Malware Analysis Report

2024-10-19 06:16

Sample ID 220220-fq8exaaabm
Target 84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3
SHA256 84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3
Tags
ryuk discovery persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3

Threat Level: Known bad

The file 84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3 was found to be: Known bad.

Malicious Activity Summary

ryuk discovery persistence ransomware

Ryuk

Deletes shadow copies

Executes dropped EXE

Checks computer location settings

Modifies file permissions

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Runs net.exe

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of WriteProcessMemory

Interacts with shadow copies

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-20 05:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-20 05:05

Reported

2022-02-20 05:46

Platform

win7-en-20211208

Max time kernel

160s

Max time network

141s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

Ryuk

ransomware ryuk

Deletes shadow copies

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ZNGJIOO.exe" C:\Windows\SysWOW64\reg.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1528 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe
PID 1528 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe
PID 1528 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe
PID 1528 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe
PID 1528 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\system32\taskhost.exe
PID 1528 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\system32\Dwm.exe
PID 1528 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\net.exe
PID 1528 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\net.exe
PID 1528 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\net.exe
PID 1528 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\net.exe
PID 468 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe C:\Windows\SysWOW64\icacls.exe
PID 468 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe C:\Windows\SysWOW64\icacls.exe
PID 468 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe C:\Windows\SysWOW64\icacls.exe
PID 468 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe C:\Windows\SysWOW64\icacls.exe
PID 468 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe C:\Windows\SysWOW64\icacls.exe
PID 468 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe C:\Windows\SysWOW64\icacls.exe
PID 468 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe C:\Windows\SysWOW64\icacls.exe
PID 468 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe C:\Windows\SysWOW64\icacls.exe
PID 1528 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\icacls.exe
PID 1528 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\icacls.exe
PID 1528 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\icacls.exe
PID 1528 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\icacls.exe
PID 1528 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\icacls.exe
PID 1528 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\icacls.exe
PID 1528 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\icacls.exe
PID 1528 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\icacls.exe
PID 1528 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\net.exe
PID 1528 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\net.exe
PID 1528 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\net.exe
PID 1528 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\net.exe
PID 468 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe C:\Windows\SysWOW64\cmd.exe
PID 468 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe C:\Windows\SysWOW64\cmd.exe
PID 468 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe C:\Windows\SysWOW64\cmd.exe
PID 468 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe C:\Windows\SysWOW64\cmd.exe
PID 1528 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\cmd.exe
PID 1528 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\cmd.exe
PID 1528 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\cmd.exe
PID 1528 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\cmd.exe
PID 468 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe C:\Windows\SysWOW64\vssadmin.exe
PID 468 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe C:\Windows\SysWOW64\vssadmin.exe
PID 468 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe C:\Windows\SysWOW64\vssadmin.exe
PID 468 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1528 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1528 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1528 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1528 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1528 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\net.exe
PID 1528 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\net.exe
PID 1528 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\net.exe
PID 1528 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\net.exe
PID 1528 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\cmd.exe
PID 1528 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\cmd.exe
PID 1528 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\cmd.exe
PID 1528 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\cmd.exe
PID 468 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe C:\Windows\SysWOW64\net.exe
PID 468 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe C:\Windows\SysWOW64\net.exe
PID 468 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe C:\Windows\SysWOW64\net.exe
PID 468 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe C:\Windows\SysWOW64\net.exe
PID 1528 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\net.exe
PID 1528 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\net.exe
PID 1528 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\net.exe
PID 1528 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\net.exe
PID 2024 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2024 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe

"C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe"

C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe

"C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe" 8 LAN

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\icacls.exe

icacls "C:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\icacls.exe

icacls "C:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\icacls.exe

icacls "D:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\icacls.exe

icacls "D:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\cmd.exe

cmd /c "WMIC.exe shadowcopy delet"

C:\Windows\SysWOW64\cmd.exe

cmd /c "WMIC.exe shadowcopy delet"

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe" /f /reg:64

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\Wbem\WMIC.exe

WMIC.exe shadowcopy delet

C:\Windows\SysWOW64\Wbem\WMIC.exe

WMIC.exe shadowcopy delet

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe" /f /reg:64

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe" /f /reg:64

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

Network

Country Destination Domain Proto
N/A 10.127.0.1:7 udp
NL 154.61.71.13:7 udp
N/A 224.0.0.22:7 udp
N/A 224.0.0.252:7 udp
N/A 239.255.255.250:7 udp

Files

memory/1528-55-0x00000000769D1000-0x00000000769D3000-memory.dmp

\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe

MD5 21256f1e6fef12bb963fff955d5f4531
SHA1 45f2ba25a028bb4756e37b810b96a32bb359b339
SHA256 84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3
SHA512 835b80e9d9db3aac6d670dde804c9caf999dd915086f1b3e037a60b572c6d6c1dc5261ee921851dbf50651be5e2eada75614be34c4e25b30e7dddd731fee1587

