Malware Analysis Report

2024-10-23 18:37

Sample ID 220220-d3l2bsgcd8
Target a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622
SHA256 a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622
Tags: ryuk ransomware
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622

Threat Level: Known bad

The file a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622 was found to be: Known bad.

Malicious Activity Summary

ryuk ransomware

Ryuk

Suspicious use of NtCreateProcessExOtherParentProcess

Checks computer location settings

Drops desktop.ini file(s)

Enumerates physical storage devices

Program crash

Enumerates system info in registry

Modifies registry class

Runs net.exe

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-02-20 03:32

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2022-02-20 03:32
Reported: 2022-02-20 03:48
Platform: win10v2004-en-20220112
Max time kernel: 190s
Max time network: 194s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

Ryuk

ransomware ryuk

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Documents and Settings\Admin\3D Objects\desktop.ini C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A

Modifies registry class


Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe N/A
N/A N/A C:\Windows\system32\sihost.exe N/A
N/A N/A C:\Windows\system32\WerFault.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3472 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe C:\Windows\system32\sihost.exe
PID 3472 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe C:\Windows\system32\svchost.exe
PID 3472 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe C:\Windows\system32\taskhostw.exe
PID 3472 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe C:\Windows\system32\svchost.exe
PID 3472 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe C:\Windows\system32\DllHost.exe
PID 3472 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3472 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe C:\Windows\System32\RuntimeBroker.exe
PID 3472 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3472 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe C:\Windows\System32\RuntimeBroker.exe
PID 3472 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe C:\Windows\System32\RuntimeBroker.exe
PID 3472 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe C:\Windows\System32\RuntimeBroker.exe
PID 3472 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe C:\Windows\system32\BackgroundTransferHost.exe
PID 2740 wrote to memory of 4808 N/A C:\Windows\system32\DllHost.exe C:\Windows\system32\WerFault.exe
PID 2224 wrote to memory of 2480 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2224 wrote to memory of 2496 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 3472 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe C:\Windows\System32\net.exe
PID 3472 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe C:\Windows\System32\net.exe
PID 3024 wrote to memory of 3892 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2480 wrote to memory of 3516 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1424 wrote to memory of 3444 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2496 wrote to memory of 2220 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 3472 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe C:\Windows\System32\net.exe
PID 3472 wrote to memory of 5132 N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe C:\Windows\System32\net.exe
PID 4980 wrote to memory of 5252 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5132 wrote to memory of 5260 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5232 wrote to memory of 2916 N/A C:\Windows\system32\WerFault.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 5372 wrote to memory of 1720 N/A C:\Windows\system32\WerFault.exe C:\Windows\system32\BackgroundTransferHost.exe
PID 2224 wrote to memory of 5648 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 5648 wrote to memory of 5708 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2224 wrote to memory of 5728 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 5728 wrote to memory of 5780 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 3472 wrote to memory of 6020 N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe C:\Windows\System32\net.exe
PID 3472 wrote to memory of 6028 N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe C:\Windows\System32\net.exe
PID 6028 wrote to memory of 6104 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 6020 wrote to memory of 6116 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 3472 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe C:\Windows\System32\net.exe
PID 3472 wrote to memory of 5124 N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe C:\Windows\System32\net.exe
PID 5124 wrote to memory of 3900 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 3784 wrote to memory of 4552 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe

Processes

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe

"C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2740 -s 1004

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 480 -p 2916 -ip 2916

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 420 -p 1720 -ip 1720

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2916 -s 2804

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1720 -s 1264

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

Network

Country | Destination | Domain | Proto
US | 72.21.91.29:80 | | tcp
NL | 92.123.77.73:80 | | tcp
US | 93.184.221.240:80 | | tcp
US | 204.79.197.200:443 | | tcp

Files

memory/2224-130-0x00007FF7496B0000-0x00007FF74998C000-memory.dmp

memory/2244-131-0x00007FF7496B0000-0x00007FF74998C000-memory.dmp

memory/3496-132-0x00007FF7496B0000-0x00007FF74998C000-memory.dmp

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2

MD5 93a5aadeec082ffc1bca5aa27af70f52
SHA1 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256 a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SHA512 df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

C:\Documents and Settings\Admin\3D Objects\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.html


