHA1
44747c9d7d5622ee4b54dfcb9f621c5eac6cd179

SHA256
398b7d53293dfeeeb8af0fb6e5317c839b0382a92f43fa58d57301576e840d0b

SHA512
0b78608d7a01d35eaccd067958f8dd14a3dd6cb768b29b47f0f508ddd57606cca704a8cdca7ed80d3c2bc5c8bfcc19c7810712ab4c6bfc38258ba5e8383a05bf

Download Submit
C:\ProgramData\Microsoft Help\MS.MSOUC.14.1033.hxn.RYK

Filesize
626B

MD5
2b88d0710ef6abfdff6261ed88133cbc

SHA1
36db65de63000d5ce3e470c18c386c3cdc05ce60

SHA256
526178fd49c8941a9cc8aa3478c8cb7ed1c51389a733968086fa49b3d1b910ba

SHA512
01b81f27b0cccdd1363086dc8ba8e6fb37b93a33206e5de5809bb268c8d290d76f4a6407f7b636f766ddbcea1ec8d11d38a3c62b1955d007fe7373e71f8d2619

Download Submit
C:\ProgramData\Microsoft Help\MS.MSPUB.14.1033.hxn.RYK

Filesize
626B

MD5
d8315d929a126d0f744f5f7795be32ca

SHA1
a81c2e348eeb86f9d47fc3c77a0e8e33409bc87e

SHA256
e60c6e2785145bd08dcd179391b008eaebc8a759abbfee708181bbd8db73044c

SHA512
3e30d43fb0712443131637a2b1acc7d99d24812ec4f47a5cdc6f475d063278370a9767865eb7d2f1aa91b482d22ee7e8872c521430e7d810ed8e1f9699251925

Download Submit
C:\ProgramData\Microsoft Help\MS.MSPUB.DEV.14.1033.hxn.RYK

Filesize
658B

MD5
fc5289bb9d00d8440a5b16d17ac4c029

SHA1
2edf407dad50f479a8d7ca76b4fe19feeff1c8e4

SHA256
1d1d743c7019a7823609bdca39bdfa7c0241e240f2f8ce2808f2a3698844a2cc

SHA512
7f9abcb29942466b2726f0c44b565cfd9f5d9140b58c000f27e5e8fcc131444abd149017ada36ae40d5844da7bb87a33d9f078e12ee76e6f9f370ba61d3a11bd

Download Submit
C:\ProgramData\Microsoft Help\MS.MSTORE.14.1033.hxn.RYK

Filesize
642B

MD5
46cb2e1f09816483385577c2973538aa

SHA1
afea54a8a0b3089b06a283018975d600aa897b56

SHA256
6b633414c46cc38f8caec77f48e5f408fd8a0dc298b6c7d53062c697307f8618

SHA512
b4ae9ad952c784018403a12dbd03a4b6cdfc2a7e7021956ff80e5e6c076493072d03bf366223ad6507f62d4be63bedd2332cc7e3afa09e6533478157a243bb98

Download Submit
C:\ProgramData\Microsoft Help\MS.OIS.14.1033.hxn.RYK

Filesize
626B

MD5
e5a512e181b3aa775d11d413d78f262b

SHA1
d0f5baf8e2948814fe41c5e8147ae9ed2b5665da

SHA256
9b171c5df46b7b945014ec7c63fcf5d00dd361fe0ca345902fb9e2b467326a77

SHA512
c68eb184916509f965a862a03c362f036ca48a125a98fdb490025c3819515306e7f14834e97a908d26def3ad5f67a110b7077bc51493454c44ca86c680e82d16

Download Submit
C:\ProgramData\Microsoft Help\MS.ONENOTE.14.1033.hxn.RYK

Filesize
642B

MD5
b37c82e01de45d67d4d98a644dd49a0e

SHA1
280e14262a52fc86b6e88cca5a01fe6434517804

SHA256
39674968ebb3b72e7c8df464bb16f84ee25dbac987f393ad8e5f15535a5c49b1

SHA512
7354dc23f1528e2fd232d898ed05c0565d9c3421e5e3f346759fba11bd32e015b08f872bcadbfb81d0274799c94d931838aa90ef0c02b44680b6b2b8269b6153

Download Submit
C:\ProgramData\Microsoft Help\MS.OUTLOOK.14.1033.hxn.RYK

Filesize
642B

MD5
655572cbdc0627091537725ce96d5186

SHA1
ca4820dc662ec644fdb6b5886ae0ed5c0d0cade4

SHA256
d54f2969a5b8f093bc8dce50ab1d7b7ec339046436077bc80162c6fb7ab72eca

SHA512
d909132e77ad00902bbcf2877ce97a6ebe8a70b0febdddfaa3c1319a61b491b64e060f125979806c274f3ed52d9595f33527aa15a3cd1fa4969735987e75460f

Download Submit
C:\ProgramData\Microsoft Help\MS.OUTLOOK.DEV.14.1033.hxn.RYK

Filesize
674B

MD5
7df3b908032d57d7e17b890423268b42

SHA1
b1e26fe0c5831755c3031cad90da72420f2869c7

SHA256
3cf596fb458c320ffb2122b56c6c758fda7328cd283618521e3908a9bab35f5a

SHA512
3a88e6636108ac0205e03deccb5429db40548f9fee824c6c756e66a66634b764ca46f3042018828c69fb4241f62f49a44eeeb0bfdb4a9b3fb378811b30df1da5

Download Submit
C:\ProgramData\Microsoft Help\MS.POWERPNT.14.1033.hxn.RYK

Filesize
658B

MD5
c976fd25f901eb1c0fbda815206c6316

SHA1
314e3ee9382a94e23258811b88cf22ecc765a6e3

SHA256
c57b2f6ab6f9d583813e2ad1d4421cb04a80aae215e51db924738d97bfacffbe

SHA512
cc42c9630b4ce8ede8f03d23372adeca6348cd0ad63647ecdddfb04d59cfc8bea04c89c5ded556b0fe59dcc2f31e19d277791219a9f5035645817d12e4d95df9

Download Submit
C:\ProgramData\Microsoft Help\MS.POWERPNT.DEV.14.1033.hxn.RYK

Filesize
674B

MD5
037d4935920ecf128f0dd130e808e217

SHA1
f81ea6652f6c1f8ab795c93486da604df0d27c4e

SHA256
e84671f227ce75e8d9d49c5002fad43ce961bd2363f9fb8890bda7d41a21e7ec

SHA512
8fcf98bf863ed4599d742871dabd7ef2ed7ed80c908d4d7a366ffce9b33a167568e8b3a5a06401c38c5c62e785110e7052f845e1047b09c1c3eb07f99271817a

Download Submit
C:\ProgramData\Microsoft Help\MS.SETLANG.14.1033.hxn.RYK

Filesize
642B

MD5
a3be4f7d85a9d27b23c1a5855dddcd63

SHA1
34e0f169d808ac5bf08fc9f1954fb6416a16b5c8

SHA256
e496c8caf299dc6ac02a5a00bf20c82689c3449812bfc59039d52771ce0824ec

SHA512
938ed52fb4d5a725ca74af78fe51e2c8a63d5f4d94f88f7fcd285196bd6db23b1d3aab819a5b9e1f2047dd13bbc11be968c7df0ca443bc0e69f7cdbfb1ae3c60

Download Submit
C:\ProgramData\Microsoft Help\MS.WINWORD.14.1033.hxn.RYK

Filesize
642B

MD5
5e8233ba4605978e4e48424ade0e9936

SHA1
f0818e4bd71cdd1f430713627067b39032263957

SHA256
dcdb1d4381ed68fe35b7c0554f1ca76fd1fe3b2df46672351c09a98cea872f46

SHA512
df6ea1e2db9980c7ddf22dd11e01e1e393fc7035ddd22db864393957c02bc05b29e6bb0577c50055451cad72484e37c81388a38d15f666090399efd4aaf60fb8

Download Submit
C:\ProgramData\Microsoft Help\MS.WINWORD.DEV.14.1033.hxn.RYK

Filesize
674B

MD5
58bdc148ba4da2493be131f258cbaaea

SHA1
e33bbafa99083b95f884ff56bce4bae064db1290

SHA256
b1c7ce5c4e10b3a76f468679b47fb296010987cc67aeb6acace17ad1c6c97f84

SHA512
6b5c27ca0f18e09ac22fc5f720c9f4adf1a02646900c5ee6b03eb2f99c1ba8f3098d680c1468e521b6611fead83ca046d75fef1c08da66bd553785195ca09834

Download Submit
C:\ProgramData\Microsoft Help\nslist.hxl.RYK

Filesize
6KB

MD5
1c966155fa3555fcbbf0331d57e0cd1e

SHA1
e8e473a6bf92a7ce76b43cc4d324fdb05b97bfa4

SHA256
b6c287d61f691af5765841f4bf859052d724f901af1eaf20450f91005440d2f4

SHA512
d4d38c307314ad901d92b40cd2d616eac97df7ce4fd5f4d5c232dc4ebfb1116206f943c7a9fd56d1f8b53d5b16f2a8556359fd031b461f11d96682fd3f3f9bb0

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help_CValidator.H1D.RYK

Filesize
12KB

MD5
bed4a36b69687066affbbc6de5513ead

SHA1
b9841c44f8c553b46a4f784d1ca35f7dd025d98d

SHA256
a5d4f6011c0f337fb35a6e134061a0091d508b45c2f7b8606fcc38afe71ccb3e

SHA512
ee29cff221ea1fc08fea9f345aaca49cdd82e2facf6934c377bd0a0fafda495631d62029e2e4c7d5e51819815af7ccb30dacdbb489e10acc3a952cfcc2987a44

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help_MKWD_AssetId.H1W.RYK

Filesize
229KB

MD5
eb762e2933dfaba1a73eed6b481501a6

SHA1
1854df4f8b97d63626874f6e8f48408e9179c66e

SHA256
f4aa65861bcc2332a184a17ec63852f94e0aebd63989e1fc5dc3d039dd759f17

SHA512
35ffe39fa713fbea56328cdb6858abcb66cf2bac82193ad98c1d07eb7d0873afb2a8aec1d9f3bd0d6b64f6c047476f6e482a01da28fd37711957aca93fd36ff5

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help_MKWD_BestBet.H1W.RYK

Filesize
409KB

MD5
7f3643261bcbea901f78a3ce4556adc1

SHA1
31ee85dc6b6ff0dee79a8ba21c41259cb6296218

SHA256
b3d0e9224c0f98b0efe60c61c09f7264107f032795d6672c58835f8d253a4636

SHA512
f8840aaa71839492027e17b2a0c6d18abc7f7dd022388b9870d6a4e8720977983b9fa04a9e4c58eeb4e7b77ef37857a4531141e7825154bc211b0c940daceebb

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help_MTOC_help.H1H.RYK

Filesize
531KB

MD5
7aa5329a33d49f11deb7d4a8b8043c9d

SHA1
d78f128bba04ac2bbce9aa07f05bc18e37c11b14

SHA256
5571dab8a91693474e98cdb4cb0efeff5b84d03e5848ab5bb9467aa6e25a5e56

SHA512
1b1ced20ac34ea5595e1f228bc59dc104744030e57b57bba864ad7a00afb7226fe7c9602d5b508548c6f1fdfd9f911cf44771f36a5dbf6c85fddd70936b0b1e2

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help_MValidator.H1D.RYK

Filesize
14KB

MD5
edb7968beb33426d8067f2fac2e482d0

SHA1
f43c227e41fe02655115a9edc4a39f37e2939102

SHA256
eb04cf6fbad421d07e4d9738628737c97fda5f43a8879bfb764683315087cb4b

SHA512
d3fec5bdd49a377aeabc0506d510a8fa6d323885ee0859bab0edbb81642337ffb30c89f28a68faf32accf31844c7162f5918730aff6b51a448e07b90deba9844

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help{45EACA36-DBE9-4E4A-A26D-5C201902346D}.H1Q.RYK

Filesize
1.2MB

MD5
e180abd0b2e6d382fbfdc05b4bb199b8

SHA1
65e21e113f0972aed9ad0580916f734593da7d4c

SHA256
15f1ae209b9a971a82598e313a54f161242e19c28eba099208e42991f026aa9b

SHA512
9ccd2ef7977187ed7c9366a57fc58251f6b42e5bc46c73560bb0ea324b21ccd79c1eaa955b5d8575df712f500fae9c1b16523d008246b501be192089c38426ac

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_CValidator.H1D.RYK

Filesize
12KB

MD5
49cd8653025ac7adf07a4438282ef71c

SHA1
92ff0da9ab7531676b5c80c4e899d0403bcc4d0b

SHA256
682e85401799f6e081e98072144d7e69a8a69cfde894c19006ebdbeb4342f101

SHA512
5c5cb9e9decb3163a1fd1ca71f317d8a4b7e10ee316a44af52e83c8d25eb0837cec053916efce75d5ff5c3c3ec16123b0caee63e4480059dbc7540289fd9deb4

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_AssetId.H1W.RYK

Filesize
229KB

MD5
44f0c563a8b5696bd30946b3dc5c88c7

SHA1
45bfb0945b491afeb0d7a05821b6ca3abeeac0e6

SHA256
01dfe5b93865c44b1d75fff7ba1827c416ba6162fc3cfa4ad5822b87bedb6754

SHA512
a281a610b62ff353c884418c7fb2b93fcc9f151d0355ee59a3e66f803bc69548abca9066e906a0518004ae236078ba10df050773fccae41f256a4c172ed3195e