\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe

MD5 21256f1e6fef12bb963fff955d5f4531
SHA1 45f2ba25a028bb4756e37b810b96a32bb359b339
SHA256 84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3
SHA512 835b80e9d9db3aac6d670dde804c9caf999dd915086f1b3e037a60b572c6d6c1dc5261ee921851dbf50651be5e2eada75614be34c4e25b30e7dddd731fee1587

C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe

MD5 21256f1e6fef12bb963fff955d5f4531
SHA1 45f2ba25a028bb4756e37b810b96a32bb359b339
SHA256 84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3
SHA512 835b80e9d9db3aac6d670dde804c9caf999dd915086f1b3e037a60b572c6d6c1dc5261ee921851dbf50651be5e2eada75614be34c4e25b30e7dddd731fee1587

memory/1116-60-0x0000000030000000-0x0000000030170000-memory.dmp

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a

MD5 93a5aadeec082ffc1bca5aa27af70f52
SHA1 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256 a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SHA512 df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

C:\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Adobe\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

MD5 732dcb1e802d76e40a1388fae11d2e4f
SHA1 17066592c389b5b20c7f587c78d71f0a9cb6edf5
SHA256 ec08a20e3b9cbdc5bce26aa163e225b0e94a0415e468fa092790685f4b516af5
SHA512 5aa8083d388b95b62fbb8075bf8305f733d795dd497c987c20c39ff64d804773b76405ec558a617631b9ee2176faf147cf5afee19e7600307381bf3608dbddd2

C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

MD5 4ebfdeaa6c0cca37959cca483e3123d8
SHA1 2bcd5987b2edb56ff3a6ef860af6fb91e585443c
SHA256 3f0e907eb20a4501459b787c7fa5756d119c6529da9745c1f750b0361d572c97
SHA512 ed9815dcf93c0ca1e9ee7382919624b5a8a8cfa4eb9214876faf397c783e939d8d9a1b04e6ebf5df41095e4944e3877ff666dc4d23a4d9262714ce1c2492b364

C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK

MD5 7b3aae5602792542fd5c44490fac61db
SHA1 ef87ea71b8988597c2a4edb3bb484cdef62d5b09
SHA256 9b8aabb9393ac19706f42581332df27cc6573baad7c063564df058998d61c22f
SHA512 ef066fd56e7951f52c16adae502916620c81180a5d12930816b06de91b6ea43c219a88ace70b5421a34873c2fc9de967d571a14f83de973eec91dd5b6bd9dfdc

C:\Users\Admin\AppData\Local\Adobe\Color\ACECache10.lst.RYK

MD5 1cab0f8287dfda4eec296fd36d0bede7
SHA1 be767d9c6718ab1d0be24138e8aab100d0af4df7
SHA256 a74d00bb5371da3ecb991d01be2ce4017c1078be2eaacbb97fa246002c236fb9
SHA512 16500d637102d0de0d0278ad8ce0aa534b663976453fd2ce4c88182ae18f5f99be06500ff5eb876f919b8423838355f46db5eb0c738f5d18fe3413c80bd1d8ea

C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\Credentials\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\IconCache.db.RYK

MD5 8fcfb688caebd63840228ce98386386a
SHA1 e161ee79d1952c3f07f9c8122187996cf8e5bb5c
SHA256 9301ebff479c679e08d93101c33fd1947bec0ffa665adfe5d349fa3674817d64
SHA512 b8e0d82ddbc0629c6a3a109d4126535859ad752d4dc704a69b3451058955707487da48c2125bf6efe92476de16667b81e58d8fb12223a44bcb38a25e2a7f5ffa

C:\Users\Admin\AppData\Local\Google\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\Feeds\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK

MD5 5bc6812fd5866b9b063987aa4e8cb5cb
SHA1 761f8aac1d5eaa88b501a51d75235021c82fb2fe
SHA256 d87a2e2092c99342fc05ebe27707a3ecb75c7ff24a41dc95cb187b840ab5e06d
SHA512 20e695bdef6471b15008cdf6c90902ab72b695e0f25223273748662cb9d8091590c54e652caba520ac5a9256d9be8f582f401861cf84d0b842bd0877d745f232

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.RYK

MD5 57432725a840ea545febd5d67e1ae422
SHA1 5c9c0f3a3799b255b0126ee2e3c09efaeb85439d
SHA256 9d9eecd7c0671e3dd334d0d0724935210cf48deed4f53665d1a756be959a9ef5
SHA512 b4e9c2fa8023294090ffb108a420036ba1f65b4ae1201789073ebd08c53dfcbf911f7ede7332edcad9afc31bf409a88629c893173ca7f91f2af4638e7ac42677

