Malware Analysis Report

2024-10-23 18:37

Sample ID 220220-e5z7eagga2
Target 9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd
SHA256 9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd
Tags ryuk ransomware
Score 10/10

Analysis Overview

Score 10/10

SHA256 9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd

Threat Level: Known bad

The file 9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd was found to be: Known bad.

Malicious Activity Summary

ryuk ransomware

Ryuk

Suspicious use of NtCreateProcessExOtherParentProcess

Checks computer location settings

Drops desktop.ini file(s)

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Runs net.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-02-20 04:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-02-20 04:32
Reported 2022-02-20 04:53
Platform win7-en-20211208
Max time kernel 166s
Max time network 144s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

Ryuk

ransomware ryuk

Drops desktop.ini file(s)

Enumerates physical storage devices

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\taskhost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\system32\taskhost.exe
PID 1724 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\system32\Dwm.exe
PID 1724 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\System32\net.exe
PID 1724 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\System32\net.exe
PID 1300 wrote to memory of 1832 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1252 wrote to memory of 764 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1724 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\System32\net.exe
PID 1148 wrote to memory of 820 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1256 wrote to memory of 1696 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1724 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\System32\net.exe
PID 1696 wrote to memory of 2456 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1256 wrote to memory of 2524 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1464 wrote to memory of 2516 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1724 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\System32\net.exe
PID 2524 wrote to memory of 2856 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2780 wrote to memory of 3056 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1724 wrote to memory of 30584 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\System32\net.exe
PID 30584 wrote to memory of 30608 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1256 wrote to memory of 30624 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 30624 wrote to memory of 30648 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1724 wrote to memory of 30660 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\System32\net.exe
PID 30660 wrote to memory of 30684 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1724 wrote to memory of 30592 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\System32\net.exe

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe

"C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe"

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding

Network

N/A

Files

memory/1256-54-0x000000013F9B0000-0x000000013FD46000-memory.dmp

memory/1724-55-0x000007FEFC521000-0x000007FEFC523000-memory.dmp

memory/1256-56-0x000000013F9B0000-0x000000013FD46000-memory.dmp

memory/1332-58-0x000000013F9B0000-0x000000013FD46000-memory.dmp

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e

MD5 93a5aadeec082ffc1bca5aa27af70f52
SHA1 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256 a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SHA512 df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Adobe\Acrobat\9.0\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK

MD5 29156094f85be8f29e3e012374a579bf
SHA1 9c63fa7475514c271b12da2687fb4b998883283a
SHA256 86113b44c86908ac39f1e40066bd52ac3a4fe85788993f1f1d3e6d68118236a9
SHA512 fea25beb267a9aa631f3a1d0b9ebc818893db312bcdd7fc53fc2c1fefb4bbdc242ae98f4cf8d37df1d676924df33df52f0f4b200fa5d18db87235c71723afa0a

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

MD5 e527fa5229fc226e9dc3e4337495c08c
SHA1 c344905bb5ef529f4abf7b9682e05e7a5f0960fb
SHA256 65f326e7f23a3a9967f7bbe30bb1f948096379ad7e9d2864397a1633b9e530c2
SHA512 7b4bc7827c59248fbe062ba22025adb1740d93e0485b84397274fb885712fcea517c111bc731f44ccdbc0f635c48b6694e5d26f9dd09a3d7c090818fcde505df

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00001.log

MD5 1dc2c6f06f3506ffef5dd68428a35153
SHA1 466433bc9b35214a06f4bc5e3f9ee0770ae7d7b1
SHA256 e2bf06d6e3296def325bbff4ecfb4b2f680d63733a16fc60fc0f8a70791661b7
SHA512 12603311300fe8c19e062079c48cba845d04c6898c155b5d06466845436bb61eeb15b083424221597df7621fbd88d86c6087d50353b42bf9e8769a5dbf99f2c0

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\WPDNSE\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log.RYK

MD5 8324c9afffcd13b147d37f1e350cd981
SHA1 da88f97a58dc923e3d84ae4a6f6e8db1421e4fe0
SHA256 3c4b0da4d8ebac27f57b70ba7213ae5cb070e3e842b8050db2da53d4a35e1995
SHA512 468f18138f8193f5272823a1e4b7cec4d226f0ab49836c074ca6b2f4a20f7394616a5234bf6ed9d4c16a8a39603b82e5b6240433db8d1ae4ba2969d7e49c2502