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_BestBet.H1W.RYK

Filesize
201KB

MD5
8eba4153ea971821502d28f39ff4d4cc

SHA1
a957758c7ee2031ff561470e7e049d41dc56b4e3

SHA256
193d262d00b4b959b48f1bda43bab56ab141b90767a5d22d82576ec6a5ec3ba2

SHA512
6a688afe2e3a1b6984d638ed2318250a83c62672e101d733e0c40a8f21473f2aa987b1a305c32022264dd9d5e70e97608e934d06183bcbbe888681ab6357d96f

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MTOC_help.H1H.RYK

Filesize
491KB

MD5
279bd6d74734b1080f6b1606a2eb0983

SHA1
d92f2a8716c1ef3e38f3fb102a6260435e5fb9d5

SHA256
4cca5919ea0b04ccf45d99b6b1ad9be11f04e6f578494d2d455e703551d937f7

SHA512
4923b36c62817c2728565fa9029b284a980b8a412fbaf83257eab9413f751fa04e89e2d98eb945333dd2cc4dc568e807f74b7541003a9a28f183a35c47d5fae6

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.H1D.RYK

Filesize
14KB

MD5
5cf3455a914e157c86dea0e46f5813c1

SHA1
f5d442ee4e75624a5acd0d4c8a604eb7275bfd64

SHA256
7a05a9b7b4779022549de6e1b9dc3275b403cb330475e1190a0ede1d24629fca

SHA512
d2e2279f7a0efc38cb21a877ec78c64f0c1313060d48805cbe46ec37dd514d85845e00bce35eff0c0c250a794366d169784ccbffe800cc3180b3d5451f8caf5e

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.RYK

Filesize
864KB

MD5
da05201c5e1d71a1fd639d50f110a3c3

SHA1
357d17e57a385227c45b2da2781c30c0edd0dac4

SHA256
08d5fb457f8b6eb79969916d4c85c5b3a0f090d63cda699e43e1fa0d4c59c8cf

SHA512
b5eedad56dcbe798d25bbfbed9b79d40fbe0b0343c8c47794ee2eb351766dbd3a34b1e446032ea19d40c5d239bbc268768279c30535e9b2d7aa295d701b9e7e7

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_CValidator.H1D.RYK

Filesize
12KB

MD5
1fa428e4ba93b757bbf9da8cac89bd0a

SHA1
e2a6d10e28dd86dc82a77046675b1f8c4b773d75

SHA256
3770e094e0928a576f4ee531069ea32279e0f7ccf9b713a564ad90c83274c790

SHA512
4749b71e3b237dfef12649cd61fb04b356fb902f3b3d93f538eb6a537a356283fc7127c3c2b3e50f0263d2824114c262fc63b5f1db314b2e13ef8c7c518cb9a9

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MKWD_AssetId.H1W.RYK

Filesize
229KB

MD5
72e8a35c48bf8bafc965d2e40a1ccc8b

SHA1
df5dc5590229f534a641dcfcd11a2ca31f583757

SHA256
0be87844548305f154666cdf1ae4104626ffc62721070ca798d3a11397fcc205

SHA512
3e64e7d17ae0341cbd2aed14fdbfe95b269a6928b480171f86e2e68dde476cabba1ec5ad40f09be9585e692acfe5fa1593fad8692a50a3e54b02e21bd509b3d2

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MKWD_BestBet.H1W.RYK

Filesize
425KB

MD5
56e9a0e17430b3623c5d9db8d036ca4f

SHA1
7901e6893a76a162858186a94157ded67bd9bcbd

SHA256
134b0e06dfb5e310ef9ea2e3f6bd00362b174e0e3feb28b09dd83cc601002ac7

SHA512
79b46aa5f28d81f995f5ef887dbb12b14450c758d85791aaae471a553762f46790e14363773f7b2c0f30cb6a1a7c73e54ef1cdd51856b75243f155c500c4bb09

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MTOC_help.H1H.RYK

Filesize
531KB

MD5
8f857c97b9d12ab3eeddf80c0165768a

SHA1
07f973520926e4ea54c6d083cfdc3af0e641768c

SHA256
cce4d09fa9ef1bd43605908c1ca6776ffd69bc84adfece495502251aeb10ea4b

SHA512
3d1f57c85c6e079f83c5a762bd4d9d5c4280e888cac4945d75f4197a7d7c759f2213c1c0932772e8a60e50dc8f25f37408a19b4c947531f96618ff1ac9f5d980

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.H1D.RYK

Filesize
14KB

MD5
cc96c889274d2c7530e338ea9c3a7d68

SHA1
4f6ed9a19a6be45996baeb6f6e5f1fa33309bc6b

SHA256
f1c45e951c3415c00c65e0458a0f25b35634c644e0633036f7eb79a8a3691b5c

SHA512
c4aa361e8118c0831aa4ccac3ce67388e999db3ed7739eb69e9bace20c2818bfc9bac2aafb9df8684fba488200bd20f4f5234dc6ccd1075945400d154341725a

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help{68DC71DC-2327-4040-8F03-50D6A9805049}.H1Q.RYK

Filesize
1.0MB

MD5
0a671e6ab8787aa3c413be997310695c

SHA1
173cf0a2d9e5ea9d90a802559355192d58cc9762

SHA256
75cddfbcde211b9d1e7b9f510dfac571657755bb68c04d454b880fbe63b5da1b

SHA512
aa1715e0386af9ab5887b4251ed5c3d8ac7e509570c1fb965842d43fab3ef821ac503b03ac860752f2ebd56d876b423482709416b593ddad0a6e18d6bf3f70dd

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_CValidator.H1D.RYK

Filesize
12KB

MD5
b7a776f6ececadedeadec67462b631a8

SHA1
5cfccd369288eb062fc8dff27b1b023567e480cc

SHA256
3196df52a76310c416fa1f88d77dac8e8b33d563626dc0ad064f359a93fc4309

SHA512
0dfb01d7e68ae699c4d8894b18c9ffd5f74f151835fd27cce1708f285a59e9a3521a56f2ef3e2369684ebee8399f14e5bcab84d10dc28584e02a8d9b7d326f6e

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MKWD_AssetId.H1W.RYK

Filesize
229KB

MD5
786eee373bae1b226234193412a0a007

SHA1
81495ca757d12d04a88c24aeb960a572f39fbfef

SHA256
be4905567b195f1bab9ac26a523b7c494fcf56c7372daf1e0267de0544d8fa28

SHA512
53a15b718b64d6cf0cb55722ffc665c9c18544d525f3166d1100db1a7055f9b2adaa848607831dda899b3e421e3a309ba78a5645883fd25b8d1be858926e94be

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MKWD_BestBet.H1W.RYK

Filesize
421KB

MD5
825ffa64c98ec5c14638e2f3cf4e9c78

SHA1
98881b487b3a67a7b0be16af90d2417f1040a8dd

SHA256
e4e30bc69af5bd3e9bf969d08802b457a25dc2ed532180b12c3530a95a5afa34

SHA512
a406375823bb4a19a1162ad7558df25488b93b5f2373ca6eeae8f0ce1709d423cea188e812f79037fb600929b35d505e5ee5366b38adc85fefde212c2680199d

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MTOC_help.H1H.RYK

Filesize
546KB

MD5
a5f36bcee61714c24397b9d85d4f9754

SHA1
4763215f214ca26a0346e239cf4c679f3682b1de

SHA256
544b489f29adb8340c02512e0441feec9f1fdcce2b962160922acce672601e56

SHA512
6b9ee4f9ade2d9015667b80eceb02d949ddee10948f1d9a4c097339a32039f4c96d1a9371ef9c4f64e8f65f8cff69db9c4c0db0e8dce3b99ac36a624b7011971

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MValidator.H1D.RYK

Filesize
14KB

MD5
e35164453f5bd373867ae0e5fdb1e8de

SHA1
974208d8aafac0e6179c64d239f08a5686ee7677

SHA256
176b7fb7305b32f0a4e3243c43c02ee947b778a4fe66d4704ec2a2bfcac0a558

SHA512
21bdd739a54ec5a29afecbf13b1d23c52630d05e52a86996b232d7d4fb9a0dbf245776739c827d63f149893c2204a32206826e8fdd8cae6ec52f12eda3b3941a

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help{92F2118A-E813-4A4D-9DE2-F96A9DC02C53}.H1Q.RYK

Filesize
1.1MB

MD5
a719cbe89924921492667dde38f2918f

SHA1
5e1d876f0c7fe05aec8d41ef2dc42ae63d0e1e08

SHA256
8472e6cbe4874651e0c938053be6ff4114d3f5a8015e3b6a19528269c08aa248

SHA512
61573bb63f7ab9a0c0b8f4654a2c126dbe0a375cd4cf86070823d6e579bdb59183add6921570c664616af88bf23b470348c4817c18c7add2042b6a344d14b8c5

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_CValidator.H1D.RYK

Filesize
12KB

MD5
9686ecd1170c4ea83314bbc53b8cbfa3

SHA1
663c8073ec298afd1f38d98cc9d631b5ece66c9c

SHA256
58353094fbf6453a3550a97e8b0b1a79782b4524adafc1c1f06046a7e704cc4d

SHA512
381092f3821d8ceb8f8665f8aedf78871d09a5bc026beb4f4febab782dff88e15cea6ad1281f41c732ebd52d00d217a21c97a65dcf2a3042a51e56a54de571cf

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MKWD_AssetId.H1W.RYK

Filesize
229KB

MD5
fea0a6808f2355b53d04f751ae780134

SHA1
4d8814093054971006ff177516e19f48e8320061

SHA256
dc792630c22d320cf0482ff8094f4a975785bd7986d1d8a5817b12d85cd9927d

SHA512
18b88ea935892dfbd8da2d9acb38c8af2eb8ab9d6efab68a3429968482740ada41d846d3ea0e40f0b537c49a6680ec482df5e55872ee3ea2e737ac2e59a6246c

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MKWD_BestBet.H1W.RYK

Filesize
421KB

MD5
1a30e1ab9524bb7bd17725216f5cdbdc

SHA1
7bf63b3cdd5ecfde89d070681f8707b9fade87d3

SHA256
9329ba1258c80d6e33f39b37a2e7a83f52c5388f7be2c0ccc0d03122ca539d4e

SHA512
3f57ebe63e87ab4381e3817710c50e15c55b38beacff28c81b2518c2d0158d519fe8433bfd43804e0c1cde0624a0b9abd3d568f64f8b33c7bd061dd6ae33c15a

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MTOC_help.H1H.RYK

Filesize
530KB

MD5
cbee6d6a9ab7e51ad717d57c94a99ab1

SHA1
598d08e2d2744b4c0ac5d9a197ad5796b533045b

SHA256
dec2e2ee9a6566ab5b8603e9a4f39ca2b6a3484bda9e0eb4b8fc01fdfbefdfd3

SHA512
73ba212427b84ac18d938aa0c0d696b74fd310db19170f2bcf4f02f2d3a68c86dced32f90541ba840bcce37aa187bbf894936b4d8f08550124adab325f81c618

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MValidator.H1D.RYK

Filesize
14KB

MD5
a9dba248b6e5d77dc31ba8c1a92ffa56

SHA1
76401eb7824d26cab30221d24fed82ec38b7d05d

SHA256
07200e783046e99a4e389e64d99c62039f9a294f3ab322b65c03d15898412a74

SHA512
a4c537e67fe06ae6e04ecd8bbe5438b04b432142401c10d4961a19b2ec461e4cd82f04b869fba32c5b3a11987765331ca4bf3dd8c5bd4181adc3a7368c5efcda

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help{7E352021-69D6-4553-86AC-430B0D8FF913}.H1Q.RYK

Filesize
1.0MB

MD5
09515c672208a9eaefdeefc48ec279e7

SHA1
f5ea07dcdc7f2201180e56ed64d8d42d86a10e75

SHA256
dc576c3d91c3a553e0bdea64c5764ffc3af6854dce74e3afef0ded6b0a2d4a46

SHA512
4d0a5186030953e8e6e49e20034a95f4a4b76968960efcf09b82485fd98e7b80b8c0d86e928d5858dec7058a7786740592cb5e06f56c2f196cea5b81e51e2a26

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_CValidator.H1D.RYK

Filesize
12KB

MD5
cbee18ddc719d3385b1a2acf1d9d0dbf

SHA1
f53e14760ab9749eaafc42f64dd5e26207e69da2

SHA256
f420b783599da6509e1bedb1c2b1a0606afbd94e86664a99d251b37d79c26580

SHA512
73f3d32d96c28881e65942955f774620d1ca38f44846ecd6ad222f68a9d9f686c61ee56cad1e8899f132fd7af9bf7b0ab71c08dbc1fbfe271302bbbf106274c1

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MKWD_AssetId.H1W.RYK

Filesize
229KB

MD5
de7bf96dca5492961f8dfb73adc37091

SHA1
d6ad0282cef32e341fe0f54a38e1788980d96393

SHA256
b4a03fea89236dbb2fb7d744c3d8d117d0253cb525f7705dca0b5d83747fe597

SHA512
95e216e9b7ffd0a47e4f3e83daa8b2d41133736b28262dab5eb4ddb67fd5d95c1fefbb1408be6c44461cfd6dde7dd239b5897e1b0362e828b12ded51eba22b8a