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak.RYK

MD5 a6fb9b332f0232ac79ea6e66676b7328
SHA1 8e46129ba1268097fcbd9e3b96a41db5ab7b8b50
SHA256 c196d5680f7836a08656aacf116758e094ab13d71038aeb4a52e9d8e8112c7de
SHA512 08a1002e8234f5188fe0eb849fe03b520299ce0fde0d7ef80f4c92e7cb2dc8fb5b838626f287b3d61a896007328526bb938852170111ab062850ebd410c4c85e

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\Media Player\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb.RYK

MD5 34e2d3ade33e04fe97e1850f6d5bfa68
SHA1 6182aa1b67d4a8129891246bf63acbf051009669
SHA256 4654c55a1deb34e07d8c51bbf25487c9ec69f527b6e11b98d8ca3a59ceeec3f0
SHA512 3a900d7cabfd11ad12c3200a9b032b7dffda72675cbc4a2b7b20e3a04b621aeca3f30f9a169dd6f96dbf64d800df8f95005eaa97a72d7595914e8734405b75f2

C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\PlayReady\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\Office\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\Windows\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat.RYK

MD5 bb3504120de6ad0d964bc74aac422563
SHA1 8c91b7d57f6b6cb0e01cff54d7306bd74b9f10f2
SHA256 701c604195fd2f3eb4a353ca2723833a360d7c19a95d32c9696bc9e87388fcde
SHA512 f72508f8b925eaaa1b6f31a8c73258cbcb144322e83cc8154698fd1011018b9605b3940235f101c223428ace4284d0063fa807b11090514ac3cdf051d4813851

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\edb00001.log.RYK

MD5 3c8329c5a3d0a4ca37f95349b1dff086
SHA1 a8fa8697730cb8a3e02e11d09061a7a988d68207
SHA256 d4c66bccbb7bea38321b44a536e09fb092849ce82424babc959f973408013994
SHA512 e41abf6fdfd13398853f58d3d41b5f0d17156a5b7b597a738885c37286f43a2a52c01723811586446a87521e2938748a80868e391a436f56598f978b7d103064

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.pat.RYK

MD5 a462a5c03840b7d96593d7c8b8b03573
SHA1 0ed2b4feb883732d3643d578737a60188a3a95dd
SHA256 6a9bc4f308223d57c96085a41a8aa7c66492e60e2b3c9b219f29fe192cf5d271
SHA512 3e2134239afc7f6a325baa766eba54ebe8809d1094766907e176b0709a3136c0601e3d546b0a45f684e7d92a2d5b08b8921c415abc53440baacb6dd4aeaafc08

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\oeold.xml.RYK

MD5 27f12e94741460bde0181cdcebbdf482
SHA1 1e818901c60298308052b1884af54850bff5cf0f
SHA256 25f116980abd5c336967a1d71a2c355c123a723f15213dd85e47411fed81a0a8
SHA512 d63b453871bdfad16e6da4b20ea48dd7be20c20b73c6af31b17ab37f8db0e7468bccf2e073228f3f9751fd746c42b98c30cc14654736a58b5995e890d9ef978e

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edbres00002.jrs.RYK

MD5 3ff77355a5afc38bef8554b20238322d
SHA1 076cc0cfbb31db6a747acdc816d5151ddbeeee54
SHA256 12da6c33d9fff7fc33ad953bc70b48d912432d5ccf70e2aef56dead1f8a00163
SHA512 742c4d80f9ed96a9d3e4e2306c715e0bdf973fa7e5a2fcd1d96ec84e5cbf31ab5ba841cf145062f6e9732742b89ea629c120d7abbf69c567e5da512842fc907f

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edbres00001.jrs.RYK

MD5 90b93ea902c95432036087da3bef216f
SHA1 93aba524ae987d3788839f5ff024de91ebe361c6
SHA256 11d10da318711153ecccfbb542f08af4a99941479327a1471251ba62f03ee55d
SHA512 89df01cf94708e3e9e073702efde6c36cf55094a7c9dde746f1c10448b79a1772d72ae31ecad15193461a77136b98d037461d1b316f37fd968e970098fd54207

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb00001.log.RYK

MD5 95b12ae3118f58e4b0978b3491360229
SHA1 a3f201a3d9847ad3a4f93f0eb90b0b718c13b84d
SHA256 ccb1a390166851a55f254b87f884c50a636ca5f9c735c62c72b5a785bee77de8
SHA512 ac5b731801bdbabfe817538cda85bd46e6174a8d04a3056005a441b76e91e28c7f23dbbd47e92d84eaa0a096d44ef461044017750cdef772ab91c0105ccb7a0c