C:\Documents and Settings\Admin\3D Objects\desktop.ini.RYK

MD5 1b7deacafd6d553beda85d5ca192dcda
SHA1 7f5cc602f7f8eb5439a452377d070f30d3ff2bf1
SHA256 a3cb6bebbc1243a61e09ddb8659af73fbb7960edc203000199971aa073f3947a
SHA512 87a098481a61529c0e1bd086fc2df63f37054b99df2deab4c54b87efdad3da0f2512a1fcda4367efd3b93c7651e0928ff23f0007fd7b0bc84f8e5f8290ed54b7

C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html


C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html


C:\Documents and Settings\Admin\AppData\RyukReadMe.html


C:\Documents and Settings\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK

MD5 b6ed168733f05b4cd80ea6e8a6756a9d
SHA1 3a12afa7167e1ea367eec2b4689e41e22da69185
SHA256 1509ae2ea9e4a8cd9149db51034c81307cde7dfd46aa18591df3aa5efb82ef53
SHA512 442dee4c763e605a9f7e6261e9f3cd043487cba739b4314a3ac66b8ec1006c1920c45a2e86eb9cd41dace31e819b6421d05b010d42d438152945e17485671dd2

C:\Documents and Settings\Admin\.oracle_jre_usage\RyukReadMe.html


C:\Documents and Settings\Admin\RyukReadMe.html


C:\Documents and Settings\RyukReadMe.html


C:\RyukReadMe.html


C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html


C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html


C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

MD5 2cb75afcf9f00fa14120704f5d6311b7
SHA1 a40bb7678cb985f6b88fc23f18549028b037d7b6
SHA256 6c48115d000e4b697a1b5ee201b8398fa05c5c144b74b397fa7c10dea7faf1d6
SHA512 80ca64f28f5a0a45475493713984e91ace0b6d7b969c4c5c0ba55438f05ad963e3cad8e9d79859f57c9be0252f5e18f710fc698b03ac24aafab9976b34e7bbfb

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK

MD5 c5b0e3f3fd3a2880b24a52f79630da7b
SHA1 99777e33d3333ade87a12e14d9dd98c68fca6584
SHA256 268d20d5b17233c54375ec9995e05fd5604feb45076b25a9c4215d16130bb4d4
SHA512 558990b3b0d0f781f949cc3228dc863fba1c237ed9391abdbcaf02b354df130562689b1a4261ffc04a9b23670a9ba335baf3f704f59d8f38960d35dbb25b4c57

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

MD5 0a28785f4cef5fb18a53d9fe87600417
SHA1 da37d6cb208798af4541cc4fe3a5cc00f6e85a34
SHA256 b6807bb19e409bfaf510a1258fcb8790b1e9f3cfcf15c10b7b2d814c60224610
SHA512 3341656dbd15d22ecf6605d2f5701a30c74b0e5fa1dd1c444f456533b6d97d1461e5e7125ddc196c79ab654209401c71bd7d39d258a820d83ac7e25b1f0de224

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK

MD5 fc22ec035825d0bd7600dd39a996334f
SHA1 74cb8e4d96184956a46eb469de198f72204a6293
SHA256 a718b388d708b07b6c8874b1c86b00cb1375550367289f239b0353dea453fd34
SHA512 a9f10b0c59e870a1b38113d46aa9c676e637f93a75fd3e55c4797f64a7d1c4fbcd8a55810af641e7064df449682106d07e1e76bbcf43aca2fe31e49dd20f1edb

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK

MD5 b5a3d196612e2400f1d428cd57613e6a
SHA1 e4e28ac0f5dcaff154165979b56ce833edb854b4
SHA256 48fe5f4b54343c35323800f08e1e1e859b18f01ec16be03a404d1999093668ea
SHA512 f261657f6c97d819d7ad01945814ba9b55d18373ac45a4d974259a2904e9883bde48cb695b981271b2e70ece9c78280f983227854b4cdc9aec6c66c2abc8f635

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jcp

MD5 85f1c0efa79222a4f72505b47385a11a
SHA1 b7e14e7a07b9728273aa90f17b9ef76db72e0437
SHA256 78711837d132cd997b2efb1485a7856f16fcb23c635e84de506edd4c34baf4c7
SHA512 9e765ba4701b146c311929a491cce121d5be596408fcd9a059fb66d1a12773298f8aad1c9c8b30a66576220e1291a4ad669058a0b78c5ef99fc2d81e0495c3eb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm