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MKWD_BestBet.H1W.RYK

Filesize
357KB

MD5
77f4c8d2291070a97c2ec0168b0bdaaa

SHA1
f38ef0db517cb62aa0cbc2a34465c7fd635efc17

SHA256
635876973cc699988d49ef6dd313b662fd3c56deb03fc5746199f1ee95555fb5

SHA512
f8a641a1efb80d09d53a276a14d29e67fffa7025bb02f9e549bd7d345e0dfb364a1a1001802857c5e4c5a49baa7222ae07dffd0dc2846222096f84e63f2683eb

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MTOC_help.H1H.RYK

Filesize
352KB

MD5
fd0385b69ed6e1df8f71a71794bc4ebe

SHA1
016f84f00c0fb3cecc26df778e4f8117236c1871

SHA256
58027c03c3b136741ac82fa9f8b062bb683d907d92702873dd15fc271b4f42b3

SHA512
6372b0df92f348482981de716b541b7b7e7928d384ded43f4a21e464df58358434afac8805dd08537539104cdffce9bf94749e0189bfebe9f5e57fe754cbd9ce

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MValidator.H1D.RYK

Filesize
14KB

MD5
3081e7ace37e66fcbeed736cb6cf968b

SHA1
71dbb49a417630ac19242eefedb9686a0f1ccc40

SHA256
2acbc71cecb4aa70be49d6962e6123cece483fab56cedbc1e9378b3c9b45cb6a

SHA512
d8d93c7de70437cb0863393164898642742d5cbd2d5d09e38235ac233cc6283c3fb028a72c99ab932d133cb06ccc6f5e7224413d836b5f41313c730f6e2ca240

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help{E1E8F15E-8BEC-45DF-83BF-50FF84D0CAB5}.H1Q.RYK

Filesize
1.2MB

MD5
4ac6cc940177d3a8d8f1a37ffebb29db

SHA1
44234f6bd9cccea0e5dd346719f8289e1844d507

SHA256
29a4d619bdc45aecac747ea531fd4ec6f0ea17f8ca5e6652183f141bda684782

SHA512
1f280fb57cecbdba699ef658a3e4646996a73c7193c7f7b8eade92e5c1e23045cb605dc063b36eebb7a407290adc9079b048e1a2521da191e488e295fad4bc76

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_1defa0c0-fc04-4155-83bc-b490dbaa3679.RYK

Filesize
338B

MD5
b622730872eeea5e94e366d7d6152907

SHA1
96a49862380b2cb4d79b41f0003904c5325a25fe

SHA256
5120799579eb1834ba9f3edce601a8a7f8fab3ee38ad12aa8eba6db7691426f1

SHA512
5865d680dc2b4cc07366708091c3afbff8c89ada8000d87fa9c813eb8393e90d57fa559e9332d0c17f8b224b508cf5d8bc2adcaed3393df8cdc48b65948aa823

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_1defa0c0-fc04-4155-83bc-b490dbaa3679.RYK

Filesize
322B

MD5
f5a8aa6501139d6d5a29ed0f8ada8f93

SHA1
75aec30bd3ee9fe909b833dd90fe4a963469fce1

SHA256
5b3344147e8b94a8fbdcba0b51dd2ee898272a79594e7150f5212f3a5c95900b

SHA512
7073502cbe0187efeb8458a480a3c178d3241a3fd3159cbf7b0393b875d095644c264105f0b7ce3e66308214a0ade8b37f30b9c198bb67ea97a8258c247fa63f

Download Submit
C:\ProgramData\Microsoft\MF\Active.GRL.RYK

Filesize
14KB

MD5
c13dde30f164d2bb57aabd4b56a4a4a9

SHA1
29bb90d629b29f998d1b7b6879ee4b26a1e97d7e

SHA256
e1fc419db5980a2c24c8a29c10589dd14aaf55a7f350e25300077e72d809d9e7

SHA512
0766bd3c292d441442d9b561e2e401e83771ed449dc5ea43756451041791e82c42559f2f6af37369f50fca544e0a5d4914b764cf1c2e7e86afc6029f30575710

Download Submit
C:\ProgramData\Microsoft\MF\Pending.GRL.RYK

Filesize
14KB

MD5
05a95f4888042e8fcc281a7b46141127

SHA1
dd796831b07df086afb0bd206633c423d18aef8e

SHA256
8f9ae1f3246fe1d675a67fb239743739c60be585258cab56e91133b5214dab76

SHA512
dba4e39f22cee3f8ee11eafae340fc4a1c9a27606a2127f4006ae4d16f4f5312ab29e61af8df960b15fa723f6e7d25dc0e51cd62938f48d15ebac9a23e972240

Download Submit
C:\ProgramData\Microsoft\OFFICE\AssetLibrary.ico.RYK

Filesize
5KB

MD5
4fd138d8f7d60044457e3053e6c5042f

SHA1
419c6a51ad6dacfb1cd1e6f10634919b0f577d16

SHA256
c88c74489b30aeaf15c55a5bcfe0a210e662bf8b05976a724b00bed810e49e7c

SHA512
5a5d9ef04da1ee2fbeda099735fb9a68c0633a6ef0b631dc5df8052f7f3c4df4300f603fa18f63fa9e6a06398b6ae353533995ea7bc47a5ca0025b571f4633cd

Download Submit
C:\ProgramData\Microsoft\OFFICE\DocumentRepository.ico.RYK

Filesize
24KB

MD5
6920283f962cb346acab9c641c4d209c

SHA1
95e4cad081a503b6a937b7c88440de9e49ebfcc8

SHA256
ee5a9a17b24dc8625ba42eea311f128a1435bffb9eff369e9b6e3494da9adbd1

SHA512
ed54fa5a6542347098edbb8a26452b194352432d5b05ff9e67a007f8b9a622998c6b0d8d62814cc7e066c5546eb3990aead4dacb0b41fcd01f2759f32a5ff6ed

Download Submit
C:\ProgramData\Microsoft\OFFICE\MySharePoints.ico.RYK

Filesize
341KB

MD5
973b3d755e605d94067e0057695b14c6

SHA1
b63cb4028a22c636d9df66b5034a80207ec50868

SHA256
52598330d87bf97f4c9e96c7b7d43ffedcec07b760cafe60c3ad8963e541a9f3

SHA512
1d8d63058df58b49927f3ebd40d7908c551eaba2761bcfd5b0bb195ed865d36672c2046f8585d5642624c900d4b8cf96e976061c43c2ca668dd7615b649a6320

Download Submit
C:\ProgramData\Microsoft\OFFICE\MySite.ico.RYK

Filesize
24KB

MD5
3600c1ce03c9bbfac9cf4f5c1ca329ef

SHA1
deea17e86d882d5c6e07debdee2ef6bde899258b

SHA256
79ddf58416bc7593f01b0ffc3e1833538663634576e98aa9a79dc822473fc937

SHA512
c28989a5c5663a241818fad35de180db7b4a013bf8d4125bbcf3351e6c1ada5252c8298b83c06115669ce4de4213cbeb229fea6051aa9aaa3445b863d9fb96fe

Download Submit
C:\ProgramData\Microsoft\OFFICE\SharePointPortalSite.ico.RYK

Filesize
24KB

MD5
2c587192955d7b0bc01f3553f5188d39

SHA1
47ec37cd3770fe0237ef72351d717b0d6a098c8c

SHA256
75538fe99a4d45cf641616fa5dc0f3c8abedee29d190b41de9ddc9b0020144d8

SHA512
7efb5ddbaefde2f535f0e7b6ae9ae70401b1d9d1df5fbdede999bd3a0406afbaa6f06caceb0b1c6a6e66c91d140e24ba765adf8c66d6a3e3a847ce7f0b15480d

Download Submit
C:\ProgramData\Microsoft\OFFICE\SharePointTeamSite.ico.RYK

Filesize
24KB

MD5
dc448cfea03cd9941a94cf4265f8f982

SHA1
aa25eaa860f60e7b803ad2adfd3a4d9a072b5e70

SHA256
52fda43ec97f7c1c12b5e1f73a9ca2958eb816e164664e7439604ec4b21eafcf

SHA512
52332c603f115bcde5cba4468d3944236d08354f02cf113146ecfc4b8035a0da4ee43a9e77e25d100a4ba2019d8306f400cf524b274dec7be13a9796fa87becf

Download Submit
C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat.RYK

Filesize
31KB

MD5
e5c75f016c62a79bb28a06227ec321fc

SHA1
e08a1ee406f92e020a6b11197a406f7232846e89

SHA256
f5b6716259f7a8239d87aa545cf174235262ef945a99132059e8d9823401ca98

SHA512
0d29fb51f2712b807af157d059b5bfc2fe4f0b236ffb96614cc79b879800bc730788f927d7ab89d2453ffd0d41c18c4abeb149e66b8bf7b33da479b5c39b3034

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.RYK

Filesize
48KB

MD5
da5fba76b2fa831a93938db67fd29045

SHA1
5461ed0bf0052fa00e88bd51c7ea532edefe6419

SHA256
cb7b1080c77fe571ac138d975ddb61f6ef78986c776b7125524e2b6c89e09824

SHA512
9218f80eabe6ac6ac191865a1446ffa61a9ce281b08ad95179388fc44f692527a74447d618c6ef9fd5aa2fa5fffc1672b0488399a268010cba053eb48416cf3b

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.RYK

Filesize
48KB

MD5
7a04d87820ebd8a7d10e6ef60f666209

SHA1
3c3333ce717f89d00ab14680001efd1640680b4a

SHA256
9eee98adec84b30cc4dc9c7d0b928bfb8023a6cef6e2050ebed9570188bd1465

SHA512
4b7c120b3609afc2e8eb7b859ea638240c5efc548212d65b1e9326d5519db41d74f96a97b295e8b4b47d70d616fe490d124f1787f61c827a3e97fb7a6af26106

Download Submit
C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\mpasbase.vdm.RYK

Filesize
11.1MB

MD5
fcabe37640529000b68e391ef84dd053

SHA1
f9874cead373869cc83b7d16d9565f01ee8580c0

SHA256
968f035dd51d7e18aea78da3277efef6a2421ea811cdac1109015c42a0d626f4

SHA512
3abcbb5d2d3bd33d72f7e6497e3640a9d4e1de8a49abd83cfbc7fc424b75ce71e6894ea49ea35453e238d5d35c71c1d0befff4cc8feaf03eee6c2ae23d637842

Download Submit
C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\mpasdlta.vdm.RYK

Filesize
331KB

MD5
942b90001e93aade65ed83e52a395bdb

SHA1
31d22313be2ce556cc34115f6fc211146506e58c

SHA256
3a5270d4eb004c0e749f83c8a58557a0ddac7b0784afae7c041d7f1534a066fb

SHA512
f420f28b079e45bd5a8dd9990f74e0e0b894cf614fce1b60b979d97f78759eada4f09ef838e328f41e4e05b1d29a401be0c54c7077dae45e0d811fdf45723ded

Download Submit
C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-07132009-221054.log.RYK

Filesize
7KB

MD5
d4865a6a9dd80d9e1454c2f31e894504

SHA1
6598e46278fdd072e9c7488287d33064d9ca0934

SHA256
f1ff8bea542a656dc7b320889b1643d1e1c1e989c89c31e31ca8fe4c208a740d

SHA512
f48f902d670914c30197c14d7d38b29e3311a67929dbbab75e7c9126a53c2278c3fa887918ce2881675d1e2ec8415cbcbac3a6a86c906123b9d59c054fae6601

Download Submit
C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\Windows6.1-KB2999226-x64.msu.RYK

Filesize
1010KB

MD5
2b425a23ee611b4ecb4ea390bc44099d

SHA1
a24a60b4c9a094578570cd36cb9633b8778d5a2a

SHA256
a77e05a4f08f4d791e2763f594f091a70180ed497f6a0c434ec32e59cadaa78c

SHA512
f5762f31a0197fedd018f1f43f6ed125506c37a1880edbfd6d500446d7c81077142b09de4e5e1ae68b9dd50643390e2a4066008a01e26951f7c95b3ef4b1c996

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm.RYK

Filesize
914B

MD5
a21d330bbe3398c0c38eea0a3ef49248

SHA1
b600c46634cf683e260ffbec542b61921d80e340

SHA256
6f231bb4539816e3869cfbe20f166275d13015808872c20121482d9b43112d6c

SHA512
f9f581aa928e01e23900e317581987f4409f0d9532e8a26a6481ffa6880fb9a0762f293b914f9e9d2c23b4a073d939cc8f2d277f1bb51a7af9e959df397ebda2

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab.RYK

Filesize
5.5MB

MD5
9d9a9b75c05581319f317e0ec1e4bf31

SHA1
dab6559ec0ebc96f07a4d6aa5aeccef767a8f4b1

SHA256
34bd6e6c749f0e0a259a12a6d542b1f3fbb107b355182428835d9d1aa2a0c61c

SHA512
ba8e70cfbe08ab2088ae4671b5722eb552138bdd6ff94878e359f58045423cd0ca6ac685280098136b85b2d2e595f63e0edd846693337e2ac0a92be6a3402f06

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi.RYK

Filesize
148KB

MD5
1ffc8489fc6ea2612e31d049db8c0861

SHA1
18884f5a1b35f4ccc0662eb7896a4151183f2a24

SHA256
ff5319bb417e896bc2ed0030a6a0da4270cd8236a8776f974761b3703119d550

SHA512
a2f14d8f3aebbd239de894907a821c62b8549b167944d4383994f57f8a05f3f0c47f9a624e8a94947953aab20baae5ca897e4e2c45b7b64f582f375eb0645906