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log.RYK

MD5 c631ab1ebb02209abe42d2957c021113
SHA1 5650ead80157763847bc2ad86fe0d90919e14bdd
SHA256 c7a4ba8bffb87b1240db5c963ab96daf3de672ddce7a39dae23e3027b244e70d
SHA512 f37159520000be9fd8984a45bab5072f670f23a77cb02da0d6a70690c4a79fa0525d6d350ffc376cace0cd38996257d03700a1ddb0f5c1b1c0e2815b7f39abfd

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.chk.RYK

MD5 1b6ba687fe69f3d8ca083fd0ba5a8b62
SHA1 6bbd06af7443dc79689074ad9c0fdb82bb851866
SHA256 72db96d3f9e07d0c6bceab4ae5422b1532e6ceea1d662fbad83db536433751cf
SHA512 9d33d94960b109f9dab153ad049851f985ec9b038cfd8e082d2751c7ed3f895ca8da687ecc0577c11661d0b4f5c38aeb392e3b3055fed33eaf62e5812729c865

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.MSMessageStore

MD5 59888cde8927e0c3b3d44af2333887fb
SHA1 da3ae66ec6b161ad6a9298a2446d8854cb85e17e
SHA256 4b5e0d2b400d70656ed53116d5a6c59181fedeebd4146dcae21359aa33a4ac47
SHA512 9eb833dbba1711aac45b60de937fde711bea47cdfe6f43dcc37f52422b3bc02690773ffa5f799d9b6dcb8322e2abd4186cffe7f60c197f9037a0eefdb36bc2a6

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.htm.RYK

MD5 51241e9e090e3579962709a406a7b499
SHA1 5312612a199f8e78088b4efed2208c38a59fa92c
SHA256 fee5dfc69dbef8712467f0ae20509c53af1eac2738734d5d86fa9231f5c83bbd
SHA512 7321f6eb030d4766dc1c0b77b18295efbc46a4c7d44ee9f3eaa53e36ab40b400ac8f305656da8bbcfcd17c313b602db71190b7e1b1fd45cf974ddcf77459722f

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg.RYK

MD5 9877c39093a36de24e75db223a5d842c
SHA1 1ab4483ccffc94b740db88e5f9758e8867b1f13b
SHA256 3319aebe728737b88dcd0c35595022b9821d995e11dca1c12c0fa40bc08698b1
SHA512 8aafd79722fdd65bcb39cd2a1641af68fdc77a2382245c49b51daa5beaddf3babd95b8ff9b32cc74efdd9481c03d1428bed9c2debd4c6ed74e00277ff555f3a7

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg.RYK

MD5 17edb49a780dcf16ce14626766b6303a
SHA1 06260c37877c7b134cf23a70b72afd6a28e592f8
SHA256 c6a7e981c35c995da51b16324de271e314ae3c310df5ce186785c5e5c64019fa
SHA512 54a9380d3e78f6c9c04915b06105c72ca3f826aee566fe61f370a13d0678fbb56e4f563d57855f1d324ea405461026bbd52e48155510e75c730f6ef9f1ba84d6

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg.RYK

MD5 f5d1eb411436d7e3b2e2c5c162488642
SHA1 d5e6fb0c247ac2246e7ec02946ce40c15fc1b70e
SHA256 068193cb99240e33983ce1d02f878f8b02ba22d089e9b3422e31141fc8caeced
SHA512 92055aed571ade11da8ce7abe08d691b870d98c0dc811fc66ce910c1a6d53060d7fbb035d7c988199f8b30a33449b3130fe4e06bae5cbe08ba64a7eb8123ad4a

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.htm.RYK

MD5 78c5d431a9ceec3c710c7acb7a982e87
SHA1 f90e0b942aafa288c4cd2f25a0acad6ff7ab9a74
SHA256 930a513e9e0ca6c62b5dc881c91619fbaba42c25c9ec204dc82fdd4c60231d8b
SHA512 dc2a861033676ee7758b5accd9cf39d182d68a3a636df87cc3a7db225d1b718c29879c046feab3e430ec97978c00a2e08deb33e3148b00846348f40c262d61e1

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Dotted_Lines.emf.RYK

MD5 a8c06dda54aba674523e38aa390ac651
SHA1 a14a8ac06ec5b69c1edb1cf466dfe861b6a3c4a9
SHA256 f60c42204a592a43c79465ec62722bf4591b47522ae62a6ea0e86adae87bddc7
SHA512 7202d795b8b108b39fb739be0707267eb9997c4ee1bd4e168a23dd6284fb16f0fdbd326d42bd8bc184b4e3bdfca79c5143d34ce6d439d50a84116d628372db16