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install.log

MD5 39e51bf5c93ad526d6ea3f68b1e07892
SHA1 85c4a6e331681f0d77f63e2e24831dd3e1bf61c8
SHA256 4f603dcfc65be716e7b858b605c9fdf757d3f90c55fa068f6ef3a8c20210e54e
SHA512 3356ce9e5e00b86c5ab0028fc96a89f0e77d7063e62a1ac4b3fe32ddd6a70c803d47a7b20ec868289376d1d3c0d6e7915db34924f4df442a5b1d2f53eb222933

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI37AD.txt

MD5 2054e50972686cbcd61d43531ec394be
SHA1 400ddea8064657971d4fb136a5bb642325fd0831
SHA256 58076f3a9630ebb58fb8b4000802cf583071fe775c33942e480757e049d4ba80
SHA512 7d2a018bf4fb855025f0ef0a0fb2bf5de640db95dc00e1a13cbf6320d934b5abd1ab2379655e426fa5442375bf9dca7914e39e3e5d417849fb527c9d573d5ba0

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\User\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini

MD5 b27eee601e2eabe12a03486ff908adf8
SHA1 10f1d2ccbecdc81acab45a6b24686a2fa8949ae1
SHA256 0266022bd04cb2a3d0d78f545d17ca0578324be894c1105a0cc713b50945075e
SHA512 e73137a2e773b4bcd425d18dbc5f68cde254bbe198e9bf93f691deb987292f41f75a2e05b6cf5244ccd7940a70d998430d1a7f2eaeae15da387aaaf1d0ed32c6

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms

MD5 2cf42bf7a5f9a969149dc7f32e5d19f8
SHA1 09e05110b89d77aaa4d375d78bd3b5cc140cb461
SHA256 f18fb235a9662ab8640b523777bde86eae80a7c31dfe1379615c404ba738caad
SHA512 4948c7fca5be17de2f5faceedfabb810025286d5c23cc3d7a41a5436a98532f375a8057759570b397481873d1a55fef2688a9ae668f032f842519bf5c059f65e

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini

MD5 eab9b6a7f7236088235d76c40766e066
SHA1 763fc3437d21f01d10a139f4e26b14b003f2a1d1
SHA256 ae8f4a1cfd471d075239e800c2bf6db848d46768821afb2d6ffed7691fc82b59
SHA512 ecbfd0ebaaa5ed2b115019e6c2d432b9c5b033836508950d54ba1316cc3da716097730c65731f96b74b5597970ad1090e07c1bd9acc0afe0c5d3a335ffdc81cc

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini

MD5 a526a058cd0a156161f3da2e0efc59b9
SHA1 2e8baead21c9bbc0c60276b4ba5fb75be9f1336e
SHA256 3b483db24e3b4c8b95f883774215b9b5a5bed9cd918cde2ba6d3726bd0bb2b9e
SHA512 30b15fff4da19f8433b9e7d8cf788fe51f4b460d9b013d334365474db3e4428afea659cbb2f6c408001e1ebb084f1f39775f73206e352daf2d47fcbba76edfc3

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Stars.htm

MD5 56c0437e09ef79bfc957e190b5d41a9a
SHA1 1f31fbc80508dfaa6e756f2536a0d06745c896db
SHA256 0792e731080a84b38a644ef30a092c8fdbf71f2428e628c714f15107ac36cc59
SHA512 e54c04f68c5d61e912f57f2982cd3e1e9ac06606d24ddd5b9291841f4fe80943db1f94edfcb1a92badbcbd3a7aa35897d2ac10b179e5ba351b3ab19747eec068

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache10.lst

MD5 9de933d7466a488c3049c86c2fcd804c
SHA1 a3adf5fcb1167af00be9f8d2564bc0d6b6efa27d
SHA256 c120926ae917b708da11e3657829ae09da2e91c4de0cb31a3a6aa3d131d9026d
SHA512 c4d156841c646e465c0981cf499d74b8b25fee63d0f341ed22d2d065289797b82045949d9a78c270e176ee8b9a13d563e4bc12710cd42acaaeaa0ca1da785068

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini.RYK

MD5 3b14c9a52a38e60c14709d188495fc8e
SHA1 1e6ff593ada1df7734337cc70faef65d2b9e740b
SHA256 5bac855895c495ed5a324b480e5150a144d32cf41c1f036b36ed0c44699026c2
SHA512 d29f0b72e89df28e21adf4ed49edaca9c180874975febebde90be02bf148330fbb33a2ec8cb3fc27a8e4668226aae7df8ea045a4cd25ff81dbe91da534e9c7b4