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm.RYK

Filesize
1KB

MD5
1d76850c2a4dd3b2daeb89c2104a8e6c

SHA1
6aebc8d472b102a9f6c406670eb2926e820fcbb4

SHA256
9b24947968a894f71cc0bea416806dceb4a59e7b38977a00d3ab81d74e66d857

SHA512
9f324dbc012985a59560aba7196583d7886aa4e1427f087ad597bf4705e574038c7b70838e18ff91d994c24bc6b6416fcf0d3d8abebd3beb509af42a7739c0d5

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab.RYK

Filesize
5.3MB

MD5
a6891bb3b198d599f9a5fca7bb0e4d2b

SHA1
d238360a89e8332eb940310c0a0a89abdffaae66

SHA256
b3cdfeafc922a88c7e1cf890c2e2ec605e926a483ee74afb12ee792f02a4bad2

SHA512
6f43fac6f76bdd077c7e11931faecba3a048b36192a4cab825b6857a935a8f66597327318cc435f0b1b3db4aac4fb1998ff146cd77e88a2163e7cbed12598c2d

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi.RYK

Filesize
140KB

MD5
8a38dc14c16f35ccb170de891447b017

SHA1
51e2a5cdad15f1b9fb15471e386d6d1d3b71676c

SHA256
bb9f10f2405a814c4ae8e71cdd62cba61a2c57257f031ea9f33658ec9f1fb807

SHA512
ba362c3b6ae2f625344f91f4ff8bc18c5907ca60fb38d08792f5c07d30ae6866d4993629d316fdf719ec126c8286f67118c946955a2f1be9f24f32168128ac1f

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm.RYK

Filesize
1KB

MD5
8e1adc48482ca4ac3e0f66453e0a684e

SHA1
373c7b661b1861957e48696435a9baad2c75d784

SHA256
38008b2bbb11a583da27bcf213b0504739dcd0c31f03550bc1efb008e10c54c8

SHA512
10c2d08055b947521ae284763e145ea12d5d58bd9a0a508a856a98fc71964b3ba9c1f9c2e81fa6d8c33b9fddeab2c447b4a8a9c90dd6d611dc5890f1d258eb8f

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm.RYK

Filesize
930B

MD5
d24e88092faf7a3edcd765b900801f5a

SHA1
58c05b7317417a5ea70b0652b0d124f8c120cf97

SHA256
e7e80cf88bc2f3ea75cb290dada2b616b56c377c6aeb9fcca2d1ff1eb9ccafa0

SHA512
683ee3b215581d4f51b1ee88b98a59d838551b2d27b202251e9c2b175c1968f31b6f56eee3720296c02e0e28a6c21a0749dde33d8e412776102b76c96d2f17bf

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\cab1.cab.RYK

Filesize
870KB

MD5
e93cc81e379b035add9a67e65fc85af7

SHA1
6bdf21f95874166fbcd3e661be99507ec019e010

SHA256
0e0b702f9287c3021c5209d493c550c31ab8e82c4ba110b04519579ac7831b9f

SHA512
ea803aff8404cced378225c10f53b41cdd37d69d7fd0c4555d393fc5e9d1b2d3836adae0814ad1e94211f4cb55b178ec3dfcf8bd847bd684c4d2b39216bf67c0

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi.RYK

Filesize
180KB

MD5
964e6cc819686e49c1f399c252c84628

SHA1
71b4563ed90cc37978f782f4f69a8a64486c9815

SHA256
7654a61f34ee0db5783aed3de77eee9bd74a45f1d2727b0ef254731367488ce2

SHA512
1d0c144b52807d061412d2c20abe4437c2780fe513d409f1a13e27b777539b22d16d1546ee5bdcd854f864017ff78af102a12d00d7c0ae80742f2f7e35420199

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab.RYK

Filesize
5.4MB

MD5
1805b7888bc3c10298d4fdcf52281097

SHA1
4f0bcab8ceaffba1c767505a27ee10cb1532383d

SHA256
a739c90a8e6d53706a0efe21bd55e5679b247208047a5b3429e581fc91428d6f

SHA512
fd025f8eaf8166ef05162f7abbbb89a7733bcb583e68b321618a85546a79a751cd856a7dd324cabd68066b8d3391701b77ed0103c9a4d7cef856e0c64361dbc6

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi.RYK

Filesize
180KB

MD5
bc6f7cf321bddcaf16d2207880e8d5b5

SHA1
3ce12d04666c5158e430652d723b75a8321706ef

SHA256
dca940b769d2d5753bfbbbee72cfae9f914ec7c244b9f25c9b85189e93ab766e

SHA512
666de2aa51d512d0890e363cf623b5c04eb1208d186f071afb22b70b0c96ea010671b662409a543ad95c81a8f2cce7822cdb6f2bb5466ac2137866e6606f497c

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab.RYK

Filesize
4.7MB

MD5
e99f98c7553ea15477c80612df0122b7

SHA1
3f2ff0648422c25723499cb28e658f01f1cde1c7

SHA256
8e2929741479ebf3c6a312bacd5fa7c732fbe19db45cba0ba3eaace5e0c117eb

SHA512
0f78b0fcfd4f8c5a56c3e03b88bbf653a252109cb5551f06a534bd267416619f3489c409c7df5660cb169595ca81848f6b6f64acf83374a321e01f3c06be8c82

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.RYK

Filesize
140KB

MD5
944fd70bdd6a58e51298d987ff2e8988

SHA1
d126fa4092631157f0817fc83b9ccebee1a3889c

SHA256
aa1e9b893b2f71c4168738c8d2eac3ca1b3f1da3de3f2af73d587b98b064da5c

SHA512
d66b5e915738b041195cfbcf33c3d464a3a28f027d01e2a6464def12d0e58aa8805304ae1ec20b102bb8bad2eafdf2b7b314f5e3dcda70337c379cf57d114bda

Download Submit
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab.RYK

Filesize
4.9MB

MD5
85e995233e7834bd35167bf665c03305

SHA1
ced69e57ab38af106068a16d6ffe9e14f98c78c8

SHA256
44a144d294bd6c537fbf06e6853b64bce929213a4983707324afa8f1c4806092

SHA512
9dbd7b3c3bd51501af5925d4513dfdb705be6cda6d6976d6cc902e248c793d5043535bfcaa6afa1283f8e6b5c720847ba6f01bb36228e9c29e6d98dbddc50811

Download Submit
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.RYK

Filesize
148KB

MD5
f58ff63cb2f9eb53c66810cf09c4f1bd

SHA1
10dd31680d47eed6bffbc5e12c5c934e3a9d494d

SHA256
ebbb51605790ce5d19138c8a4beea4584648a0605dd1f2d069d0d6953f79f309

SHA512
c680d5fa2bb38d78999c3b72b2048256ff5b9548c6818b75e4a2a38b0cb077d275c056b60438d084f306368164dfe74e36ad961591e4738c5fa0b16e3dcff664

Download Submit
C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab.RYK

Filesize
802KB

MD5
3a89514912a69e64e09c8dacd449b78d

SHA1
a531c54d8bea9dbcf20903a44cb2c9efb502aab6

SHA256
b09072313d61dfc5e6bda6469d4aea042670f445270e5898468523c75ffcacd6

SHA512
8e7619c19945108fb700746051e3f7b926390d3f278239e38ba0ea8b1e4eca97013198208d6ee12b3d6e5748adb83e05abd2aed92de1befabee79d4bd1ee1321

Download Submit
C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi.RYK

Filesize
148KB

MD5
93429a0ea25a2182535ac89841a87578

SHA1
9a23cc1ce899346dc49065a986e27ded04813bb1

SHA256
a3e18d442d31d88beebc85cf0a3eb8d6f6fda6893bf83c56307c6b9fb7c25f9a

SHA512
c0663f64eda0872def46f65798cf99e29547ee1f7c49ee5d812a5f31702f9f25168e5a4fb92b3488953adb1732780ad45c2979d7d44014a5b41449b62b6f24e4

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab.RYK

Filesize
4.9MB

MD5
e9a387f4a5242991b8e3df7d2fa1f17a

SHA1
374dfd891f27add59ad9cf46e876d031c15e76e7

SHA256
00be45aecdaae42c683a7891e57fa08e040386be0ea7fc0ec762d7411b5ae776

SHA512
f9ae1de983a5586689d5d5617c7c9d1d037e0539ecafd653763d218acb0429b8da1bf9dbe37ff3e4ee92059fb8ca06ef930a9fbadd2f2c6d5fb522edd13939ab

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.RYK

Filesize
180KB

MD5
0a66f3abc60b0a37bf4822a8a633fc91

SHA1
da98127a6c2c975c6c345611a51fabc9617bc33d

SHA256
40ad5ab66b3877dbe6982284c3e7e2688a252fa6d6e9bf8503e21205fc03fdd9

SHA512
fe347a8806d6a01ac9e3d8ec4843669758bdb8648f377b05739bb9ad0f73d323283502a4e8975b5bbe53e53b7e7cfa8765b4b949ba4aed1d243c5cfd79e9cc57

Download Submit
C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab.RYK

Filesize
1010KB

MD5
5800fcc7222304b21bb206220a4c133d

SHA1
9d1d488ea0a5a427c16e99532e95407f5ab814e7

SHA256
48fadc9ccbcc5f4ee65f882395aa509da47f93d254df3b7f06ecddfc1c7cf603

SHA512
22b3f791d75d5ce6bdd299ed6ecdba67b39354b125e15b0ec44ca04e448903e47e9874cab7125053be368591246ff4b311b972ff20d0b8d2ba395d4760812aa7

Download Submit
C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi.RYK

Filesize
140KB

MD5
bb187506f95a1c1260aa0cab7c911233

SHA1
f15f37b8d8bcee76e08a89dfcfca29161145352c

SHA256
94706425ddd00b7ad85ce772c8a99b5db2eb96c3189202917fa51951db289df3

SHA512
5e4c3108711ffc0bf0cd1b910ea8db278495c628a3af5860d2acc43fddaf0868573d27dd454ff58edcf20703e12f3e84db28975e2e6270694f1ffa1d21275998

Download Submit
C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab.RYK

Filesize
791KB

MD5
ac635c10beaced93b444f4abd571466a

SHA1
fe3198caa96f51188eeb82b0ad174c80e9f5e7e7

SHA256
43ab3985efd911c53434fd130fe0584fba98ad23531880509827709c6958eaeb

SHA512
c29299452ce3f4956a28e0608a2fa127b932fcc825bcfa9cc0a14645d3a5423d9fafa1ac0e50b2ea61249c9c1a6728334bc21ec8452cb0b81a5237e55b167e36

Download Submit
C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi.RYK

Filesize
148KB

MD5
079af4204b76344a2f80c735508f28a0

SHA1
3e413a567c85e3eab8309204f5db7d0bdafd90c5

SHA256
db97dc36ff7c5de81343b2515022ed6c2e84c9bf12b94600d67ecb50b187463b

SHA512
f3ac7b7e6d2a4fdc2cd90120d943cbab8883add02da494c5c3b7b999bcdfd79ae651dc99379e8a92aabc7b058f01f29a61b83fac1c94c496196596d9f1d5fbcb

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\cab1.cab.RYK

Filesize
974KB

MD5
f7a216864c16c85c4a5216bdb6d007e1

SHA1
40ebb96dc18d5e48ad336e0758dadf95e8e67a4e

SHA256
b895685964b8406e4635ab7da3ef6496ed9d4cd56074ea72b7b5c87772096af6

SHA512
52fad1c7725c57e4628f75a3b30a5b5678e473a348477ac4d1955a45683e996f1785a54a344ad3ab64ea68add81ae9c5c534027015da1dde0655086dd2f61239

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi.RYK

Filesize
140KB

MD5
135d4fc4684edfa3683288a032f908c1

SHA1
84fef3e2776dd1eff0f74002c6fc985ea5222bce

SHA256
0e432fd5a64695b9b7efa9b39a1f6660b3c15a6268aa68423241c47ab2b3e649

SHA512
478e923b8f9d4ebf07dd751dbc800d24c3eea9d8607b39150a87d6e8d445bc719907addcbd48bf21e468c9ab1b147e5b66314a68c9a584f42c966f8e4892f2f9

Download Submit
C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\cab1.cab.RYK

Filesize
742KB

MD5
14e76d21cedabbfc40d297d482dff6d8

SHA1
58833f9d2e06fc08dfc34c043b4adad8fb9acf55

SHA256
a453653a9999d222716849ef58d7fd833bf5d8560fe47b64caf7fdbede7e3a50

SHA512
b247c9fef58a33082f7178c88eb043b16c63033c61551817c266aeebea9eadc2f3271b0588394a20bbe8687ce9077e73d9aa5d416d96220fa92f82d8dc3b2623

Download Submit
C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi.RYK

Filesize
180KB

MD5
4a829429eef13760ebdf7d201fd611e0

SHA1
d8a9a9d934a21652dfbe8a038f8a4dd12a87e3f2

SHA256
135df9ea04fa72e4858a6c72b3779efcfdd768815acb68460a78b831eeb74f31

SHA512
1828aa7eedeae683202e3e3c21537b129c92ad11f3f7bf8fba9c14d1e316fb4f41ad702c23db20d9b29200f3927905df856d1dcf40e992ed4df42357487aac23