MD5 9198c7b56355fcbb2070d31d2dd4af15
SHA1 cbb004c4171fa0df536203590f61053f22e25edf
SHA256 784ed6721ea059b2458addeaba18b4ec62a80e14464f5ac74297db4619c4a7e9
SHA512 cbe0b3b8544501142015231411ff86af53e14f0a9168484031bc7edb95c666180a73480ddd169054ee59083484e332cba2c908c72504481d28d764ebda4b0086

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx

MD5 411c0dc168d7cc4ed7198b256b8aa933
SHA1 1499c72ae12bbc622081332d19c962b7be6cb88a
SHA256 72798e13fc164e68637d9a82b0a4ad50a942ffb73a3741b55358f02dae25c671
SHA512 c15d73eadab856e255ce3a4c3f081720a92b5ed2c608092bd947bdfa5f306a54fa09288b3776cd72656c4ee4ba61cbefc7104f5f34f2364c271df92b355c4f46

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol

MD5 6d808f951b802d46c3361ee1203e0706
SHA1 5689b23fb711bd66d8c87afeeedf36f4528c816d
SHA256 a40ded1a2d6aff65fbbc6ced8b728cb8aded0040274d7e56f268647be979d718
SHA512 49ab3819da28e8be3fdcac3c449ffe27cf6348fcb3ea808e8a3aba838c4cdecccc1e37f1065a0be006e892fb8052503258d60ec5b0752e84894c03100804abd3

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\aria-debug-2324.log

MD5 b07476c878ed01d6d57c7e9c6682049f
SHA1 251e06b9f6902977b298559ff8b5f50f3993643b
SHA256 d5e8aaf0a1af5a4a5d516fd38d8b6b1c3dbbc122c0f28af23274dd1d88aef813
SHA512 42b355090993791bdd85e88347d713974fe31e1928955057fb91f83faa83e473430e5dc40b7678cb763b7875eda1a330512a6702bf5e41dfc8a11cee0082c436

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\temp\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log

MD5 4cbffb796b64d018dcbad715a7eae1a7
SHA1 4cd2a7d24fa6cfdf53925098e042615cea403c4c
SHA256 9823e95f6db826977f2534e8bfca89d83aa0aad955aa7ca8c0fe1faada189cd8
SHA512 13bc4a089019949bdda77f2c77c1f56d4ffba86ef9f5133a0e41f6cb94a45dd27306013e673c42f14b623f48faaa13c2abe6a84d3b293123c90d4b224dd41b0b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46E0.txt

MD5 a34207a8c5c25a0ee9fbfb3bb205a052
SHA1 656d6e9f1eed36eca08d2480344ea7d89bbb49b4
SHA256 35da6ec4ecc91abc782be86340dc6c75545d827ed0a0202bea45e9184a0b7ef9
SHA512 5de818343aa068366f3b259517e2d46f2f235b867f0ed28d6bab408f26a58b0824e85240be1256e0bba566d8362f1df2a92f66c6cfaa7b232b0b9c6f9b7cccf3

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46A8.txt

MD5 5996360ee760280ad864c889fe5168d2
SHA1 473fbbc77d57d200e00a3bd962380c14442423e5
SHA256 e6348816340509705f5a226a685badea8b6ae5d2200a7ca468cc4d894ab19b9e
SHA512 86a8022b292c919a6feafe87c59c9b83cf3b7eb6378b43dd5190a39986e185dc4ae680d20f4061fe9cb57a4371d60a7c2b40781404d5f5a5206fb7a3cfe64411

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\AdobeSFX.log

MD5 b8c67169480b15e8022e6afd638bbf30
SHA1 9fc0a5c29ab9c7763a3b119ef33fcba4302c892e
SHA256 4588776fcb835691133a541200b0530ebe30f81e3ad89c0b6fc0b87d87bee5f6
SHA512 33236b36e15248fb44f932f171a5c5cbbf754d1977dd9909705a86e8f5368d1e5f14d3b5862bb67041a3289b64b8ba86837f7fc93899b29c67a343b44b478a27

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK

MD5 3d3fd9dba833a366c3f7f18c5c1869f8
SHA1 b6e8feff778a59bf48ca23cd22f3fa76dba7f8e6
SHA256 faa474a5059f9acf0734a00c3e9eec1b617f8c2551697f24d9eaa1e38fcd602e
SHA512 2bd1ca9782c6bb02a89495cbe95173fc1796409f031a8e20ed8d0e266d93759dd4ef721b5d9d8848b7b28666e7c000933303f27494ac1fb5e9db3194fa2396fd