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install_reg.log

MD5 0eb1a6016d9ef2ad47b99cc55aee77f1
SHA1 d00820439d248d0a964860ff02b845048ff78121
SHA256 8fa088d0d3d10d9ba6eb6025db7c5eb988811747d68994add8abccd7313156df
SHA512 c0631b9442a1b6a2286eedf2e38249456626f374555eb35c5bd965b26b99e89665f55568bc898e42e7ddade1458470df950e07c019007765112b1ec9920dd2ba

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Tiki.gif

MD5 03e605bd12babc181398e43c959d44f5
SHA1 a77fcdf7f9ae8f6c19d9cfec96127fcd133d90e8
SHA256 1d16e2e0594cbfdc6dfe026c00206ce1571fe6eff5bc021afac9d6abf77cf611
SHA512 f09aeb64419c5c3fe3cb1e3c62ee779e8d8bcd2b9009e23219cf50150dd2e1a70cef5558907f4ad248608a3c03be746f8e970abfb8aace792539c0077f2370be

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Stars.jpg

MD5 b537e833da182501caad57fb8b6e5db9
SHA1 654b93a778e562fb6248eb12e58b1f0b5f910f7b
SHA256 8630347af96ce57d73ad650fdb0deb410e60b6b482c7f98e7a176cebf94f25ca
SHA512 779005b5cc8bcbd88114cb1188a392f776cce3cb3c195c41bf2dc66583d6094cd42c65f9b07915955cdeaa31bb8feb39e2d170b8d1b36adf8bb9351fec1af803

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Adobe\Color\Profiles\wsRGB.icc

MD5 b4ce76f0bbff96cdf2d7f0b7e2582a1e
SHA1 ee6a58e16ee0e35683e495d58f336df0c362646b
SHA256 2f76e1c2f2fbfbe8aac25867d4b090d3656d94f5886b1a4536ff3f8f84026868
SHA512 15ff3ec96ec2f64612a3ad8abb7ec8ec8b1752bb7ccc289ff41cd1db50b2133748809fe3cabcd273dbcd037842364d79eb94b284b23917558532f53b0c1d867d

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Roses.jpg

MD5 b904627ca6b81a4025874183cf50c1f3
SHA1 64f517ac4763d4f6dc64e1a13d59e52f67831cdb
SHA256 99854d5fd50498cbccbcbc21d63a38dee4d7dfc4cbf6dcc17cb16fbeb80271e8
SHA512 51b37baad7816a5346c0d4c840bebb1879476d2b450c90c0f9dde9c6d5ace5b372d9d8d833592791f9e27998649682ca44d754388bb70c18a6d9c7481715025a

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_SetupUtility.txt

MD5 db0f284a53af52397a5e19b7d031623c
SHA1 408285f0578b41531d1f31a4f83a90c390bb29df
SHA256 6cba0f54f7c29c7a649537c0e9798c5c9190d64ccb95ad93f1e05e88f7aec16c
SHA512 8afe55fa89d2cd7c516926ec9848affbbaeefac0af5b86297dfc01d5d6f4eff2d84ed74f46b4ad5b771f9e18bb034671c37326f3f3ec02e1d08ec5b3e052921b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Memo.emf

MD5 44701cf0be243cc3f2eaa72f2730a6d0
SHA1 b8c78a2b8484042f7dcd04a3661b477080b2ed61
SHA256 3af240955a8144980da71996f100cb9a5ddd3133d9a125c6a0704776759b666b
SHA512 e6403537ac068c35818771fbffa64c04150354f9c671b3bc7c6c79bfe8ba4ad5c0586dfcbadb6ecb64e4d02a6732790de24aa33923c8d462c00d98f16f3cfbee

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.htm

MD5 d138fd89fe0697725d131b6acc32794e
SHA1 c58194774628573ed3cfdcda6fde6db4d76d4321
SHA256 663fc8b320cc4c7de25bb6efd5284b3ba08ad7d9af835bcd599fc2bfedf4eb3b
SHA512 b329fbbffb37d07d02cdb04e6616907fb399b06ef40bcec001762c85c9bb356aa3833b2e21ad69130ea3d99953891ea4cbcf1320b5afe42603b9c48ed1a11414