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm.RYK

Filesize
914B

MD5
0d9ffc46e64e4e14cb4b2f735a404146

SHA1
47d9ca3bc7a624a035914ef7ddb75d2618161a88

SHA256
f131bdddb33aeb0586488f78cdf2c17ae9daf1d8c875cc50eb579e3e9cc39b61

SHA512
eee62f885ae4f73a5310ef79f081fc43e75c222a2b4d2e0ebe8f5522f07cbf5a4f47ca9c37854e4eb1658cf2dfd669db89a6792581435e978e3890722ce78031

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm.RYK

Filesize
930B

MD5
0ab6df1392eb9f98e9c2526abf48ebd9

SHA1
206a2405cba155db76a6e43a9e0855d35fa746cf

SHA256
854518b8ba462d6bbfd2fc00ed06bcabfb533407dfbfc2fddb32361d00c3564f

SHA512
34a877e18c16d050b099bc4ce351cc1513f1d1f1484b98e646b985b048a26c85399ea024a7a72e509f6d8ed2760c9f10a26f4ec8e2ec10d7baa9476c93d2fe4b

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK

Filesize
8KB

MD5
d664266f797c73cd2c65e694753b7335

SHA1
3302e2e6c36d35862597811d690bfd3b04e84344

SHA256
45d2620da6422bfe14dc98c52a0bc35d3769d8661cbfc2946942dbd83dba9504

SHA512
e51b3340d180600714c65fdfa12fe3193870e9b61da36a4e210e7ebc5465d5aba261c8578753b6b432c83cb7506f316fc1b07d7b0c7a9a01070facf963a66155

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\ACECache10.lst.RYK

Filesize
2KB

MD5
312dc99b8c153f9428f65290c5602696

SHA1
cdd2d9432aeba969ddeb0a4d6a9765758d9b294c

SHA256
c58c97a1a0c9c956d51e5cb12062f8cd380f039b881bde6ca080377fc16fc9c3

SHA512
6aea91d3e927bdb60ac1a85ca98571c3bf779ce5855764f6cbd6c1d8063dc30201b1afeaf9cc3cec1f1e0bcfc50fed46e1838f789afe292712c0234baa28ae1b

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

Filesize
2KB

MD5
75baadb966a5808826de585bd544b7e1

SHA1
4c430c3f34e9a316b125d7f1cefc02a5a87939d4

SHA256
c2592149dae71f7672de9102f7cbf60b6fcfafe1e6b267c6edcb2b0a4e99bd2c

SHA512
23f2fc4131df8df7f0b0520f1bcafb3df218b21969b6769b93de80e24f213f9911701e0ac53973fc5c719bdf78c02edee65fe82974cd06b06e52c892e4f8f0e1

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc

Filesize
64KB

MD5
e9058108edcb7c08f54cfa8dff8d1589

SHA1
9f5c6deb85876cbd64af5dc6353b6f76dac78fbd

SHA256
5152a9869c67c8dab15525e1ec69f25be075ec99ad0af8eaff3fdb1e247ed260

SHA512
20c37453e1bee6e975986640b1aa19fcaeca22f68f7c20bdc523ea2b279e1957c0a0fa11b20aea50ba759505463786bdc7e35e82921bed5760e0f9d91c2570c2

Download Submit
C:\Users\Admin\AppData\Local\IconCache.db.RYK

Filesize
763KB

MD5
3dc8f1fe3ce01ebdcf59ace59dad27ac

SHA1
0e89cfbe5c03a9091ef90b0d13870be9d652fb86

SHA256
39029d20a00f1be38e0f3de6b77e5d981b0ef0b985267ea178b4ceee40dc63dd

SHA512
2dc31b6080a14fc9ba59c22ec0b12ecdf9680cc9a1da17a387a07ec0a1aaa246c09ada6b8c8e24f65c1f239c6181a0dcb92898ba5b8bb1b14000e162b89b828e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK

Filesize
7KB

MD5
6ff57ce60cdfd1399c2864f4a4cc6028

SHA1
0e07b79c338742b9a593bd8525eff7bacd5484fe

SHA256
22b50753748303a3957a7edb333bf4db4c971ce322fc5fe3afc8f785b837b87a

SHA512
c2d0c8e2a7d51d6b8e83dadcada8dc19d877db9b18e11e29fb034087c5bd24d4127da1c064afdde650c563639bbb10a89acc444e9316904bf8b1ff2868e3798d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms.RYK

Filesize
28KB

MD5
0290933da50bd435898fc1d9019e4117

SHA1
77680e6fe1c0d430fc2dd298df30f448d42ca639

SHA256
286adf960f4302305e996372a73f6af285c0b78b22f6175697b565b946eec4a3

SHA512
44a00e8ccea94a14679b01dbb5ba07a2ed069ad8263c05220b461ce73af78c7a1345ae4b23703fc2d06ae353a7d4906e4deb1d179cabb2c2894f41e70d393894

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Home~.feed-ms

Filesize
28KB

MD5
7ed7b6a15a31ef0d4db508fee662144d

SHA1
a7172af7fb38c00f7c487401a2a5a4c8ad11a7cf

SHA256
5727f2c2780d5dc493407ae1c51d67dd0ee36f066d46685fa45ab03a06409e04

SHA512
1ad3b0bbebb07b42a5442e85c234e2f27090d3c47ad75b1ce04b1ea879868d32e2850c05df980b0d8b02442453db14eb7a6f1f8b408c81f05f4cc2f8e7580fc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Work~.feed-ms

Filesize
28KB

MD5
05ef2896e139203088790a5d9b67bd1e

SHA1
6cca903608aed0d3b1d798f2e4a616c199adc17d

SHA256
a51ab9bddb097486ad4a96b1e3349bd2e4a183841442d5fb2754ca0c2b66d14c

SHA512
1a57d5fe7e4935929c9e1ca24de86a1862200ada2569d4ca002513b80531e37c574cef474b8e6e7a0b98809b2dc5ae2ab4e9006890d59a7a4f0d7eae328831c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml

Filesize
149KB

MD5
aba6ca2337d8ea69577ea0d337fe6e93

SHA1
ca503f060fc60740e62a45d0f560cebd62ec1af3

SHA256
330a510feed940296f36a882d7bd59e71dc689d209a25234275f95a39e20c3d9

SHA512
745ba512baaab339ca639c2f8f77724ccd546b2aa27fbd3601f907e521413162f5b13865f4bcbf70eeec663cf4da0a187d139d16a75753c633258861d9a1a8ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{7B239D00-69B4-11EF-A4A6-62CB582C238C}.dat.RYK

Filesize
4KB

MD5
c905abe203ee1793cdbaea30eb49b588

SHA1
c1233919447bc0515b7edc126fa5809f5b437ff0

SHA256
7c66181422a28eb9db114dc756d84693009041eb0d6c6cf5716bb27ba1fe8a82

SHA512
6daa31b9cfd5526e97d1750be6310d7f496b4a583a7044ccda76830eac14911dc04dd1c231f7a9531d3b2538896bc11237d86a1b1e9ac22e39b81b17e1978f4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak.RYK

Filesize
12KB

MD5
a1bef90767db2776e77f2fb80ea976be

SHA1
06f1dcd5c20e67612318409f15ba3b9defb1576a

SHA256
f94e51050ce286b4eafa29d2e2346322bcce1191b594b388bac812edee5c86bf

SHA512
a118b23a993e4558c6a7982a3f37e573c29ae67bf519193918f5b90738cb2f24257a8824bafe535901373ccaef473998d9a94a250a5d072552258938a3be525b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.RYK

Filesize
6KB

MD5
bff56b3c243dd7782bdb35819035d88f

SHA1
e11914154ab7e09c70105257a8d8a263d57ec8fe

SHA256
77f921cce43437858ccd0d4b6282462d119ca678d2d4f7cfbca5fad07de2c0b8

SHA512
7a342d28ab861402d0c9e6223443f766ef4080f784ad07c274146489d0428c079a6255a940da138b6f95aec51f188d72e3538668ba28162bfa269f4e5ad41f71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb.RYK

Filesize
1.0MB

MD5
1b897d105ca7e71409436c311ea59d6d

SHA1
46a85b183fbedd0360448614e64eb6357ed9445c

SHA256
ea361be50e4256ee6ede3287f90ccc1fdba0b21413f87acb35b12612a26757b8

SHA512
3902e0b9471d0ca9b43747eec99c55c007cc4fff517b3243910bf65b319592e78e39f714455a7e89e640162bd831bf4158d4b5ae092a060c163bdc388ff87069

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb.RYK

Filesize
68KB

MD5
a7ac3ca96dc13e8e62b2536012a9db89

SHA1
d151d07940a1880ff2a384751ce31a7a576a8600

SHA256
573c24acc105fa17de7c3474212ad36edaff51dc9e7c2286664edc90caddcb80

SHA512
bdffa1269802df90c14a6eb9ffa46e672baddd51b4a5dcbf74997c9083f2008713f8b6fd564f6defa043cd0888657e3cbe321704250e8287ef898de13de486ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.htm.RYK

Filesize
530B

MD5
6372422771f9fcdf87a2fe679d8b6f67

SHA1
f3f8772c5f67237aa97952101ec87cd4b4aca103

SHA256
e3c1d7eaef48decda3fd9f10a29c932b2b14e362028b20c953fe564f5e5ab3bf

SHA512
dd8943ac575e93d40c7211e33fa221e653ff5f4430977c6713e4d3e6c7c04e44e295a5e99f414d809c1ac26466a9be5266c9592035c26692a6bb981255667de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg.RYK

Filesize
1KB

MD5
40f2970803b0c7e5a6c7c2bc7690c341

SHA1
86fb6f34279bc0d09c339eaa1bb7bae66c1838de

SHA256
9e6c5f2ebf2a55a468775b3ee32ad5e307c44965b7d3bc73950f208ef62b6bfe

SHA512
8615e5c22f44f7907f06a532ac56fcd52a94c2a7b2d9a6653c92bab7bd4931791835b28620588e50cea90c7534650671e1b4e2efde6f7c05ab7ede6ee99d86e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Graph.emf.RYK

Filesize
114KB

MD5
de6a2c1228d936b7a75b1ef5a01035c9

SHA1
19c08e4fc7e5c92ad056c08b29f06ad58572d7ef

SHA256
d61f45cf0fbdb7a3641e1e7af115e25ff06560ae0d7aec292ab0ee2067004886

SHA512
547e4e537f440c9fb3dde1ee017ae2261415d20af116090ce49d9ef61ed6078d4d6b2b6f76d86c572110ebdfc902c3c38acad31f29bcf2538e0eacd852433755

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Memo.emf.RYK

Filesize
149KB

MD5
5d9aff8917180bb14b547c799d21ec92

SHA1
101891b890a6f40b6806599d01e067095f22cec7

SHA256
e8798d47e77e7f7ff957373056153a2aed9a6a32edcffab489f3f31d49b3b57f

SHA512
3b3ddac44c8d1584ab7cbf943093a2feba6d910c61f85a9370b8cdb7e2bde769c70b5500b97027b0c1da745f00d4b66138fa52661383e1ba3c1d74efa3e80df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg.RYK

Filesize
2KB

MD5
a004f5528fbf35f6ea3de18d946208a2

SHA1
5365a41fedf0019bbbb79409dded117ce7f632c2

SHA256
a06a9adb3b912117fe8fc8d3fa0190d2b548ca79f9348104a4d27d8244e0e8fd

SHA512
efaa795ed3c303ec3b664d564784c6e29378854b06b178d71f3303f2ec05450deb9b19b74d66b6b5abc96a25fe63c3b0ed7a7033fadf5cd750e5a667636322ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Music.emf.RYK

Filesize
25KB

MD5
01cb1dbd2d2415432da9a35af1b780d2

SHA1
319ccb36efa31fe41c8d6b8a4a021276ff684bd6

SHA256
a98846e8ab97fef4815b576926f8155316e96fe41a05ee13d8eb897fe008744c

SHA512
80a6e912ca8ff0ca8bd8a3854b8e5fe2707c3fb8a5026ad1f77c02ba276aa03f7fa7df16f86fc2b1dd95d5012cdd94b09d3736c782bd3d3876d9de6e3c662bf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.htm.RYK

Filesize
514B

MD5
eba1b1f29a069c56b5db8aca77215931

SHA1
f1e62ea44af11798f9b9b138d72d1763358060b1

SHA256
7ca53108ce70baafdab6261f29c846210ea37f787a2c24e714984912971f23a7

SHA512
88fa43817b5d72b0661d317996577fb31177eb925430474de904c7f4e79802619aaaddf43a8136394676ee41dc4b481ea87d696e157bf231f3086f8ce4c0b612

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg.RYK

Filesize
2KB

MD5
7b261bbc2d181a913f750200cf02f078

SHA1
69f921609c4d7d4dc6138f71e86aa7a97424d464

SHA256
2042e4a3e6aec9f504172addd36e38c7ff6e6bb8c8fff2af36d003379cacfdd3

SHA512
6ad55a77e2635b0b454b7352065b98fcda9b09ceb0d9eaf1d365d176870298c1f5bac64b8035e55259f9d615f8bb402bdbfb8fc2cb2ffc7b9cc5f557b6f91409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Seyes.emf.RYK

Filesize
36KB

MD5
5bd71be4d0888f2a3e232397c1854190

SHA1
7277df820864be45d78246d9e5f2270668f9ab41

SHA256
58d2c210a869ea3a1f61b47076e6b47a159dea6f4b4fd7182ed769a91fca4763

SHA512
5707fa2a10050b91d38150c89beca011bf400308150a95b93a587a2386cc32a98bf8f1b31470b89ac8dee4b66cbeae7d8ba0fb3dd7c186f28b6362cf1bc4ab5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.htm.RYK