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00002.jrs

MD5 0f456abef8a526f3320cc821736116fd
SHA1 9396f263c858a0bb7aea0d407990b3416c248f73
SHA256 a17d762cd21d8e9f5279ecdd119981d2dc88ec6e1afb2584dd9d3634dc038126
SHA512 64b5d7828931346a26aadbd84be5199c9925b43163e78ef9da48654f43c468de53af1eb59a1ffe7b8f52178feb6084cf26a474b6f496b055c0071cb55501a29d

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\offline

MD5 e1dee09a89f28ec3a8b914312d6480fe
SHA1 4e40159367f6af6dc686940eb4396ab04b9db8f4
SHA256 49d7d34770b840cb8be73cf4069bf8a40186aefe908defd27a365a137f017805
SHA512 9d7c6e39e0c7df7dd6e5bd1687b1364514dd6b77d102884ece81ef92769914996698649c36f477158979a41fe7b37342ebb82d8daea1f0bcdba5ad7b66972581

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00002.jrs

MD5 0f456abef8a526f3320cc821736116fd
SHA1 9396f263c858a0bb7aea0d407990b3416c248f73
SHA256 a17d762cd21d8e9f5279ecdd119981d2dc88ec6e1afb2584dd9d3634dc038126
SHA512 64b5d7828931346a26aadbd84be5199c9925b43163e78ef9da48654f43c468de53af1eb59a1ffe7b8f52178feb6084cf26a474b6f496b055c0071cb55501a29d

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct530C.tmp

MD5 d794d1783cd83e71da90582b4f5eaf18
SHA1 8a26584d69ea8aca817fa7189d3b58ad2415367d
SHA256 24ec014aec1a9c117a9c33fc17600f5112a7911a424d13d922d43acb09aec4bc
SHA512 c0ee78070bd91287c304159f7780f3e066f0625a17b3d3d74ad4e44af95884f433e3c64bd3f32ef76564a8d1b83f281dd58266e13704f1ba98c72579c4cb798c

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log

MD5 764c5a111d5520ac280eff05901bee23
SHA1 89c488002b4e3ca53fb423b63e183abe29bfbef6
SHA256 38fec6d2024aa04494afa33362c2158396535874289b60b3c799f6f741be1d43
SHA512 a188dea5b796aeca602b93eb272e01215e59d1afd85203ec7a01bdf2dfcc9d49e44ce0a06bca5e5aba57f28a6c7048b41cf4e2ef61a22081535f6661a16d5140

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\offline.session64

MD5 c4bc25e91857334019d8a450a8cfc302
SHA1 af53706ef85de6ed890a1352932197f8ce245447
SHA256 aee922ac5a61047bc65dffe3a51c75b5d5438d426aeee6df608f5f8ec69310b7
SHA512 2cf23cec32702bd03b40e72a3fcc4337fe581c3e07c08e39ac715328614d99b6ec73190006da19c11a2b4bf2be620daaf506d28c2ac55dfa9c4ad499c12e83d8

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\msedge_installer.log

MD5 29c338a6621a9f8613da0fa0ead5c8b2
SHA1 ff69a4e3bb65f9bd0561fc4b090b8dd71c1d5f17
SHA256 8327b850437a48f8ec57908dc210ef605106e85be9d8e081b04f864f0bb135ee
SHA512 6669e691fe1284ce954a389a8664da977a57882068155e8eac19acaa64f42b3462585eade5cd77b8e480bce4186dcb25ff82bb6da5090eed9ae2e46bdcbee413

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wctCE8B.tmp

MD5 e9b55b291283316801b7743727462a63
SHA1 642742320be65b1e66ae1d312fdddc3393952851
SHA256 5f16852eedcc10e3578fc50514ef61eb6df88ff6b2a455c8b720b7c47e353300
SHA512 6be8e470c582eaaa444e4484b63ec6f2d105890d6c6a9d96e574fbdb6e69d434468dbac3521f6ae771961b6ac33cee2bd9ca72f312f7bf2dc2b47552b679fb17