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Connectivity.gif.RYK

MD5 dd287e60771fd1ddffed371264e74fb9
SHA1 887d761c4c6491bc6fea11560e00130f5fbc7e96
SHA256 a621a47acd3e338ae472d524f694f238222494764acf962380993bb1897ab4d7
SHA512 324c17ff17cbb209dd7d159a24a33a4b363ef1dbe7f520ae92d277a620d5b3c86a33b86c2c1c35ba5e3baa7831a37aca75bdc4f5ece912b27a906c1e045d6ffe

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Cave_Drawings.gif.RYK

MD5 0176d2a536ce7c4aff105e4e96021147
SHA1 c02b8bcb91bce404c9c7996cb0b9ebbbcc0cc1f0
SHA256 a748df34eac153ac804c7d1370f17c339df09b1d4592ff945742bfbbbaa50186
SHA512 d73f811d5223e920e393b6e54f1955ffb0e84b24614d50e0692aab45d92ad15e8fed54d0b974bb76160b5f2f2ba5b1287333ee35706c7b21481069812eda8f46

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-20 05:05

Reported

2022-02-20 05:47

Platform

win10v2004-en-20220112

Max time kernel

204s

Max time network

207s

Command Line

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

Signatures

Ryuk

ransomware ryuk

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat C:\Windows\System32\svchost.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\MusNotifyIcon.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\MusNotifyIcon.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.211715" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4112" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4240" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132899859291863226" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "6.250255" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.432897" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1852 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe
PID 1852 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe
PID 1852 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe
PID 1852 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\system32\sihost.exe
PID 1852 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\net.exe
PID 1852 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\net.exe
PID 1852 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\net.exe
PID 1852 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\net.exe
PID 1852 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\net.exe
PID 1852 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\net.exe
PID 1852 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\system32\svchost.exe
PID 1852 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\system32\taskhostw.exe
PID 1852 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\system32\svchost.exe
PID 4068 wrote to memory of 3872 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4068 wrote to memory of 3872 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4068 wrote to memory of 3872 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1432 wrote to memory of 1712 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1432 wrote to memory of 1712 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1432 wrote to memory of 1712 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1852 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\system32\DllHost.exe
PID 1852 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1852 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\System32\RuntimeBroker.exe
PID 1852 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1852 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\System32\RuntimeBroker.exe
PID 1852 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\System32\RuntimeBroker.exe
PID 1852 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\System32\RuntimeBroker.exe
PID 996 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe C:\Windows\SysWOW64\icacls.exe
PID 996 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe C:\Windows\SysWOW64\icacls.exe
PID 996 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe C:\Windows\SysWOW64\icacls.exe
PID 996 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe C:\Windows\SysWOW64\icacls.exe
PID 996 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe C:\Windows\SysWOW64\icacls.exe
PID 996 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe C:\Windows\SysWOW64\icacls.exe
PID 996 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe C:\Windows\SysWOW64\cmd.exe
PID 996 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe C:\Windows\SysWOW64\cmd.exe
PID 996 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe C:\Windows\SysWOW64\cmd.exe
PID 996 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe C:\Windows\SysWOW64\net.exe
PID 996 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe C:\Windows\SysWOW64\net.exe
PID 996 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe C:\Windows\SysWOW64\net.exe
PID 3128 wrote to memory of 2976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3128 wrote to memory of 2976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3128 wrote to memory of 2976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3816 wrote to memory of 2544 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3816 wrote to memory of 2544 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3816 wrote to memory of 2544 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 996 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe C:\Windows\SysWOW64\net.exe
PID 996 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe C:\Windows\SysWOW64\net.exe
PID 996 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe C:\Windows\SysWOW64\net.exe
PID 2176 wrote to memory of 2164 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2176 wrote to memory of 2164 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2176 wrote to memory of 2164 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1852 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\icacls.exe
PID 1852 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\icacls.exe
PID 1852 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\icacls.exe
PID 1852 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\icacls.exe
PID 1852 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\icacls.exe
PID 1852 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\icacls.exe
PID 1852 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\cmd.exe
PID 1852 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\cmd.exe
PID 1852 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\cmd.exe
PID 1852 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\net.exe
PID 1852 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\net.exe
PID 1852 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\net.exe
PID 1852 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\cmd.exe
PID 1852 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe

"C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe"

C:\Windows\system32\MusNotifyIcon.exe

%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p

C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe

"C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe" 8 LAN

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\icacls.exe

icacls "C:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\icacls.exe

icacls "D:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\cmd.exe

cmd /c "WMIC.exe shadowcopy delet"

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\Wbem\WMIC.exe

WMIC.exe shadowcopy delet

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\icacls.exe

icacls "C:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\cmd.exe

cmd /c "WMIC.exe shadowcopy delet"