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini

MD5 6093b2fd19258f5b2c2eb47450068abd
SHA1 624bf3e275dbb923b972fe96fd675e935ec71c6b
SHA256 4335dfdd615e152a079e8433db5bb366d5daedaab59c7a37c43446148a7860f9
SHA512 e9068eb28c93d7b646abb5db901d8c92fba8b3a66cc78dc18c67d2ed1ca3ec52289517b8b5a5fbbb4cc02427b47325dee31159311696681b7002891adcae1805

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Music.emf

MD5 055d8c184d50f1825c65a66b65df7930
SHA1 f8b00ec9f0bb91bc28de4483163d1c5664cea4fe
SHA256 3aeccd525aece3b66cfca04a22c2641d5c9b5c628f4f5312e03377aaa5537b0c
SHA512 5feab88ea5f563de7557ae4712d38067e2d1525fafdeb34ca72bd69894a5c30bbc7dd08fb11b0e882aecf0d55131742c8adda4f0d230a39a7e7d9dc8be4a0bca

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log

MD5 abb3ad0bb65652677feb6e7ad1660a67
SHA1 78d29d8417c744a5e54d40f3b4e317d3eae1acda
SHA256 8949fc07b7ab97082570ff9b51ba1c155f9a51f96548dee9761e711ad8b9249c
SHA512 798f030ab097b2a02980090c5b0d1f2f8e3141f46f6d1e1fdf21add63fb89ab49c74409868d037ae1b1426e2d886a80727eca6dc1e53a705e40bc2563968e3a8

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Roses.htm

MD5 a06dc95ecce2d17b0b9f0e07eae9265e
SHA1 93db986337cbcf90c3e58b5be8b0cf4b6fde83ad
SHA256 7c95e19ddab882fd0d1ea4efbeead7fab70a35b500d6a733c354777800726956
SHA512 078a85f1c1ddf8191b9545b61086a5845dc12f214159708f89541b8a399403bb55a64755cfd787d79558543ac28a73ab2d991d3ed8da58d5510951d549e65b4d

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00000.log

MD5 6ecd7b0363210a82783e224beec2fb09
SHA1 64645dee21afc726f8fb25265ea6998b15a029e9
SHA256 d96d4217e7366148c93d6088b3f6ff1bfa713b9a13e7cdf0aa9850ebeba6bea8
SHA512 e4fdd4d09cb9938237452ca6b195dbbe4e5468206916819f0031244b5eccbc62d7e0c6c5e37aefb75e892036a4809540bd5e142ad2fff602961b58e137e67558

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-20 04:32

Reported

2022-02-20 04:53

Platform

win10v2004-en-20220112

Max time kernel

196s

Max time network

193s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

Ryuk

ransomware ryuk

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Documents and Settings\Admin\3D Objects\desktop.ini C:\Windows\system32\sihost.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe N/A
N/A N/A C:\Windows\system32\sihost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1760 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\system32\sihost.exe
PID 1760 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\system32\svchost.exe
PID 1760 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\system32\taskhostw.exe
PID 1760 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\system32\svchost.exe
PID 1760 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\system32\DllHost.exe
PID 1760 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1760 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\System32\RuntimeBroker.exe
PID 1760 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1760 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\System32\RuntimeBroker.exe
PID 1760 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\System32\RuntimeBroker.exe
PID 1760 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\System32\RuntimeBroker.exe
PID 1760 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1760 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\System32\net.exe
PID 1760 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\System32\net.exe
PID 1760 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\System32\net.exe
PID 1760 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\System32\net.exe
PID 2224 wrote to memory of 4972 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2224 wrote to memory of 4972 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2224 wrote to memory of 4996 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2224 wrote to memory of 4996 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2224 wrote to memory of 4284 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2224 wrote to memory of 4284 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 1760 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\System32\net.exe
PID 1760 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\System32\net.exe
PID 1760 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\System32\net.exe
PID 1760 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\System32\net.exe
PID 4956 wrote to memory of 5152 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4956 wrote to memory of 5152 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4948 wrote to memory of 5160 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4948 wrote to memory of 5160 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4972 wrote to memory of 5144 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4972 wrote to memory of 5144 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4392 wrote to memory of 5168 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4392 wrote to memory of 5168 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4996 wrote to memory of 5176 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4996 wrote to memory of 5176 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4284 wrote to memory of 5184 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4284 wrote to memory of 5184 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4664 wrote to memory of 5192 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4664 wrote to memory of 5192 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1760 wrote to memory of 5328 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\System32\net.exe
PID 1760 wrote to memory of 5328 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\System32\net.exe
PID 1760 wrote to memory of 5336 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\System32\net.exe
PID 1760 wrote to memory of 5336 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\System32\net.exe
PID 5328 wrote to memory of 5492 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5328 wrote to memory of 5492 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5336 wrote to memory of 5500 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5336 wrote to memory of 5500 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2740 wrote to memory of 5544 N/A C:\Windows\system32\DllHost.exe C:\Windows\system32\WerFault.exe
PID 2740 wrote to memory of 5544 N/A C:\Windows\system32\DllHost.exe C:\Windows\system32\WerFault.exe
PID 2224 wrote to memory of 5696 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2224 wrote to memory of 5696 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 5696 wrote to memory of 5752 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5696 wrote to memory of 5752 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2224 wrote to memory of 5772 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2224 wrote to memory of 5772 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 5772 wrote to memory of 5824 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5772 wrote to memory of 5824 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2224 wrote to memory of 5848 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2224 wrote to memory of 5848 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 5848 wrote to memory of 5900 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5848 wrote to memory of 5900 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1760 wrote to memory of 5976 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\System32\net.exe
PID 1760 wrote to memory of 5968 N/A C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe C:\Windows\System32\net.exe