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct2BC9.tmp

MD5 40d8da44f9686f783ea47fbd9471fe61
SHA1 03bc0930cbb3de32ebe3639485eba0efc3f5dd24
SHA256 c130f3035ade7b7b14afd3d6303251d2730fab3e3e3926b27edac57973a27f5a
SHA512 27def5d9f50223deeca62fcb17421abaa86e9e086798ba37caef3212034b766ce34ab29405129b02e848c32a682cae9f8611906b05f6ed6c368c0149a1a805df

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wctE22A.tmp

MD5 bdcb2d8986304791e3d2d0b97931c959
SHA1 72375f8cfc6835c6aab83bf864f6b78dc2130391
SHA256 f489095a0309d99ab6a0af134b2832733130b5ed98939aff0196a5f6aa3d8085
SHA512 8cd2892c3513b2093deea55ef975e651f7269fc1eb1f6407a8d761277f758b527de28e4b98f3025d7b79555003a941310f68664498ae61abfaf766b1ec4e55f1

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct2D5A.tmp

MD5 d9976d93c95276417007f8292fef27c2
SHA1 dec1ada0f0cb9a8870224f0a92f44be5a18111b8
SHA256 63a9ef792c2db16c58c2faac355b1e7b815a7d3c2e7ffafe97f3067bee44d5a8
SHA512 3ed8d8d46722fbe6cfe74c72e33d10b30b24b83d8cd95e2be026af58119f4e49fd8ce358873205fb9707f87dbb4f247c9d198d02554b4af4dea31f437e79c23f

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\L.Admin.cdp

MD5 6e0f5c4bf287a659191ae0b3f5b455ae
SHA1 fb6ebf0207d0a002edcc3be0b593d00797b862eb
SHA256 1f4edc0fcb36d225115c3f5a7d98ad508898dd87cd480b5ad0c736ffc8e25a6b
SHA512 d97d466e7953ca0710cc800e52c133e8f2929d8c3625470fb79fe595737e92ca5a3580b935972b3958c06c3f2139065f0bd42cfe2c1548f3786fb1d232ab2849

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\History.IE5\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tmp3384.tmp

MD5 1ac36f00b6561049bec5091b0212cd70
SHA1 11042eb58f9d1a9b7c82f079ec6b79eee6c93d11
SHA256 72f9669cffa4db72466af3f429b177a15c46444cdf1b5f16445816bea8f225ba
SHA512 6156cbbeac3411a6b32faa9b0e77b47fa66b9174c016839d506c1eaa4af44e2a6ce6361ddd31a656588ea1795911ad17b4d103bc70e880ff6cb1d2e4a57e2cd7

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tmp3097.tmp

MD5 364ec7e90186ee63dd777c688c1ec11c
SHA1 44a18a7d57d675f2d966fb316f6cc01c79f28da2
SHA256 19e85a5794ba47ebc475d399b58dc17a28df5fe877445faf84ebf67f4f5aaafa
SHA512 5bf40e5e4e4969aefd31c7245ca3bc7388353d6dd05fcea613ff0e8616fc1018880068c48e70fff9be3c8e309eea318ad7dbd756b2193c15ede37f0b0a05e872

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wctEFCE.tmp

MD5 4c2e36eab6d18fea006dac4629fe89a7
SHA1 7b8cdc31f6232f0572600f2b2110aee83cb6ab98
SHA256 67ca2c2792d3bb9599a5b6d8c03c5ba50e2262ce4408d85098f5fccc77f4507e
SHA512 ab856e8fe4e76c63502f7d6a651aa31a796b0518811bfa6b3a0bcc467abdf9573212a78eddfa5dce11c56c32ed7230a6d721789e4e01a040384db9430d39018b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\DO775D.tmp

MD5 2a7ba2b3b117d8170faf97c70295c8f2
SHA1 80cce8909e01955bfcffeee4295336dd2adbc6b2
SHA256 42ee8edb79896f36c78f51d4283439c1b1e5fe17890196e9a064e11b5ac66ab2
SHA512 bda50f92fe8c2863f6a457d79518b685910bd930d94f4e381e85b121eeb57d820b046fee65cfd2b0c92820d86d094141ced4a1ac0bdee05e57bd586b21ad1b75

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-20 03:32

Reported

2022-02-20 03:48

Platform

win7-en-20211208

Max time kernel

167s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe"