C:\Windows\SysWOW64\icacls.exe

icacls "D:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe" /f /reg:64

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\Wbem\WMIC.exe

WMIC.exe shadowcopy delet

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe" /f /reg:64

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe" /f /reg:64

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe" /f /reg:64

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 geo.prod.do.dsp.mp.microsoft.com udp
US 52.184.217.20:443 geo.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 kv801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 kv801.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 cp801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 cp801.prod.do.dsp.mp.microsoft.com tcp
N/A 10.127.0.1:7 udp
NL 154.61.71.13:7 udp
N/A 224.0.0.22:7 udp
N/A 224.0.0.251:7 udp
N/A 224.0.0.252:7 udp
N/A 239.255.255.250:7 udp
NL 184.29.205.60:443 cp801.prod.do.dsp.mp.microsoft.com tcp
NL 184.29.205.60:443 cp801.prod.do.dsp.mp.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe

MD5 21256f1e6fef12bb963fff955d5f4531
SHA1 45f2ba25a028bb4756e37b810b96a32bb359b339
SHA256 84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3
SHA512 835b80e9d9db3aac6d670dde804c9caf999dd915086f1b3e037a60b572c6d6c1dc5261ee921851dbf50651be5e2eada75614be34c4e25b30e7dddd731fee1587

C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe

MD5 21256f1e6fef12bb963fff955d5f4531
SHA1 45f2ba25a028bb4756e37b810b96a32bb359b339
SHA256 84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3
SHA512 835b80e9d9db3aac6d670dde804c9caf999dd915086f1b3e037a60b572c6d6c1dc5261ee921851dbf50651be5e2eada75614be34c4e25b30e7dddd731fee1587

C:\ProgramData\USOShared\Logs\User\NotifyIcon.6a3e1b01-1d47-413e-bced-6904454828e3.1.etl

MD5 07b53b0b91437b8f4ee31fb4c875c751
SHA1 4e37041fcfeeaee0bc2e81a6a0a72a231d3ae5a9
SHA256 6456c5ea7db0392c123962826d2bb4de0cbfaa2fb748d5a245798b0146987754
SHA512 001d4d1522a4c8d1906b858ebbc6391b0d12a1368597df82f2b2731da66f0dd9e7db5899416eac069001ea906196eb102ef368e65094ec284151c5983d8c4d6f

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2

MD5 93a5aadeec082ffc1bca5aa27af70f52
SHA1 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256 a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SHA512 df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

C:\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin.cdp.RYK

MD5 282e965e50c0b7c42aceca9f4e7bbfa9
SHA1 73ee08c53e889a3094442e13b8b74ec68c7f3857
SHA256 03b028ca841cafa3619dcba663a024cbed79d9d5ba72a7d25aac7569a24d3a16
SHA512 e05fdc47c91d895e7b2fe5670f1410012105bc68c61d62ca39940c99f67903075bb2ba333246f8bddd3650dc407f43545f674c3c9ce2c091e67596a4f65e9576

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USStmp.jtx.RYK

MD5 501142f3d50b33e90eb41970aa669542
SHA1 d76500886ba12d30db19c46d1311d290c3a0c2d4
SHA256 f0b75f5b763eaa4376191d0e4e0020b49972556d0d4885e7acb15e065c49e4f7
SHA512 2a7f024d60d5ad1611a3332771ef7fc7655df8b823a9c38284f52d1f2477b9427d60dac455aeefbb4b32959a5f3d8f00a2d8d438eb20c6321d5613e17f69dcff

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USSres00002.jrs.RYK

MD5 50365d291e266c35d90efce26af3a830
SHA1 e5124f39c797365cc87f29e3881e19c94dec1c93
SHA256 3dad868176f0d705706bca9ad65772f61b018d650c028b8e791c816d370499af
SHA512 0566eb98e328e69a51e5b32bee62dd018e4b570a2a26c06e7af42243c4e9d5c7b86c4e0198850c1ffec094ed26cabd18d80e572b9cd4ca8a88e664ac615f2c98

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USSres00001.jrs.RYK

MD5 8787e73fc71957ca6da2b967057d1b1e
SHA1 b17b5baa57389a3fe0c981c54a08b33211c4225f
SHA256 ae6424ef057d199c47162736f9d62366b9f83ec29d2e6b7f7c83bc5695505ed4
SHA512 cd97815691ecfa0c7da19459e6717d9af44de33d39fab2e05af2dc1ec3660c1756f70d8f95f468bb74346921caf5e632c3a714f27161571deaa9a291e24c4e17