Processes

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe

"C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe"

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "spooler" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "spooler" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2740 -s 860

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 464 -p 3684 -ip 3684

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 512 -p 2916 -ip 2916

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 528 -p 2740 -ip 2740

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "spooler" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "spooler" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "spooler" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\MusNotifyIcon.exe

%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3684 -s 1876

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2916 -s 3020

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2740 -s 860

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "spooler" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "spooler" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "spooler" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

Network

Country Destination Domain Proto
US 72.21.91.29:80 tcp
NL 92.123.77.73:80 tcp
NL 104.110.191.140:80 tcp
US 93.184.221.240:80 tcp

Files

memory/2224-130-0x00007FF6B3E70000-0x00007FF6B4206000-memory.dmp

memory/2244-131-0x00007FF6B3E70000-0x00007FF6B4206000-memory.dmp

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2

C:\Documents and Settings\Admin\AppData\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt

C:\Documents and Settings\Admin\3D Objects\RyukReadMe.txt

C:\Documents and Settings\Admin\.oracle_jre_usage\RyukReadMe.txt

C:\Documents and Settings\Admin\RyukReadMe.txt

C:\Documents and Settings\RyukReadMe.txt

C:\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.txt

C:\Documents and Settings\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK

C:\Documents and Settings\Admin\3D Objects\desktop.ini.RYK

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\UserCache.bin

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db.RYK

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jcp

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\RyukReadMe.txt

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\temp\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wctCE8B.tmp

MD5 ee20e5c356bfcccd822596332ece3a2a
SHA1 40f6e619d27e9be557961bd7f6c1934267e770e1
SHA256 2aa220008309688543286d287aac763b10f238cca5ccbc8b9a866edfefc2a95e
SHA512 4ba6e9708a405016c17730dac9776809e7d1a242d5381ca8c8c6ad7b7fc5f92dc4eaf67d1bf1e5f69909aad78f3e8b803991c2ad9ddc0ce39a6d1086cc0b1f2e

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\msedge_installer.log

MD5 1083974ea68035c2716e4816a9376c89
SHA1 7614e1ef713b03583f1361e158458662c7177bae
SHA256 23a95a95c09e40fea98952f3ee0b486cce5ab8b2e737cfc4e30b4231f5a241da
SHA512 32da0ac2807dd07bd528430a578dc3c5497922c678c71a7e745f611763786fa1a4096b8df9d18b1b01bc8a6de326d4d7d8c3154c150cbb2555bece3638c67cfd

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log

MD5 9b4cc66c7a1cde53715657ab55c7ec3d
SHA1 086b5e135c5af5f437208e605ddbfc20de4c85e4
SHA256 d63f959a6c0ed8e865df7e5c5aea9c2993ed6486e71cb9cf743471e9faa8ca21
SHA512 a4fab6ede7c5f97e53c8287429bcc659ff657126787ccf9f7b3482564b7bd936e975cde89d9d30a24ab7c787fa79187025b30e79dbc0366b3b31c750ab5b5dbf

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46E0.txt

MD5 f13b1a56dd4f6f59f01bc6034fce9b31
SHA1 7ab007921d5e3c77f3ee6ea84098b058f96d84de
SHA256 37cd9c96287782ee36ed6ba84451e99f402d10a3bf409abc3ddd0903719e3a53
SHA512 adad3d0060cb1b33cba4d6ff36a6eed6eeb033e15efc62e70fa174d167f6d51d8e7c1a1bfc4cd4fb14224c4a407a5888ed62ee6e1bb9e896135e824ff1530155