Signatures

Ryuk

ransomware ryuk

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\taskhost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1548 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe C:\Windows\system32\taskhost.exe
PID 1548 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe C:\Windows\system32\Dwm.exe
PID 1548 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe C:\Windows\System32\net.exe
PID 1548 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe C:\Windows\System32\net.exe
PID 648 wrote to memory of 972 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 848 wrote to memory of 1676 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1172 wrote to memory of 716 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 716 wrote to memory of 960 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1172 wrote to memory of 1568 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1568 wrote to memory of 1540 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1548 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe C:\Windows\System32\net.exe
PID 1480 wrote to memory of 1228 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1548 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe C:\Windows\System32\net.exe
PID 5012 wrote to memory of 5036 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1172 wrote to memory of 5232 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 5232 wrote to memory of 5260 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1548 wrote to memory of 5268 N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe C:\Windows\System32\net.exe
PID 5268 wrote to memory of 5296 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1548 wrote to memory of 16756 N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe C:\Windows\System32\net.exe
PID 16756 wrote to memory of 16780 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1172 wrote to memory of 16796 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1548 wrote to memory of 16824 N/A C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe C:\Windows\System32\net.exe
PID 16796 wrote to memory of 16840 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe

"C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

Network

N/A

Files

memory/1548-55-0x000007FEFB5B1000-0x000007FEFB5B3000-memory.dmp

memory/1172-56-0x000000013FA60000-0x000000013FD3C000-memory.dmp

memory/1172-57-0x000000013FA60000-0x000000013FD3C000-memory.dmp

memory/1308-59-0x000000013FA60000-0x000000013FD3C000-memory.dmp

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a


C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html


C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.html


C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html


C:\Documents and Settings\Admin\AppData\RyukReadMe.html


C:\Documents and Settings\Admin\RyukReadMe.html


C:\Documents and Settings\RyukReadMe.html


C:\RyukReadMe.html


C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html


C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Acrobat\9.0\Cache\RyukReadMe.html


C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html


C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html


C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst


C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Adobe\Color\ACECache10.lst


C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Color\Profiles\wscRGB.icc


C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html


C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html


C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini


C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db


C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.html


C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.html


C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00001.log


C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI1E30.txt


C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.html


C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_SetupUtility.txt


C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log


C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00000.log


C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGIFCB7.tmp-tmp


C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.html


C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.html


C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini.RYK


C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log


C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log


C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.html


C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.html


C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini

MD5 7d4fe55f1b6a369129a3c2f0b4d7790e
SHA1 6bc316c8e111f8e3ba70caca21db1207bd30bf2f
SHA256 e1c6dd7c0649a025ac2faf69de89e8e1e8769ca15ba3b0524245e083174928f6
SHA512 4c95427eb33850fe0f2ab6cb145a8b718a1417cb5f4c4cf35b24323942433f921fc58904dbdf988ea964ae05b563deb27ce99db3b9bd0ad34be30de5abe4eb1f

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini

MD5 c654cdff7830003a76cedeeeb6888d59
SHA1 c2e8914e01915b74156e8dcf9ee82fc7a5f6b0dc
SHA256 fb946aa16d0ed892f201b508b2ff51c10b78523ce3ce458acbc57f875956bf06
SHA512 248983fc727fa5955f4a4fc8a30026adbce91f30f977f805bf2a520698b677d69cf6a325a3f4bc8b3d46cbcda3ebdc7ac95e328e8f0bfc2412abe4b3095bcee6

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini

MD5 4b50ee25323a5219c498026b2e7ded41
SHA1 78b6e84285413123d12655afce1ee0be6905af33
SHA256 9a804096ebc5bcf18a4167725f3e9c14f23214c90a341c4d3bcb1bc4a3af6a24
SHA512 7da2885416024b6a9ec72d87bf2c37b2b269c3a0a6ac8d945df5324330afdcfdcf3041ff99b3956ebcf39a84fc50b48758399e084d59aa1ad9e4700ac54dee2b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini

MD5 ad8ebe2bf4dd3ccac9d56db9fd90f390
SHA1 accc23103f1aa26ac753b999c3c8a7faa8066234
SHA256 af9ddadf5803d16e5fb4e63c133181f6fc6a7b2cbf78494b07054b957fbdd24d
SHA512 2bb88dd794f441d7355c6e3ace2a421001a82d7fde7ba1b44398b8394514e810cc8dc87017af233519c7e70f5026ef65a8ffd028923adb61280a0ba85eaa5c80