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jtx.RYK

MD5 a6874daed050c35eb4036abfa137d395
SHA1 d3f0a09b201dd0f9b5fe8a99ff76b1bb3ec788b3
SHA256 1ddbf1623854541a9e88fe087f30b886458b573a49851d0061eeb2bff1eb6e66
SHA512 d6f10b6918210c86e7f55065eab8a6d197b6008263916e976eee469f8a03abc30f84cc6f0a906f76975fcb7ed6bb23914ab8140d0b69d7c4d9b9ba3bb14122ed

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jcp.RYK

MD5 63cb8d04f285576497b71b0f5471f999
SHA1 e479f714bd171811fe39a5089034581dfb9f9c10
SHA256 7430aeb4a694def52d37518af04b2b04fb8437d654ac998bd6d4fb7162d4dde8
SHA512 1178186a301ffcdb62e3b02914bd6bd4929ae7b7c7ba8eb713e28b7a76a9eef48d8ada99d5ec18a4f4fd5a2c9f64873653b1496fb71fe6ce44a37d099e4bf767

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.vol

MD5 f5f4b4052de128530fec13ea7bdd710c
SHA1 365e0ab308e9e7be6d8271f4e93c691582f2b242
SHA256 929a18f013b0de56ddc3563b577626f3ffb1cb122b5a17a3388c80e78071316e
SHA512 b01ef88d7180086ecd7936598e43731f5d9f5541b9da0bd02d827d9655547a158a15922f5998f8d2ffb41884025ba317e2ef7dd7c439dec0fd8aa4da968e93fe

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm.RYK

MD5 14fd16ae52c8ee02a9bd220304e968bf
SHA1 158a5bdbca3e4b34c434c5fc5951cc3b020305a2
SHA256 ce7eb2fd52412c41cf558bb282159c9b5cbc622dfdfc36405b067e64c21423a8
SHA512 e846e63fde343b4abcddc6c253c174acf0fc41ab10d19a356a6282a0ba7bfbdb0f92d56e86bfe1dd2efce02e9f1aeb98db864eb6542e96851a01a2bcb8d521cb

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Comms\Unistore\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Comms\Unistore\data\temp\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Comms\Unistore\data\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Comms\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Adobe\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

MD5 bc8234f034521e8a4817c9d4704d5c9d
SHA1 08af97e1db654002b313884963605b8d12f7a677
SHA256 e09919b0136b2899d0b71e20350946d417b631f1785c6c8a327bc70fefb085fb
SHA512 be1af3a67fc69b59bd55bfb2dc81da8572fb6d6b173c82eb4a336d2eb384f91e8789063e130cb2aa5f82da2c7969da775eb7c29728fcd14b8a135e6e12e28d10

C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

MD5 b45a38c7f13821c9379f25548c4b6488
SHA1 50ad4caa5839f41bc150679956dbc8999a58e019
SHA256 812490532c6f11825d96c935f2ca06e4a4c1901701bcfc972e6773b73544eb11
SHA512 3112a61c1144cd987c45f3f19df04674929a6bc0ef3b559f5d79766976d419420df4043ab7f24f8fc81ab32411431c91fa2b616af121a8978ba4abda8d67be11

C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK

MD5 682469eaa051fccbb6906592b1bdd2e2
SHA1 29b9d5e5712a7e1f014ceb9b01d2ac38278ac718
SHA256 c5b8db655eba3fcddb4da0c260fef7956e413717925839c45a6262258b5228f8
SHA512 58765537e1c1b08270dda3cd02f391a732402b278a7529297a81bf93b17927a868ac82ad7ca59483174815dd68cae54c6488055dde9302ed041d82c1c48a9f02

C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK

MD5 2689218f8a25d44a88d6ad6682eea762
SHA1 6044c1f5cab9f1deab735110d11cfdab518267a4
SHA256 689b87cb075cfab6747c0f93f4d671d621b9307aed730d432149f08d01e9ea01
SHA512 380f899549284b768ede4570b834f4766c18cabf5bed17ee2404855eac02ecad8fc9219b102780cdf67693deb64a5087fe4a732ce40abe7f1d132f4809ed41b3

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK

MD5 3b9b430ac942dbdbd1f9f92c4026b98b
SHA1 942e82ea0220378071f3fa44e1b1cb462f34a119
SHA256 893c903455ec58826dc863988bd1fb2cf2fe293da334ead5a002521bf3742d9a
SHA512 28a262a2e94441e001477e1165ad44032b6565bc3a4fa7cad3af10666e881bed041fef5069b7071957f6353a850da056a1d7246592ea58fdd904d031aea313c8

C:\Users\Admin\3D Objects\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\.oracle_jre_usage\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK

MD5 2088fd252365eb712195f803940888fc
SHA1 3394d864aead4dcb79f5aa047712a14e6371a1b9
SHA256 e021b3ee42f5ec90258ae1d12b6609ddf6e7e173b344d87e0c9fe31026ac325c
SHA512 8678312f2d57d808315889e3cd5e3d77cdeeeda0d7dffbe24127ef389524254abbbca938da6d5b02d322d5688c4182f7f89bad7c32e424467c69e5b542f959ba

C:\Users\Admin\AppData\Local\Google\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\README.RYK

MD5 6d4db47132624b42f9bf9efc81a0e673
SHA1 d7b5a7da352a8bc52b28e444fed1a733b4851d6f
SHA256 de7526db3da33b40c8de79616213eb4daedf1f8f5463b10dfc110ac9899b8b90
SHA512 f58ffc25c15b78188dd4eaf5bdb27e80e50e555ea022ceb6f9ee32b6e5cd3827c127826f4fb5da6a85aad13dbe79faffe0c0c2076200450f9de07d43203d1d75

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

MD5 b50cb12810627f3f8d7c3c2b058e5851
SHA1 ecf169145da5c456bbebcce7bbbd70be67f2972d
SHA256 455a1bf20c7ebea551cba02de87dd9205f08cfe68bca280c0e472b420c3c5c5f
SHA512 c6f9cfb89ce5f61892ef710326c110ea337e2cc38c446ecbfbc902e76d1a1fad97f0851588427360a91c330860b173c25126572f780c634822fab9e7eac2a1b9

C:\Users\Admin\AppData\Local\Microsoft\input\ar-QA\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\input\ar-SY\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\input\ar-SA\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\input\ar-OM\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\input\ar-MA\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\input\ar-LY\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\input\ar-LB\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\input\ar-KW\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\input\ar-JO\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\input\ar-IQ\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\input\ar-EG\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\input\ar-DZ\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\input\ar-BH\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\input\ar-AE\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\input\af-ZA\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\GameDVR\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\Feeds\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State.RYK

MD5 8ba8c003d34d1ae78dc04445f96fa090
SHA1 69ec8929c6b2795b6aaf567d994710aaf0a2bdba
SHA256 85b6a90d771498988f23579a23a583e27b1e4be332fb9efb16e1e9d5bea29466
SHA512 ccd4c84af31e5f88fcc6a55a88d0e459200e78569ee0082e4e6cf932e722c8cba4d55d31388c56d5013a911c7fa088833b17881590e495d41626b5d6359a4768

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

MD5 61f5ce864c427d353712eaa37baacfbf
SHA1 0311720285d08ce1915a7cbeb892e0a12401a9fe
SHA256 a3110c64f894ad51963a465be90700490a49109c2d5112c22673885577340b3a
SHA512 ff4b55cc2f5950c508870b44606c2c1ffa5b9eb82e9a627b88f2c4e867db982c6157de26c6f6a7cd1d874885715e5e1a33418de5fa19889bb768513ad75e6aab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

MD5 ed1518762497f11da0b40a60222abf1f
SHA1 8675dbb72c02c18b874526c3934b74b0c114124d
SHA256 2168633ea9f9a8f77dcb85080b6845f43b6dba0f14816ece7a9d802657b9b721
SHA512 7f934f32091d497677e94ac9f0e4f09eb9a969c9063c9843abb651b7d8886a9224d91e0bd74283f808f9274ceeb0e9b03e896d1da0af28103650d038239e1668

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

MD5 44fe0e3bed28a88779367fa67d1878b9
SHA1 d352c614d928bd7f289c76f81d5ebd776442aa9f
SHA256 6e9e35e622207f4b1be228d380440ed63710015a5ba75b29b4115edeef2e41dc
SHA512 29552f6a04e79a7828405123b1cb51e0d024f3fc3d2720f8544fba821ec8a2d9fe9de1cba26851f4e15e5227ce4d000544ea00301a53822928bc225ff6ace4b5

C:\Users\Admin\AppData\Local\Microsoft\Edge\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\Credentials\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\RyukReadMe.html

MD5 b3b2c5565ef72eb13c047661d64689cd
SHA1 5a6e9dd4ab19865b39fc4690b5294998dc61d853
SHA256 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283
SHA512 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

C:\Users\Admin\AppData\Local\IconCache.db.RYK

MD5 741131f72f8b8bcb5d9257646e578582
SHA1 b8a066e84103dfc56dd22d5f91a40fc1fc9553ea
SHA256 8fa1fa85b143f0cab7d925080a0118316c3e9058fa9689ecfdab52c26f1a29bd
SHA512 acdbfa4e61cb1a5994b4516b84ade652055d813f1166f54d5eccdcf203800c8f736b4828a85652732b52717989fb1ce292dc7712d03f7e450c461284e5dac6a6