Filesize
514B

MD5
bb7e18414b41225ed5bd38e3c530b208

SHA1
33ef1fc560c75df7761616dd693eecf6309c6bc6

SHA256
411ea3326a0dfafed1da557c9e8f86ec40227a8ca877dd65445d73f1ea50b829

SHA512
8683cfd7bf165340acc770d1fb4ad8cdcbbb5516a1bd8fae6950daa2436f526c2e33612e8b1527e57e6dfcf76223aba75f9bc43b226a97a34945953e23c1db75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg.RYK

Filesize
7KB

MD5
ceb27759e4b7971360dda17f11d1edd1

SHA1
b96a026727bc44a12e75d62adec17c58c53dcad8

SHA256
7a636d6d886690082d936944b18810d5cae76f845aae730e8970e47c23b566d9

SHA512
409e9a1324c155395f131a357c585b625071532c5d05bf903d5f430ae350a913d5739afcbaf5826ea09fee392521d4636fbc301a459fca52c9e62ff39035c11a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Tiki.gif.RYK

Filesize
4KB

MD5
887342c55ea96ad10117722187ea61a9

SHA1
84b81dd350da12f1e7042e54933b49950858dc71

SHA256
b8f165d7c47e02067d64526016c4f65d2fd7038cd30df1e2b5e55eaafee42d0a

SHA512
2cfc37a23a99bdc37fcb3c4e39180da8627ca8de423e753674a472d4491940cc6748b75491b65b7f19e9800681a3352c4669004929ebb6fdafb281990e0d6a83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD.RYK

Filesize
786B

MD5
d88f15786079a96f38836baca452c05a

SHA1
4fd1e93a56065a742bf03bf43d92c2413aacde44

SHA256
f5fa0e760eab05ba2027edd6e1c35eff6f885123ace0791642504007269ce754

SHA512
433a2c3ec1a38e737dfbb9d50f9366bdcfe17c93adaf4b91f616574fef8573157bbfeb19faec41b61b43f83bc204913cf07a7b1a8d4178c27063f47632428beb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.RYK

Filesize
10KB

MD5
e16eab7cb4017dc780d99381b5c66742

SHA1
61c5dd9e1744f474b54cd81a901f5fe84985533c

SHA256
c3837123d367bf28c762bba4f3dae57d980c3cf8a13d258b9d5029412e1687a1

SHA512
f2401e278c9e2f4591cadc09b4254c278d89fb3efb43cd245ac7064c89e769d85d7cda0d4b7f35a6c6095450a6b608af725d66311dd16593f9829d271e213e6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q4648X1K\favicon[1].ico.RYK

Filesize
4KB

MD5
0e088a7bcd5827b9aefcf725243fb5c2

SHA1
5215068e1514f66801125a80a39270e9eb032aed

SHA256
504c9e1de4914a33fb7d4822954846a5db2fad2dee5657de764ed54af3d857ad

SHA512
6c934c51573ecbb1e5318d230c3f121bd7d30388a202060d2f95a51a8017f0f75148cfd9c6ae0e846785e8a870069ca191566cc719629a3f982c0ba29571a723

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00000.log.RYK

Filesize
4KB

MD5
247ae72aacbfd2c312eedacfaaeed543

SHA1
163fa6081991758161d0fc30ece0091de5bdc566

SHA256
2f8422f3dbb3ea0931cbe0bd497f63aa67a033115a59579a5755200fc5e9b496

SHA512
86c84424323f53936082a20f502a011883614e89d9e077a472228f22023b975841b3a2017c5bd402df2117be03695e92954228cae66ea1f24313c60cd58bde66

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001.log.RYK

Filesize
3KB

MD5
9b40b6319f2869844b2ca79e0a7fbc7c

SHA1
f3959fd4a90f8b33d98a4a8f946f03611531a239

SHA256
f96641897e574260e88372d5ded79e0595f778999c3f7a97a3de68e683b800ce

SHA512
5d8b6634e2a7c0478d301b58559db10d71121e2ba088e69ad478499e3f7e53df66263a7114fb891737cc61b9d18e6f593fe8975878f9e406467e5b9d2c614c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp.RYK

Filesize
48KB

MD5
bf01f700f4e2d1241450c3bc8817ea81

SHA1
6c0b325f8ca14a70dd66812568fcece036ffb41f

SHA256
ee18703cf327e8c351898cc271ff17432659138445d2248f986f80c510c5889a

SHA512
ab3ff72efd85ef3ac4455af1dbc35625ec61a7a9db3f8204fb1b4dd1d0e41f1345aff64c90b2a29c58848d6d382ca86f7b1170a3c9ae3e6e7f7df6c0c9699597

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240903_051516914-MSI_netfx_Full_x64.msi.txt.RYK

Filesize
12.7MB

MD5
e6e6e8525f309c543114bc3a7ce9d5dd

SHA1
eb004c231401be2c0468f831f21b54fae696475a

SHA256
45ed324f7472fece935905c9199851ca7eb3336ddad8cce61ef0a2e6a2f935d1

SHA512
a60458b7380a071c2c2017366c857478e3cc8136ce623716b64731ee4cbcb0620e80709113c7f012795e194c3df7899da2cbb38708e9a5c7891d2f99b026e0ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGI1565.tmp-tmp.RYK

Filesize
9KB

MD5
834cfe64b84c756e0a73dbb4e830501d

SHA1
3fd5b798757dac5b66468ada03748a728f38ee5e

SHA256
9a5f5a14179845edcd11ea10782421ca7f421bc45ccf7203b2105e6bc6f75753

SHA512
28d2aab57d754fe10e3a3d9c543d984078dcf87a0c6fb17d0bfb4a4c80cbf3062cd2140a688ae3476ee3358fc13eb880c4e5199cc955d89aa891cf6e0fbb0959

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGI1565.tmp.RYK

Filesize
10KB

MD5
fe395f06d4783701e263857ac5669e2f

SHA1
9bdffc35e87e075773b1a823cfd53c52d4880257

SHA256
6ebcee8365633963e289018e9bb15e2d596eeac53f0ba69f99de7dee2ec66ffb

SHA512
1e5d2c3f6fa407dfbf7bbd7f6b64eca3f17ed683598027ae81005e968e8298cd92edbc871f92eacf2c4401ad4178fe8d685c7f2773853e06b4d12d855785d990

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZPmVOwz.exe

Filesize
365KB

MD5
5544362f8a060fb0fd9678a450ab1ada

SHA1
3267d35994b321c2011ee7e2f52ec69517320508

SHA256
15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0

SHA512
fc0b98a10792073a35a8bd4bdc0b0edf769025b31cf64ac3e64b20fd0e4f48c2f33b20e81101e83d44a90900f938bfd245f096cb2eb69f2c91a8662d61b8f6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log.RYK

Filesize
8KB

MD5
89dc80d33461574f31f4e1e6bbeb1be4

SHA1
1e71c98e139d8e7cea4059cfe146af8a2d1c54cc

SHA256
9cad1b9ffd7a038fdd6788799f55985d95f71ec04cd151fa7c4a82b5f681ad8b

SHA512
9e75055eebcae8c9510f17b1b621ab1d37fc06076f6dae2e1a61e5da844e827b292f06db6041a627615d1446fde6ce40545f97fe75ce64e6a1d23efed3d706d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt.RYK

Filesize
2KB

MD5
2bd88110ddb00105b7f6f56cfaa26cfe

SHA1
14a90706d0f39624bd2be049760ded01dfb70e91

SHA256
30f2d088b537488b996cd5b025afddd014586daa0502a39fd293013d056e4dd3

SHA512
f550e96730668b912122917e527428633a9faca38019e92d00aacb3ab70d8c7f5247b4dc38f3233b5766d882c453bd263ce7d6ed8413ad4b067b46e065f32d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI1DEC.txt.RYK

Filesize
11KB

MD5
010d415a90b635d6199d26e285c0d217

SHA1
dbdb103d9de8ede6c80c6f06ff5c136b76ca837a

SHA256
13a953c7673d9266c12b237ed8fafa75269e180cc497ea66e6ff3716ae4d48b5

SHA512
f9201857d17f5da62f4c643d1729c276eea1f780cb3fc6584254caa78a80aac2471aaee25a1b528eee111f5c5ac4c60d32efbd64499af369f4f8d9b760e667bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI1E26.txt.RYK

Filesize
11KB

MD5
8ede60dc5d54d7d23f2b4b5b4229cda5

SHA1
2792fb4c6cc5729b6b396bde988426c4b85dff62

SHA256
a5b738f209683f51e51046a83fe62ca334c22345f3beb58eae6f8e729398fe10

SHA512
c24e7dc005fbe100d25107a285e5c38812cdf7a9bb06d1099534aaecc4ce3259ebc45163e7d07005570ad39c0cf4162bb84e70c74289d1ebe5d60c27ac36ab75

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20240903_051526_992.txt.RYK

Filesize
7KB

MD5
d0db9e69aee1bec43b9aa2b73b313f57

SHA1
63c6105983173a8e5e0fc844078d824264fb9f31

SHA256
c759c0ac611c6ef99cb88210a4f2c957f16a4d60b1e535f547312da181620016

SHA512
c6a56a1c5b80d710f735a6d49865602079ea55a885568e38a9f1212337df64611d0efc6a24e7113bf5a7b94ccd76036ee0daf91b2c6dc42dc2d2c52ae5e5d80c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20240903_051527_522.txt.RYK

Filesize
2KB

MD5
68c36cc0ac63f8961c0e47f4cc68d9bd

SHA1
e0eeeea68ae54155bd5d83edb0083907092bb69f

SHA256
49b71eca0087269cd8b4daf4d40e7aa02c08e4c8cc6c87043b01496573454e5c

SHA512
fab09f99be685aa6737cc111baa669da8851b5b934fb23af931b19c7fa5ea54d0d5e0407e4c51723dd2bc871a52e282adb9a1c77430cc17d32a5c3135507fde7

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log.RYK

Filesize
170KB

MD5
86a77693ab54dc52b1e897f95cd892bb

SHA1
65d5086155a7e6896a269430df669485dff2f5b3

SHA256
5dc6b5d4324365e4594937a71a555f097bdb341949f443df0d5542178410c2aa

SHA512
a98b2e4f0b5703bd1cf516e7c0e51901816dcfff0b39718d101f49527171b031c57293e5ce14ee391215e27047ce5f850c4e53b2796450c87b7d82ecf18451d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install_reg.log.RYK

Filesize
4KB

MD5
15ea3569aed0aa4354ed15f31d6114be

SHA1
45aa580cceeae352f26d403ed12d42e77680032b

SHA256
1304e1ab452fa1ca856707cc4da3a5248d39ee884de9fbf496acce2ed0807be7

SHA512
587fc22049c60fc1a489ecb2f3f1f59c1746dde4fdfe7ac4279154abf6cdc2b9f6bdd7275ca7ca7111a62c5b27d7afb19c4098560c365b1f9a4d5c89fa45f0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log.RYK

Filesize
1KB

MD5
64f266f906ab92b3986c0e0226f8de9c

SHA1
d0a364a35f4ce30af7c70baee2ccd7f039c9573a

SHA256
cb0deeaa3952cf7adf21c4d910a193c35703103d482101566084dd6c956b2341

SHA512
7cea6286cbf4601ec66cbdb6e6fe25ba196c8a652d9995db955701753fc2fe1852b5381d47448f38ad8646db84549b2fcd12090d3a4e2dd1249e4fe67ebcef78

Download Submit
C:\Users\Admin\Music\ApproveUnlock.xml.RYK

Filesize
276KB

MD5
79ecaedc177179af86b01465497522be

SHA1
64b6ceb53b024635c94def4ea3e2b735271ec5d5

SHA256
19b83674261202c8c421f94658e40cbe30c14741e3b0b258258819fcb65b5524

SHA512
0246400dccb4a5cb630442611d9ea043b29f253234badafff34d3b3288df5463efcecb55187d7d3cb573ff7ec4e20fb7a193a2ed2caa5f2d4537cd1be73b6d37

Download Submit
C:\Users\Admin\Music\CheckpointDeny.docm.RYK

Filesize
376KB

MD5
cc40861d6b1637358d4c4a282787da67

SHA1
f845130e66200555a945330ea87c7eec05292ebf

SHA256
4df2cf279f9902e1cc3ea16c27a967e67f6980ad0e932735106c2c0811867a9b

SHA512
c45267427d435958f708a08e378f8e8fd2f53000b83235ae7e0165e58efb5a7f9eb2836224df9880b77d504e9205c6c476b6e379b73871f8f9b0b1d4e60631de

Download Submit
C:\Users\Admin\Music\ConnectComplete.css.RYK

Filesize
305KB

MD5
4f825df4a97784d14d10d8446609fbdb

SHA1
93f160ae610211f8db5b3966bff8bf6890fe5dd3

SHA256
6878e0f4292553d40388c89bb612b8ddc40fd7f2f14cbb5f72fd31efc5d98b7a

SHA512
912d5beae87686f9e4c9f00155a6ad27f097fbf3cd3de70e90dc7dd5011b6ac663be93ed8052fec704d471a91db994f54a4c0d97d0d8927520fe8e280872f5ee

Download Submit
C:\Users\Admin\Music\DisableUse.tmp.RYK

Filesize
205KB

MD5
9781eabb9df18691e90da0dcd8ecc775

SHA1
028f558963ae5cd570fcd4204d6c993ec8f87953

SHA256
fadac68ace35472a85cb98b9d68003e0f459a3c416b3b42e51a22cea34bbe169

SHA512
11ef6abc99a580c157b9ab9c66d1e94d6f8909f7f639c177f6928e4202a4d9b33eba0b088f7b025b44bece3b9e984aa999c99b75d1131d85d1f7c6affaeee787