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\AdobeSFX.log

MD5 9cad7c7800d5bea8f46a83d062aeb8e0
SHA1 de4c126e9486a2b00d1a354cacd531520d3f5406
SHA256 b3b457eae4ef6a68118073bd7acf5217f53622321544f840763062150542cec0
SHA512 060e6e676d68761fff0e5edeb67bdd24e1cb9224e353a64af08c90ed4877aa6698199e791d6ab85ce20786b83bcdc5fcf8e4c13d881836f4af88baf3b087b598

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00002.jrs

MD5 c9e17baca0abdd10f5d8c88f96b25974
SHA1 0e6dd2c5eff260f235b737781301068c9ba712f8
SHA256 cb80ff9aac8493bf101e9856fadf7deb35d95e145332cf9900703e84eb0025f9
SHA512 61fdf0eaf91cf875a3e7db8416c1b7310151aad6049451c664ec8cbd6d7808d9b8221d62f6fb9eef99e287e72ed5ed37b98ea0a1d74945be719f245933ff5515

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\aria-debug-2324.log

MD5 d42087f74b4c66b7e6ebd3d4863aca67
SHA1 6ea0b89f2138b967b2679b2261c05477c94306a5
SHA256 daad6d06e5718672caf2f9625d982f9bda84c339b987373d0fd2b0bbf73e2dbd
SHA512 ebdf6053151f45abce2877083709f1e98bb174a21e17c44bed16a4047d016bc014aa665b00f580d626908d6aa59f6f988466e88ff8619305bb9d4499483c8bbb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log

MD5 0bf549b9efed1591cd302b97f9675c9b
SHA1 76bf3f6a83ced4d9b1fedd7bc1865b77292a750d
SHA256 24a50a649994e8a6eb2a38e160199f44781f7b5edccfc1c29d287f7ce6ba8500
SHA512 0186bd9c66554fe865931c605a8f2e3fcb50d05cb924e6a3e99d7e3273e28d114401499bc46038c4cc5da7b406e1750ba181a2f2fe44290365daae8b4262f5a1

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log

MD5 6d97fd040f689240e2bb4504fea11420
SHA1 5bc58fcbf78cb4d1e15189c892e12b54c4a29b2e
SHA256 f81ae750125117ac660aa18713d3b5ea1e41b772942ff6368abe68a4d57ed126
SHA512 460fe3a78d07591810ef7791bb5916c14a2eba8e5ed9223154a7a803babba4333977b5cfb0fd110c9e774d8e514657e5faf81253526ab3465603948475cbd941

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46A8.txt

MD5 83c33df9e61b2595302bdbb09776cc9b
SHA1 0cbfba391d2cce84ebbda89fda1fca3a6e40c2cb
SHA256 dfb2fe5cef735000d2d4fc3cf6236f81dc5c0b8c5407610e5847c81c92355928
SHA512 c67f5e9d543fec72294cb06cd1d1794b8c47b2980376d72929eeaa2cc3ddbee14fa4559ee879ad2135bbba4f86698edfc0a6286c037c891891526ef97eb886b0

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00001.jrs

MD5 503851682a65b77c236f7e889e88151a
SHA1 3d7c71b3f601438e2deadc394859db1191b0e119
SHA256 75101b185474d0dc6a64cebda5512c656d3b245e3c12f031da8bd9a5830843e6
SHA512 6c56c4e7aded5167870e6b01693da616bd57c56590314d9eeb6427fcc568076e34ea7ea2903e711b37ff500ed5dda619cb5dc291d5cc1a5925c50e6fef2808e6

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\History.IE5\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.jtx

MD5 7320f1721023b05729bef23d1be3a29f
SHA1 394de0fd9720baf7d28e9e7e61612c2bc8eac812
SHA256 7eca20c523c7654f9cdab687f61bd3189af8674417c6932be6686e14f25c6ef8
SHA512 d1b3d760a51412b5e695f9f9015c75f95cd56424a4b0f1b00d1aa4442bb0f79b5d8ee42902d28b0c978ac5aa88fe315af94cece5acad2301b08fcbe1c1b48b64

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-BH\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-AE\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\af-ZA\RyukReadMe.txt

MD5 ce8ea65435944d002b38721d593435fc
SHA1 005ca1257ae15a487effd424968cc89817bd458f
SHA256 ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d
SHA512 6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855