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.html

MD5 99065eb0c3dabc9af340686a9ef1ec2c
SHA1 126a0381874b292b7c64e6a9775522d18bc00ce0
SHA256 d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb
SHA512 589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00002.jrs

MD5 e6c9c2f9fa55430d972d076aba19380d
SHA1 3be7841c71d616b349cde9b22dceacd54aaea931
SHA256 b14748dd79441e96974d0c84e10f7bdd36a8525158ec8737911eecebb8075b92
SHA512 c9c286689065944fdaf94a928e2964994300de4211e48ac1ad2d0aa850a59166caf2369364bfab1c25f2dc5021b23e6f683abcc9d4d6e03e7cf93cf594312add

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.log

MD5 79774e4a971bda80f142bb79cc69bbc1
SHA1 7d83d36b23d06badd9676e004c7cbefd469422c7
SHA256 63079188633d88c7a4d232ad917dcd10c3ae110b59cbd986ae453b964b9457f5
SHA512 06e0e7550a7d36982fc3fec2e7920cd215fc44f90e760c9931c2d890ac28e86f067d4f5b7aa15c288547df3adb21697b90e11e78a92af8479968b2332ec35fb4

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00001.jrs

MD5 ee5d0c8e1a7e15dbe5b7c77822c1af56
SHA1 4943d9b20cda2a8d521077ba9090440e741c6b0b
SHA256 185879f3abb2822fbb72c5c3db966b4c0069ded26186b55774a4af4a0c0fbfd6
SHA512 e1c7a849ce3bcf3139793b94e0afc29aa0b0bec96802b19414faabc6ef7b0ab3f401f4f3b81168a2ac9924aeffc3dda6b09345c578b6583a8b6367af529dc1bb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Monet.jpg

MD5 126cbb81bf4034052eac10e6bdf29e3c
SHA1 c4ca6574611092f18ef1e2c17c7bd80936a6b195
SHA256 e1b1572d6abd09958cd2aa63ad894eecfea7f5fe73894332aa850bbce7af350f
SHA512 567081e2b63942e647c3f4021cffb9d5511ab13b2d12f82103c5655512d086f9664e45cd594d0c16fb0655162507f2f1358a00936f8fe49c44e8eb183a578bff

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.htm

MD5 d43bcad08acb83f9beca747adc3e0e9c
SHA1 4c0dbec64de95bcc76c0044da2c110a442dd1c99
SHA256 ef477065d261cd39b6568a8394c9cdadea402df20540ae31d56c8a5694e0ba5d
SHA512 459236a341ed76adea1a381c3bf982fbac72544f36401780aac314fd75e82a52a8d297981c8aee3f177ce18c891f54b4389b2705e91d5fb2afd9cb4791603a58

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Graph.emf

MD5 143f009777ca7a62e75c87bdf761c24f
SHA1 736b2de7861ad8605eab306a89c7d640d965af01
SHA256 e3fe4aeb8f05b8bac335000c6fcb47b15d15b7e4df96328ceba49a0d5fa25ee7
SHA512 4e4d9bf2e3403988fcd464b971d8786d513b5fa3842c6f8f11851bb692cb3d5b36c2de19e544bcf152885629ae5543f68839a23c1f231c9c2f14a1f7b29c3dee

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb00001.log

MD5 c68c953ae9d004abe99ee9e33a7b3bc0
SHA1 6dd0bf56551d314317d71d84b863711ee214694c
SHA256 4db0257584b65c86181797ead963af6bae4b19e872c3646915de34c10a287b74
SHA512 887bfca68303f587a331c76f3b47d7588696298a89bb0e64dd18531c3e294ec323410c3d248ab988b1c36060cd777b59a8249a27d7222850828306b69635445d

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Stars.htm

MD5 ffeeca3b7d7f5c96245b3b2964140acd
SHA1 6cfece00fd90635067f62e3d1a9e673f6a929e6c
SHA256 8dc93b5b87260d35f9877a8813b9ed5568a17f55654a3c40f7a0bb9fdb22f0b4
SHA512 d7c773f88f7e594ccdb3c737ac2f18577a06ff256994ac7a5ccf68d7b6dc74e8bd3c316c69ca1d26ba705e4d2dbaa8964cbeec977f91ccd7b84b838bd0c71025