Download Submit
C:\Users\Admin\Music\FindClear.txt.RYK

Filesize
525KB

MD5
ebeefb491fb4e54d665c8941fb9525e7

SHA1
ea2182527c2771155882c450e68ce024ab7be283

SHA256
cc8cfc217920c85eb10d8d63fdadf2e5e498a948ea977be10d18c66309525549

SHA512
fbdb52ee9ff9aa2f4da4df9b9d103549e89281a5628624986658e39a7ec63485e3625b638a8272952f27a53be2bf715881e9ef823d0b3cd541493def4926a7e8

Download Submit
C:\Users\Admin\Music\InstallInitialize.pub.RYK

Filesize
262KB

MD5
852b9b92d28da96a6eb3e86cf265af65

SHA1
ee74ced36ee18072df23987de5f14e8d075b2eab

SHA256
485c66c45aee11e98cf59b01287b3df5e3f913ca6c407495be6ed8e419ff09bf

SHA512
3252e9dba67085e67e7b6b9be22f561466339612783ed479055d74721fabb2943d211c8443cfe85d97bd989c84c8b7e21120be759ea1ba7b05ef1206c20940dd

Download Submit
C:\Users\Admin\Music\JoinMerge.lock.RYK

Filesize
163KB

MD5
64025de4310732d6558e8e45c1418599

SHA1
99eb4ead8600d9f0021f68b5219b2569b5fda6ea

SHA256
75a1f6b3543f301563dbabe90d04a04bdf8f0fc0f99abb2ff39e1a73dce7e5e5

SHA512
0af6da46239256c238c6ccce5b375454b6df22906cc2c257df7e277afb69bf6e9bf466529ef048bdeb12b8ab3f176eb9f86ee38148c071ecfbb71f9c77cafb29

Download Submit
C:\Users\Admin\Music\MergeEnable.vstm.RYK

Filesize
361KB

MD5
404a6e89d5ccffe7a983477084a8e71e

SHA1
7bde498d5713c0ac3dc8730ab4d415fc0469696b

SHA256
7264ca325edd17c568796b570a56eddef0ed46f44723950afb415cdf83772f2c

SHA512
d2e62d1c240bd5a0d2ef2e3295b58415f0823be21f07ee6d7aed00bd5578b8cc24a5b36997feffa1f1798ef9a16b9b01af5120d1996938c43a6dafef759e9442

Download Submit
C:\Users\Admin\Music\MergeRestore.html.RYK

Filesize
220KB

MD5
8e02947e1165fad9a579316da5159bba

SHA1
e7318cc7633310ab83a39e3908af2dc26cde4c93

SHA256
6671c0090ccf06ce58516b84ad3bed125b6732df728e9c16345072f7e0aebd71

SHA512
bedf646c63819b9bc1ac8a555eb7ebb70c639e841b9fff3c26948d5895e2607463887c2f4ccba7aaf37dae223551c1f8f2282dfe64b9363250131f5a1e7b0a84

Download Submit
C:\Users\Admin\Music\OutMerge.vstm.RYK

Filesize
234KB

MD5
e546084320ecad93613c3390a9aaef55

SHA1
6503efa66a767fc9ae38d80c41ecea77e5d3eab9

SHA256
d0e5babf03c70231d9c6b3a4fc6fe19017e2bff9840631433ba79bd7923e9561

SHA512
ba2ae99ff639dba5d8820c68df4f7c679541a35c829eede933a5f5ec23fb8f8c7274e0420e66e9e35368e74c08dd877d22c438e360dbc202d408b975d5fa5f50

Download Submit
C:\Users\Admin\Music\PingReceive.ps1.RYK

Filesize
347KB

MD5
860c47d5f7265be6df46fe3b66513088

SHA1
064429610a63b112432f9d24f58a235daa85890a

SHA256
1ae72af3c60b0f81cdd6143e3de649083ff3ec1f7f89d94c483fb55d734ce3c2

SHA512
9d0f64b3d9126e6c624794d1290ddd79ea0471f910284dbd198a11766543707f977ab81b30b4640363490822dd5f87067dba462495af76203ff7b6002ee0c3ac

Download Submit
C:\Users\Admin\Music\ProtectUninstall.wmx.RYK

Filesize
191KB

MD5
769457102524b6232ec5d32aeb3c3327

SHA1
8fde24b5da57ac940031c4ddd1658d553ace3de4

SHA256
afa0ca662adb6eb1f052434684dfaf5892c1601f040952045ec329e7bde5b0b8

SHA512
f19d0ee552f2da3f0a59e057ac91556e157cd460f5bdc1c3e2b65f9e11ddb06ef7264db57cb7aabe634a11c1e65ca6dc81ab5e8025d21adecdcab440bd975b3d

Download Submit
C:\Users\Admin\Music\ResumeConvertTo.emz.RYK

Filesize
319KB

MD5
006ccfc300cf659c3d2ad5d6aa50cd7a

SHA1
fa0402f2bebb857173f6cb6302a0a3b54ee14863

SHA256
04ab948de6ab4cb6fde9b997ef6cb26c1eed7366308cdd8cdb0703926dd8aad4

SHA512
588870cb8cfda7eb029e35893b0f8e730ede370688ef9d09544ff4b28fde55b6586c14b4077fcc38ae5bca6e7570eb60adf2ae99ce894371b0cd27d759ca1c7c

Download Submit
C:\Users\Admin\Music\StepRedo.asp.RYK

Filesize
333KB

MD5
7d6f5db61475eb04c1272b3a8be5152a

SHA1
24b1f4d75d97db7e55d056841c29dd3306a57da5

SHA256
56dd9d2f31bafd8fa8d0b7cf1944d8e36186f63d960e9729ee1a0534ae3e49f7

SHA512
bc0d74df8d5abd0ab5f9fabc853e532f0d26e22528fe287f8d9403121e5e0cdda50f765b4a76b87284dc558af4cd5e310a3df3ea92b37677182266aa85277dbf

Download Submit
C:\Users\Admin\Music\SyncReset.docx.RYK

Filesize
135KB

MD5
5c947bf7a0435568dd20f725fa855b28

SHA1
ee79894236340c34a419aa4417f65efade832bde

SHA256
daa833b9f1bf143af79dae4bce5d822ef667272f4e21621c4cf81c8acb3c267e

SHA512
0ab4ef2d02f2e4060bd009f396e5d233b84377567637e7218f1c50b4045d9d927d2b355bbbcee213dcd1a0b666671c2a280c72b0df301da87801c7935394d86a

Download Submit
C:\Users\Admin\Music\SyncSelect.vsdm.RYK

Filesize
248KB

MD5
a486a7aca3a344a0823253ec64f51c39

SHA1
ea791e34f8e75ef52ab2528e55aa89990448c30a

SHA256
3ff8912aa9e6f50b71a969f8d0089ccf21c1b1345772a6b7e1c1b0f4c7fcd1a1

SHA512
0f5435b3e44f9ac46a189222d9e1d65f2baac2707eb33473b4238189836e36594313a326ee46be81229439cbe7571c921162bbd47f7690cdfa7f0009db3bf8d1

Download Submit
C:\Users\Admin\Music\TestWait.cfg.RYK

Filesize
291KB

MD5
d04c3c84ecb589937a2e829e6e98d6bd

SHA1
a987e5946412ecc47581887795e76177f3fa373f

SHA256
5a6ebc2d3832af68e67fddca5d83f4f879b2d65885fde3ae540731625d815a1d

SHA512
5cb750b227f27270f816cf7bdcae44cd86668b839721b1e7be3441dac1e21350ba8b88545ee8f0fb6c6573191f7cc1eb9c850bb05278bda705f4a0f8ea56dcdf

Download Submit
C:\Users\Admin\Music\UnprotectApprove.pub.RYK

Filesize
149KB

MD5
c0ffcbe779a5f653a5a32a9125d790dd

SHA1
011046cb3189f4b26b950d5ac3aba174339bfdae

SHA256
b63025d66b880db3116222dadb8410222bdd31faf6d98c60f2586ca2af554fdb

SHA512
2d781c54fff272349621f627d9f3388fb8661a2135a6ac59ce054345bf439f40c487a6e2b751ea91097282cf2969a46d8fb2723ed0fd6c71d4e8c9ee1f681f87

Download Submit
C:\Users\Admin\Music\UseDisable.mov.RYK

Filesize
177KB

MD5
5e8014503b9820076678c3d31d8ac709

SHA1
a54d9433bb39f47f70697e3a227e85b5e060373b

SHA256
c08b613a21a4f8ef00858b28ee94b2a068468a395a4a05d3047943aa7d04305b

SHA512
9dff42ac48430df0709ec54871f78ab7dd75465efee11216a81bf880ac0e841ab7b4e5ba33ff1ff3da96de608f2a02b7b58550aedbf0f28f7c5fea5c141a7985

Download Submit
C:\Users\Admin\Pictures\CopyExpand.svgz.RYK

Filesize
601KB

MD5
c79ca1dbfab11865b500a9b1171c8aa4

SHA1
f912937ccfbe7c7bdbb5b581eac4b6fb3f97f037

SHA256
6a0e743ea42261b6758b55763ea4d74d542d40ad98cc64ca395b8b92fc4ba70e

SHA512
af2341eb10c9516d217f0a239a955e9c1ffb8ba10a2d6fb55fed4267be5d608248b8363c18ebcbd0111e11a66a0c3108241f88a2226b1bf83151f65bfa0b2427

Download Submit
C:\Users\Admin\Pictures\CopyWrite.dxf.RYK

Filesize
418KB

MD5
d57694d4f14a51fbff5f930bd369c459

SHA1
b0155bd5b807e6a064fb12a8cda3e6a264cadc0c

SHA256
c012375799fbf7e52ad49f5fb74ee73d035477496006278095e9886e04249c27

SHA512
088aa044ae3bd59db6d9c0ea97facf7a5fd9ce03efce43ea6e4985a2bbd6f432b3a1cecf35f00553b1b80655787e60bc640cb2464a2289265e737133e57b1c5e

Download Submit
C:\Users\Admin\Pictures\FindExit.png.RYK

Filesize
455KB

MD5
22eb8cca82ebcfd878e4fa81eb9b033b

SHA1
a24f5f6ae1de22ca8665e8b7d0be38064cdb12fa

SHA256
388cd5d0619f9c9f61dc7612f9d6aabf4990d8923efd19c6bf533a7977da5e5c

SHA512
26c32b77f88b391c08452447d223c3a223525cd2a54b50c35fa12104f8cc01ab51432af6a7be7e85f618ed8faf54766f204e9b049bdfefc7948f8e2ddbf81fa7

Download Submit
C:\Users\Admin\Pictures\FormatConvert.crw.RYK

Filesize
710KB

MD5
4d0b859092d0879358b0a002a560ae2a

SHA1
48aa7c40ddc9818be85953e91adfb2031412604a

SHA256
443851c9b72ddea2fb7b461ef42b7c362c6def80ce554aeba6bfc611577551be

SHA512
be76f140d846585ecfb3b94c1b46f30b4a491f98dd6ffe60ba22dbf81790c31be04dbc871baebb3daa9192374a42658bb3e0d23bf3a54ecbcfc13891d69aa256

Download Submit
C:\Users\Admin\Pictures\ImportBackup.wmf.RYK

Filesize
746KB

MD5
93ce3d8fd8997db8ab72cda4ed4d3c36

SHA1
2ead5d0db15b371d5055c0554c82a2f5304cb536

SHA256
dc5e74a634e40565d0162d2c47f0f462dcb219893a02daf7612de248f67d76a5

SHA512
bac0387108d71e94ed31d555a13af3b3335988be023cd9ffd0231f580efba2d2d58ce519977bc45a9ad8afa8b38d08c842bb9cdf90c9d69fa72b71fc51661e89

Download Submit
C:\Users\Admin\Pictures\InitializeResume.crw.RYK

Filesize
564KB

MD5
0bacf45c9589cf3b15368ca7a0f363f4

SHA1
8e241bf826611776ab8448321c3d3e4dfbc790d7

SHA256
9e542347f69f0d163a2c269fffb862d83bfc28d13fb90fcb60c48df16fad7f83

SHA512
64c051e047500427c067b4306c76522faeca48200dc8735f612332b4c7893120f517155ecd6f07d6cc3bb498226bed43d61c4197e930ca65a326703eef24f37f

Download Submit
C:\Users\Admin\Pictures\InitializeSearch.tiff.RYK

Filesize
491KB

MD5
960ce7f572474a831418d41369565258

SHA1
b682742dd7359645962dcf9e49c44a982c635e22

SHA256
58d29d567bfbbc02dae50f3589a03c63b2b52ff70d7c14a048ef712d288dea7d

SHA512
cdaa64ace48626955f74404591afefe310641766b03643df7a17007aeeabef823c8790d3b2fd22d3c63271850aff68b472d6a3bf3c40c793aebc8b3c395c172a

Download Submit
C:\Users\Admin\Pictures\LockCheckpoint.emf.RYK

Filesize
382KB

MD5
772d6eaec5f7f73fab4437d5beff7de0

SHA1
817463ace5829d7a94ea00b6bbc16bb709c84491

SHA256
a2f023d241d54366624aa8182f7ee6d03406407d4cbf1cd54ca2005a70272851

SHA512
da1bb9f290123f62cb8d6c8ceeb074c4bfef7566ce0ae62a7d608ba95731381fb09f634b86ac83eccc82e1db98ac794659d1b1eb4349013cea60c891aac2d3e1

Download Submit
C:\Users\Admin\Pictures\My Wallpaper.jpg.RYK

Filesize
24KB

MD5
28b39e9abd2ca658b7d24ebab730a920

SHA1
05ffdbde82207896ce8d6b63848d56b433f949e6

SHA256
d67430d23ddd10806d82b19d222cfb4418e9419b255efc1956f2f1e76289291f

SHA512
dbc0a4a9d50818200dc261d326abc0819918ed092d8b5be4a6510af2f38d92f7e8e2b18450b69e3a60b2f7882c427e13549fcfbadd596b678d3fcc5a0fe6ed7d

Download Submit
C:\Users\Admin\Pictures\NewRedo.emf.RYK

Filesize
637KB

MD5
e4ee41cf2164c68cebb460054e774e9c

SHA1
373a8566dace7e5be7ce3a482000efc70f633e88

SHA256
71c29ac7dbfde652e01623860fa229afbb003dd37a5ebc3df97d340706ac19f0

SHA512
d419d517b3c8755f7c770da4fe1a6ac3623871145cf31c02402b7b44ea60b92e0d207c250895f9d40ed7cbb7e48c2520e7664854f0e1be0e6595914fa16b80d9

Download Submit
C:\Users\Admin\Pictures\PopSave.dib.RYK

Filesize
1.0MB

MD5
c609d5cb67521e356aa77f16616e5fc2

SHA1
63a171e63e025e8b17af4d7c1e0121e4f5722f7c

SHA256
e58cf20595011026d833b1fdf8274e63a04b9bad3d4bcbff52164ca2e4d6fd07

SHA512
455f164fbbee4c57e2c8a8b712178ebe5faeed7c2291e8dcdaf5283a848e5dc1de7c129bc1c391e566eabc1454d86e4042e2cb96c02641e9861c9dfb3d96dc8e

Download Submit
C:\Users\Admin\Pictures\PushEnter.cr2.RYK

Filesize
673KB

MD5
e0b740666008f7ce619a2a2b041e29a4

SHA1
8b378089d0c01bf405a799e16a7ebc9083fd07af

SHA256
822690a91a6bfab3b6c316d31b29567abe68fdb82ad5089370917597134c64c7

SHA512
fb4e1a498504b61eb0b8d238f557c4e232d44290393711fc044777ac347396c694a8d1c7783f3a3387ab52d70ae7fd6f97ead2d1ba993a31e908ef98f5701862

Download Submit
C:\Users\Admin\Pictures\ReceiveSuspend.jpg.RYK

Filesize
309KB

MD5
d8683791e9b7116c4cada1423b687c94

SHA1
2db0efcf4b14f184b64eb5f69df2f7c2d39ebbec

SHA256
9a2c07279f15983554795cb6c306c6fa0d22d97f92ee13b0a63271e1a5b50e59

SHA512
70b55d71e4c422e01e1782b7c262e21e6a5e606dbdc31dc509186e828dde11223b5a63821f7acb2852692ff866931d4cfaf91a91adca35ef702f449e0ffd6953

Download Submit
C:\Users\Admin\Pictures\ResumeAssert.dwg.RYK

Filesize
528KB

MD5
53224a26c63cbf16f81faf9cffe570d0

SHA1
02769c9bffec8a5560613064100e140a6845f951

SHA256
82d99d4794cdf8c822c9abf2e0ae3100075003b8540cb46dab88e0735e810390

SHA512
b1e938e00399a2d2402369800d8e19017ea92aae42da42696689bf8973cbec6fc0f437175a3a318d2872b438430ddcd77a75c79b71a5bdfe2d622716bd6cec54

Download Submit
C:\Users\Admin\Pictures\SelectSkip.crw.RYK

Filesize
273KB

MD5
12bf4689ec08a4a0cfbb17ea14307698

SHA1
3a93e64b5c8194638e81250cb638fa2596bf5135

SHA256
4d388f6eaf4c85122388f2bec640ef0cec53ebdef71e265e117df019fe8825ac

SHA512
f1677d7d665d1917fe819647017d4627d97e0479d4aac94fe48adbe6c0188bc9c609d25ec7d85a0fc7e3ff29e7e00bdf2a2ccbc67c304bfc50d856e0e8c8abbb

Download Submit
C:\Users\Admin\Pictures\SuspendUpdate.emz.RYK

Filesize
346KB

MD5
8fb5542d2187c135e3b8e23dad6907fb

SHA1
2ef5382b4ce1f052ee663749017c112b6cf37d81

SHA256
69b3de70eb47f3e8e9521861f5dfdfa2ca151484240818c9548e25c05abd02d8

SHA512
027a70629aa668cc99e16b28176722a9e513a93d65a3e017558624862ae89498a0af0b2f7f7fbfcf2ec5d242e476eab429b133dafd5c4517c532f9318e27945a

Download Submit
C:\Users\Default\NTUSER.DAT.LOG.RYK

Filesize
1KB

MD5
50724bff3783c414e3a587b8401bfec5

SHA1
523b6d8c72cbefbe9b4d2e4d6a6071a52c9f0bdf

SHA256
f9927054045edfbce2f59303781eedd1d35a4cc3ea959c2e7ced2c7071c6f0be

SHA512
f043cd5031d0eb8436246215b62078a1ebef8bca4095b34a322d502244700ff61caab7718def50e1927fde197377556cf25c847073464544ccd4d74acdd6036c

Download Submit
C:\Users\Default\NTUSER.DAT.LOG1.RYK

Filesize
185KB

MD5
bb5e6197841466256c7634bfd943c181

SHA1
a94f0177d65bfc45f38a0e12cbb88df74b8bbe05

SHA256
0f44a9ac240a7a930516ec32efe0e4dc0679191c29b1f6f84dfa915fb1305c5f

SHA512
d28c1718fe1f61074a0fd57bf01f665bc5518198e8079fe5f8cb6c5eeccce35938e0fa44c1acafd539ea63b7d61edba00cfa4b41ed536d45092ba7f0a91747ce

Download Submit
C:\Users\Default\NTUSER.DAT.RYK

Filesize
256KB

MD5
46667bbc9deadf46d102dc2daa0a2ec7

SHA1
50ea218d41b3533649615bd42b87b4ff71a97582

SHA256
dc3306b959f523af97a1568237ee55a2419a69c0c99302940b9dbc940da6e4ab

SHA512
2e55c01952e6f1af2df8e4bedca853aa24e45e8e2f963a9abd3a642dad856487823b62cbe5dfad88a99b607d135037d58ce8efa8e8e8a4b9f46fae596aa77f46

Download Submit
C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.RYK

Filesize
64KB

MD5
6c4543791e34bf34d1fdb0b775428cf6

SHA1
2be445c3b4ab426cc58dd0589734550eb821f645

SHA256
d76e750b85082bc4df79e5ff3fe4226dad4d9e8dd6717ff17c6786a322f133cf

SHA512
488c314402e63269cad13bb02bc068b5ca6d05d4da1f6f2c7fcf4529b57afe6949ae7af875e37e33bce0f57a7b28f803aff907590b46beb3a31dfdba52e5f480

Download Submit
C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.RYK

Filesize
512KB

MD5
99e618e4bfdadbe804f0c3274ed3ee95

SHA1
b8c493383e36daba6e7d9656186fa098793cc285

SHA256
b25142e4f842fce6d53b2be51ce06ccd7d089862b78080fdff83f11c7255a8fb

SHA512
a7067a954f5356fb0afab4a39bd527b3a3ecc59ef30251229cb50d54de97a1f7b044a706200eaa2c32c32b47fc01704121ecf65b0d1c725063e459a5edf6d131

Download Submit
C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.RYK

Filesize
512KB

MD5
8666ba3482e5683e09830ab8cad303c9

SHA1
f04b5f9d41ca55be52b849fba82269a35e8d52aa

SHA256
9371044d3a2bf21913272278b14c96100001e8ca021597627bb52959a6762d97

SHA512
8362d1c7d8cde462ec2561f685a5035a4014d5535f142625757871194ab388a49aeae1722c20c9accb85a01c32f9611c2cacd7652c6d0c4b82c3f51b2cd3fba8

Download Submit
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.RYK

Filesize
3.9MB

MD5
60fdfff90f494b630872081dfcfdb614

SHA1
4ee13735d8954aee2585b919266e0d05dcff149b

SHA256
3677925969494e5ec0495e59068d019c7a62dc7e8587dcfeb5e13b5d56c45c57

SHA512
73aac619c39bcc1ed3474e0838564f0c6fefc8f976c02f8ce37c5fd85ed540e685bcbb634962891a94a8e03bc38a87bfe93f3f838a71ac328ac90086ffa0feaf

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.RYK

Filesize
859KB

MD5
75e378223a9aebfe339ae01a6743ea48

SHA1
bb6aeca66d7275cf5bf9c2a208a576d000f8a5f5

SHA256
396aec71a30f42d871591facfda62e6e5335a28fef49951a433dd0bddc776143

SHA512
725e93f7e6d5611a7423f3740f41b4bd884c4b96f65f41a28d0534ae3530fbb398ab9cc30fe122c763a69fca9b4d2056de3b6dc31e018eeae212ae4b3b994cbd

Download Submit
C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.RYK

Filesize
25.0MB

MD5
52cc6df1b8a0ca1d14c982603ab9e254

SHA1
0487c603902413d5abf1aa9af401cd556ef02379

SHA256
7b152086d625d16a1049e2592e74b2200469146adc110e0158dc725fbf30a871

SHA512
53c876ef1b65cc02d58b9708c70ff118014475739b0a23a49987b33f76751a04c4852cdeae83289a64f47bf5b9150cb71978848557b788a531ed493d73994e03

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000\RyukReadMe.html

Filesize
627B

MD5
df03cf6cc49a3adb1c09c53702b7559f

SHA1
c7c0a9d6ab5b8cc8440a270858692440391d73d4

SHA256
7b8f414b945c36e17e485575214b4d7c7b5dc9b582a652995c09ab0fdf40a793

SHA512
13871e9da55156b184f9abb01a4ee89070416ad56201717bd23c8ec699d01e5fe737d14ce5807aff20498f01791e707c84199c24adb4f010538413076663f08e

Download Submit
memory/1668-28616-0x0000000030000000-0x00000000329DB000-memory.dmp

Filesize
41.9MB

Download
memory/1668-5609-0x0000000030000000-0x00000000329DB000-memory.dmp

Filesize
41.9MB

Download
memory/1668-13839-0x0000000030000000-0x00000000329DB000-memory.dmp

Filesize
41.9MB

Download
memory/1668-20017-0x0000000030000000-0x00000000329DB000-memory.dmp

Filesize
41.9MB

Download
memory/1668-23596-0x0000000030000000-0x00000000329DB000-memory.dmp

Filesize
41.9MB

Download
memory/1668-50040-0x0000000030000000-0x00000000329DB000-memory.dmp

Filesize
41.9MB

Download
memory/1668-4150-0x0000000000370000-0x0000000000470000-memory.dmp

Filesize
1024KB

Download
memory/1668-2-0x0000000030000000-0x0000000030170000-memory.dmp

Filesize
1.4MB

Download
memory/1668-12-0x0000000030000000-0x00000000329DB000-memory.dmp

Filesize
41.9MB

Download
memory/1668-1-0x0000000000370000-0x0000000000470000-memory.dmp

Filesize
1024KB

Download
memory/1668-5137-0x0000000030000000-0x0000000030170000-memory.dmp

Filesize
1.4MB

Download
memory/1668-50033-0x0000000030000000-0x00000000329DB000-memory.dmp

Filesize
41.9MB

Download
memory/1668-5554-0x0000000030000000-0x00000000329DB000-memory.dmp

Filesize
41.9MB

Download
memory/1668-50041-0x0000000030000000-0x0000000030170000-memory.dmp

Filesize
1.4MB

Download
memory/1668-50042-0x0000000000370000-0x0000000000470000-memory.dmp

Filesize
1024KB

Download
memory/1668-34567-0x0000000030000000-0x00000000329DB000-memory.dmp

Filesize
41.9MB

Download
memory/1668-39915-0x0000000030000000-0x00000000329DB000-memory.dmp

Filesize
41.9MB

Download
memory/1668-39919-0x0000000030000000-0x00000000329DB000-memory.dmp

Filesize
41.9MB

Download
memory/1668-39921-0x0000000030000000-0x00000000329DB000-memory.dmp

Filesize
41.9MB

Download
memory/1668-39923-0x0000000030000000-0x00000000329DB000-memory.dmp

Filesize
41.9MB

Download
memory/1668-50037-0x0000000030000000-0x00000000329DB000-memory.dmp

Filesize
41.9MB

Download
memory/1988-28617-0x0000000030000000-0x00000000329DB000-memory.dmp

Filesize
41.9MB

Download
memory/1988-39924-0x0000000030000000-0x00000000329DB000-memory.dmp

Filesize
41.9MB

Download
memory/1988-30340-0x000000000E560000-0x000000000E569000-memory.dmp

Filesize
36KB

Download
memory/1988-5607-0x0000000030000000-0x00000000329DB000-memory.dmp

Filesize
41.9MB

Download
memory/1988-23597-0x0000000030000000-0x00000000329DB000-memory.dmp

Filesize
41.9MB

Download