Analysis Overview
SHA256
84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3
Threat Level: Known bad
The file 84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3 was found to be: Known bad.
Malicious Activity Summary
Ryuk
Deletes shadow copies
Executes dropped EXE
Checks computer location settings
Modifies file permissions
Loads dropped DLL
Adds Run key to start application
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Runs net.exe
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious use of WriteProcessMemory
Interacts with shadow copies
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-20 05:05
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 05:05
Reported
2022-02-20 05:46
Platform
win7-en-20211208
Max time kernel
160s
Max time network
141s
Command Line
Signatures
Ryuk
Deletes shadow copies
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ZNGJIOO.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" |
| C:\Windows\system32\taskhost.exe | "taskhost.exe" |
| C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe | "C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe" |
| C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe | "C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe" 8 LAN |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\*" /grant Everyone:F /T /C /Q |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\*" /grant Everyone:F /T /C /Q |
| C:\Windows\SysWOW64\icacls.exe | icacls "D:\*" /grant Everyone:F /T /C /Q |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\SysWOW64\icacls.exe | icacls "D:\*" /grant Everyone:F /T /C /Q |
| C:\Windows\SysWOW64\cmd.exe | cmd /c "WMIC.exe shadowcopy delet" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c "WMIC.exe shadowcopy delet" |
| C:\Windows\SysWOW64\vssadmin.exe | vssadmin.exe Delete Shadows /all /quiet |
| C:\Windows\SysWOW64\vssadmin.exe | vssadmin.exe Delete Shadows /all /quiet |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe" /f /reg:64 |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\SysWOW64\Wbem\WMIC.exe | WMIC.exe shadowcopy delet |
| C:\Windows\SysWOW64\Wbem\WMIC.exe | WMIC.exe shadowcopy delet |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe" /f /reg:64 |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe" /f /reg:64 |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe" /f /reg:64 |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
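The process list above, read together with the "Adds Run key to start application" and "Interacts with shadow copies" signatures, is the complete Ryuk pre-encryption sequence: stop the samss and audioendpointbuilder services, grant Everyone full control over every file on C: and D: with icacls, delete volume shadow copies through both vssadmin and WMIC (the WMIC command is run with the truncated verb "delet" exactly as shown), and persist through a Run value named "svchos" that points at the dropper in %TEMP%. The Python below is an added detection example, not part of this report or of the sandbox that produced it. It runs regex rules over command lines constructed here from the report's own process list, the way one would run them over Sysmon Event ID 1 or Security 4688 CommandLine fields; the rule names, the "shadow copy deletion plus one more step" correlation, and the Temp-path heuristic are my own choices.

```python
import re
from collections import defaultdict

# Command lines constructed here from the report's process list above
# (exact duplicates dropped). In production these come from Sysmon Event ID 1
# or Security 4688 CommandLine fields; nothing here reads a live system.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe"
RUN_KEY = r'"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"'
EVENTS = [
    r'"C:\Windows\system32\Dwm.exe"',
    r'"taskhost.exe"',
    '"' + SAMPLE + '"',
    r'"C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe" 8 LAN',
    r'"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y',
    r'"C:\Windows\System32\net.exe" stop "samss" /y',
    r'C:\Windows\system32\net1 stop "samss" /y',
    r'icacls "C:\*" /grant Everyone:F /T /C /Q',
    r'icacls "D:\*" /grant Everyone:F /T /C /Q',
    r'cmd /c "WMIC.exe shadowcopy delet"',
    r'WMIC.exe shadowcopy delet',
    r'vssadmin.exe Delete Shadows /all /quiet',
    r'C:\Windows\system32\vssvc.exe',
    r'"C:\Windows\System32\cmd.exe" /C REG ADD ' + RUN_KEY
    + ' /v "svchos" /t REG_SZ /d "' + SAMPLE + '" /f /reg:64',
    r'REG ADD ' + RUN_KEY
    + r' /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe" /f /reg:64',
]

RULES = {
    # vssadmin Delete Shadows, or WMIC shadowcopy delete. Matching the prefix
    # "delet" also catches the truncated spelling this sample actually runs.
    "shadow_copy_deletion": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delet",
        re.I),
    # Recursive (/T) grant of Full control to Everyone on a whole drive root.
    "acl_weakening": re.compile(
        r'icacls\s+"?[a-z]:\\\*"?(?=.*\s/grant\s+everyone:f\b)(?=.*\s/t\b)', re.I),
    # net / net1 stopping the two services this sample stops.
    "service_stop": re.compile(
        r'\bnet1?(?:\.exe)?"?\s+stop\s+"?(?:samss|audioendpointbuilder)\b', re.I),
    # reg add into an HKCU or HKLM ...\CurrentVersion\Run key.
    "run_key_persistence": re.compile(
        r'\breg(?:\.exe)?\s+add\s+"?hk(?:cu|ey_current_user|lm|ey_local_machine)'
        r'\\.*\\currentversion\\run\b', re.I),
}
# Heuristic (my own): a Run value whose /d target lives under %TEMP%.
TEMP_PAYLOAD = re.compile(r'/d\s+"?[^"]*\\appdata\\local\\temp\\', re.I)


def classify(cmdline):
    """Return the set of technique tags one command line triggers."""
    tags = {name for name, rx in RULES.items() if rx.search(cmdline)}
    if "run_key_persistence" in tags and TEMP_PAYLOAD.search(cmdline):
        tags.add("run_key_points_to_temp")
    return tags


def detect(events):
    """Group matching command lines by tag: {tag: [cmdline, ...]}."""
    hits = defaultdict(list)
    for cmd in events:
        for tag in classify(cmd):
            hits[tag].append(cmd)
    return dict(hits)


def ryuk_like(hits):
    """Correlation: shadow-copy deletion plus at least one of the other
    pre-encryption steps on the same host. A lone vssadmin call can be an
    admin cleaning up disk space; the combination is not."""
    others = {"acl_weakening", "service_stop", "run_key_persistence"}
    return "shadow_copy_deletion" in hits and bool(others & set(hits))


if __name__ == "__main__":
    found = detect(EVENTS)
    for tag, cmds in sorted(found.items()):
        print(f"{tag}: {len(cmds)} hit(s)")
    print("ryuk-like sequence:", ryuk_like(found))
```

The rules key on command-line text, so a renamed copy of reg.exe or a direct RegSetValueEx call from the malware would slip past them; pair them with registry-write telemetry on the Run key (Sysmon Event ID 13) and with the "svchos" value name, which is chosen to read like svchost at a glance.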
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.0.1:7 | N/A | udp |
| NL | 154.61.71.13:7 | N/A | udp |
| N/A | 224.0.0.22:7 | N/A | udp |
| N/A | 224.0.0.252:7 | N/A | udp |
| N/A | 239.255.255.250:7 | N/A | udp |
Files
memory/1528-55-0x00000000769D1000-0x00000000769D3000-memory.dmp
\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe
| MD5 | 21256f1e6fef12bb963fff955d5f4531 |
| SHA1 | 45f2ba25a028bb4756e37b810b96a32bb359b339 |
| SHA256 | 84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3 |
| SHA512 | 835b80e9d9db3aac6d670dde804c9caf999dd915086f1b3e037a60b572c6d6c1dc5261ee921851dbf50651be5e2eada75614be34c4e25b30e7dddd731fee1587 |
C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe
| MD5 | 21256f1e6fef12bb963fff955d5f4531 |
| SHA1 | 45f2ba25a028bb4756e37b810b96a32bb359b339 |
| SHA256 | 84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3 |
| SHA512 | 835b80e9d9db3aac6d670dde804c9caf999dd915086f1b3e037a60b572c6d6c1dc5261ee921851dbf50651be5e2eada75614be34c4e25b30e7dddd731fee1587 |
memory/1116-60-0x0000000030000000-0x0000000030170000-memory.dmp
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a
| MD5 | 93a5aadeec082ffc1bca5aa27af70f52 |
| SHA1 | 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31 |
| SHA256 | a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294 |
| SHA512 | df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45 |
C:\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Adobe\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
| MD5 | 732dcb1e802d76e40a1388fae11d2e4f |
| SHA1 | 17066592c389b5b20c7f587c78d71f0a9cb6edf5 |
| SHA256 | ec08a20e3b9cbdc5bce26aa163e225b0e94a0415e468fa092790685f4b516af5 |
| SHA512 | 5aa8083d388b95b62fbb8075bf8305f733d795dd497c987c20c39ff64d804773b76405ec558a617631b9ee2176faf147cf5afee19e7600307381bf3608dbddd2 |
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
| MD5 | 4ebfdeaa6c0cca37959cca483e3123d8 |
| SHA1 | 2bcd5987b2edb56ff3a6ef860af6fb91e585443c |
| SHA256 | 3f0e907eb20a4501459b787c7fa5756d119c6529da9745c1f750b0361d572c97 |
| SHA512 | ed9815dcf93c0ca1e9ee7382919624b5a8a8cfa4eb9214876faf397c783e939d8d9a1b04e6ebf5df41095e4944e3877ff666dc4d23a4d9262714ce1c2492b364 |
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK
| MD5 | 7b3aae5602792542fd5c44490fac61db |
| SHA1 | ef87ea71b8988597c2a4edb3bb484cdef62d5b09 |
| SHA256 | 9b8aabb9393ac19706f42581332df27cc6573baad7c063564df058998d61c22f |
| SHA512 | ef066fd56e7951f52c16adae502916620c81180a5d12930816b06de91b6ea43c219a88ace70b5421a34873c2fc9de967d571a14f83de973eec91dd5b6bd9dfdc |
C:\Users\Admin\AppData\Local\Adobe\Color\ACECache10.lst.RYK
| MD5 | 1cab0f8287dfda4eec296fd36d0bede7 |
| SHA1 | be767d9c6718ab1d0be24138e8aab100d0af4df7 |
| SHA256 | a74d00bb5371da3ecb991d01be2ce4017c1078be2eaacbb97fa246002c236fb9 |
| SHA512 | 16500d637102d0de0d0278ad8ce0aa534b663976453fd2ce4c88182ae18f5f99be06500ff5eb876f919b8423838355f46db5eb0c738f5d18fe3413c80bd1d8ea |
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Microsoft\Credentials\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\IconCache.db.RYK
| MD5 | 8fcfb688caebd63840228ce98386386a |
| SHA1 | e161ee79d1952c3f07f9c8122187996cf8e5bb5c |
| SHA256 | 9301ebff479c679e08d93101c33fd1947bec0ffa665adfe5d349fa3674817d64 |
| SHA512 | b8e0d82ddbc0629c6a3a109d4126535859ad752d4dc704a69b3451058955707487da48c2125bf6efe92476de16667b81e58d8fb12223a44bcb38a25e2a7f5ffa |
C:\Users\Admin\AppData\Local\Google\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Microsoft\Feeds\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK
| MD5 | 5bc6812fd5866b9b063987aa4e8cb5cb |
| SHA1 | 761f8aac1d5eaa88b501a51d75235021c82fb2fe |
| SHA256 | d87a2e2092c99342fc05ebe27707a3ecb75c7ff24a41dc95cb187b840ab5e06d |
| SHA512 | 20e695bdef6471b15008cdf6c90902ab72b695e0f25223273748662cb9d8091590c54e652caba520ac5a9256d9be8f582f401861cf84d0b842bd0877d745f232 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.RYK
| MD5 | 57432725a840ea545febd5d67e1ae422 |
| SHA1 | 5c9c0f3a3799b255b0126ee2e3c09efaeb85439d |
| SHA256 | 9d9eecd7c0671e3dd334d0d0724935210cf48deed4f53665d1a756be959a9ef5 |
| SHA512 | b4e9c2fa8023294090ffb108a420036ba1f65b4ae1201789073ebd08c53dfcbf911f7ede7332edcad9afc31bf409a88629c893173ca7f91f2af4638e7ac42677 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak.RYK
| MD5 | a6fb9b332f0232ac79ea6e66676b7328 |
| SHA1 | 8e46129ba1268097fcbd9e3b96a41db5ab7b8b50 |
| SHA256 | c196d5680f7836a08656aacf116758e094ab13d71038aeb4a52e9d8e8112c7de |
| SHA512 | 08a1002e8234f5188fe0eb849fe03b520299ce0fde0d7ef80f4c92e7cb2dc8fb5b838626f287b3d61a896007328526bb938852170111ab062850ebd410c4c85e |
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb.RYK
| MD5 | 34e2d3ade33e04fe97e1850f6d5bfa68 |
| SHA1 | 6182aa1b67d4a8129891246bf63acbf051009669 |
| SHA256 | 4654c55a1deb34e07d8c51bbf25487c9ec69f527b6e11b98d8ca3a59ceeec3f0 |
| SHA512 | 3a900d7cabfd11ad12c3200a9b032b7dffda72675cbc4a2b7b20e3a04b621aeca3f30f9a169dd6f96dbf64d800df8f95005eaa97a72d7595914e8734405b75f2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Microsoft\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Microsoft\PlayReady\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Microsoft\Office\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat.RYK
| MD5 | bb3504120de6ad0d964bc74aac422563 |
| SHA1 | 8c91b7d57f6b6cb0e01cff54d7306bd74b9f10f2 |
| SHA256 | 701c604195fd2f3eb4a353ca2723833a360d7c19a95d32c9696bc9e87388fcde |
| SHA512 | f72508f8b925eaaa1b6f31a8c73258cbcb144322e83cc8154698fd1011018b9605b3940235f101c223428ace4284d0063fa807b11090514ac3cdf051d4813851 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\edb00001.log.RYK
| MD5 | 3c8329c5a3d0a4ca37f95349b1dff086 |
| SHA1 | a8fa8697730cb8a3e02e11d09061a7a988d68207 |
| SHA256 | d4c66bccbb7bea38321b44a536e09fb092849ce82424babc959f973408013994 |
| SHA512 | e41abf6fdfd13398853f58d3d41b5f0d17156a5b7b597a738885c37286f43a2a52c01723811586446a87521e2938748a80868e391a436f56598f978b7d103064 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.pat.RYK
| MD5 | a462a5c03840b7d96593d7c8b8b03573 |
| SHA1 | 0ed2b4feb883732d3643d578737a60188a3a95dd |
| SHA256 | 6a9bc4f308223d57c96085a41a8aa7c66492e60e2b3c9b219f29fe192cf5d271 |
| SHA512 | 3e2134239afc7f6a325baa766eba54ebe8809d1094766907e176b0709a3136c0601e3d546b0a45f684e7d92a2d5b08b8921c415abc53440baacb6dd4aeaafc08 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\oeold.xml.RYK
| MD5 | 27f12e94741460bde0181cdcebbdf482 |
| SHA1 | 1e818901c60298308052b1884af54850bff5cf0f |
| SHA256 | 25f116980abd5c336967a1d71a2c355c123a723f15213dd85e47411fed81a0a8 |
| SHA512 | d63b453871bdfad16e6da4b20ea48dd7be20c20b73c6af31b17ab37f8db0e7468bccf2e073228f3f9751fd746c42b98c30cc14654736a58b5995e890d9ef978e |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edbres00002.jrs.RYK
| MD5 | 3ff77355a5afc38bef8554b20238322d |
| SHA1 | 076cc0cfbb31db6a747acdc816d5151ddbeeee54 |
| SHA256 | 12da6c33d9fff7fc33ad953bc70b48d912432d5ccf70e2aef56dead1f8a00163 |
| SHA512 | 742c4d80f9ed96a9d3e4e2306c715e0bdf973fa7e5a2fcd1d96ec84e5cbf31ab5ba841cf145062f6e9732742b89ea629c120d7abbf69c567e5da512842fc907f |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edbres00001.jrs.RYK
| MD5 | 90b93ea902c95432036087da3bef216f |
| SHA1 | 93aba524ae987d3788839f5ff024de91ebe361c6 |
| SHA256 | 11d10da318711153ecccfbb542f08af4a99941479327a1471251ba62f03ee55d |
| SHA512 | 89df01cf94708e3e9e073702efde6c36cf55094a7c9dde746f1c10448b79a1772d72ae31ecad15193461a77136b98d037461d1b316f37fd968e970098fd54207 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb00001.log.RYK
| MD5 | 95b12ae3118f58e4b0978b3491360229 |
| SHA1 | a3f201a3d9847ad3a4f93f0eb90b0b718c13b84d |
| SHA256 | ccb1a390166851a55f254b87f884c50a636ca5f9c735c62c72b5a785bee77de8 |
| SHA512 | ac5b731801bdbabfe817538cda85bd46e6174a8d04a3056005a441b76e91e28c7f23dbbd47e92d84eaa0a096d44ef461044017750cdef772ab91c0105ccb7a0c |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log.RYK
| MD5 | c631ab1ebb02209abe42d2957c021113 |
| SHA1 | 5650ead80157763847bc2ad86fe0d90919e14bdd |
| SHA256 | c7a4ba8bffb87b1240db5c963ab96daf3de672ddce7a39dae23e3027b244e70d |
| SHA512 | f37159520000be9fd8984a45bab5072f670f23a77cb02da0d6a70690c4a79fa0525d6d350ffc376cace0cd38996257d03700a1ddb0f5c1b1c0e2815b7f39abfd |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.chk.RYK
| MD5 | 1b6ba687fe69f3d8ca083fd0ba5a8b62 |
| SHA1 | 6bbd06af7443dc79689074ad9c0fdb82bb851866 |
| SHA256 | 72db96d3f9e07d0c6bceab4ae5422b1532e6ceea1d662fbad83db536433751cf |
| SHA512 | 9d33d94960b109f9dab153ad049851f985ec9b038cfd8e082d2751c7ed3f895ca8da687ecc0577c11661d0b4f5c38aeb392e3b3055fed33eaf62e5812729c865 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.MSMessageStore
| MD5 | 59888cde8927e0c3b3d44af2333887fb |
| SHA1 | da3ae66ec6b161ad6a9298a2446d8854cb85e17e |
| SHA256 | 4b5e0d2b400d70656ed53116d5a6c59181fedeebd4146dcae21359aa33a4ac47 |
| SHA512 | 9eb833dbba1711aac45b60de937fde711bea47cdfe6f43dcc37f52422b3bc02690773ffa5f799d9b6dcb8322e2abd4186cffe7f60c197f9037a0eefdb36bc2a6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.htm.RYK
| MD5 | 51241e9e090e3579962709a406a7b499 |
| SHA1 | 5312612a199f8e78088b4efed2208c38a59fa92c |
| SHA256 | fee5dfc69dbef8712467f0ae20509c53af1eac2738734d5d86fa9231f5c83bbd |
| SHA512 | 7321f6eb030d4766dc1c0b77b18295efbc46a4c7d44ee9f3eaa53e36ab40b400ac8f305656da8bbcfcd17c313b602db71190b7e1b1fd45cf974ddcf77459722f |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg.RYK
| MD5 | 9877c39093a36de24e75db223a5d842c |
| SHA1 | 1ab4483ccffc94b740db88e5f9758e8867b1f13b |
| SHA256 | 3319aebe728737b88dcd0c35595022b9821d995e11dca1c12c0fa40bc08698b1 |
| SHA512 | 8aafd79722fdd65bcb39cd2a1641af68fdc77a2382245c49b51daa5beaddf3babd95b8ff9b32cc74efdd9481c03d1428bed9c2debd4c6ed74e00277ff555f3a7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg.RYK
| MD5 | 17edb49a780dcf16ce14626766b6303a |
| SHA1 | 06260c37877c7b134cf23a70b72afd6a28e592f8 |
| SHA256 | c6a7e981c35c995da51b16324de271e314ae3c310df5ce186785c5e5c64019fa |
| SHA512 | 54a9380d3e78f6c9c04915b06105c72ca3f826aee566fe61f370a13d0678fbb56e4f563d57855f1d324ea405461026bbd52e48155510e75c730f6ef9f1ba84d6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg.RYK
| MD5 | f5d1eb411436d7e3b2e2c5c162488642 |
| SHA1 | d5e6fb0c247ac2246e7ec02946ce40c15fc1b70e |
| SHA256 | 068193cb99240e33983ce1d02f878f8b02ba22d089e9b3422e31141fc8caeced |
| SHA512 | 92055aed571ade11da8ce7abe08d691b870d98c0dc811fc66ce910c1a6d53060d7fbb035d7c988199f8b30a33449b3130fe4e06bae5cbe08ba64a7eb8123ad4a |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.htm.RYK
| MD5 | 78c5d431a9ceec3c710c7acb7a982e87 |
| SHA1 | f90e0b942aafa288c4cd2f25a0acad6ff7ab9a74 |
| SHA256 | 930a513e9e0ca6c62b5dc881c91619fbaba42c25c9ec204dc82fdd4c60231d8b |
| SHA512 | dc2a861033676ee7758b5accd9cf39d182d68a3a636df87cc3a7db225d1b718c29879c046feab3e430ec97978c00a2e08deb33e3148b00846348f40c262d61e1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Dotted_Lines.emf.RYK
| MD5 | a8c06dda54aba674523e38aa390ac651 |
| SHA1 | a14a8ac06ec5b69c1edb1cf466dfe861b6a3c4a9 |
| SHA256 | f60c42204a592a43c79465ec62722bf4591b47522ae62a6ea0e86adae87bddc7 |
| SHA512 | 7202d795b8b108b39fb739be0707267eb9997c4ee1bd4e168a23dd6284fb16f0fdbd326d42bd8bc184b4e3bdfca79c5143d34ce6d439d50a84116d628372db16 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Connectivity.gif.RYK
| MD5 | dd287e60771fd1ddffed371264e74fb9 |
| SHA1 | 887d761c4c6491bc6fea11560e00130f5fbc7e96 |
| SHA256 | a621a47acd3e338ae472d524f694f238222494764acf962380993bb1897ab4d7 |
| SHA512 | 324c17ff17cbb209dd7d159a24a33a4b363ef1dbe7f520ae92d277a620d5b3c86a33b86c2c1c35ba5e3baa7831a37aca75bdc4f5ece912b27a906c1e045d6ffe |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Cave_Drawings.gif.RYK
| MD5 | 0176d2a536ce7c4aff105e4e96021147 |
| SHA1 | c02b8bcb91bce404c9c7996cb0b9ebbbcc0cc1f0 |
| SHA256 | a748df34eac153ac804c7d1370f17c339df09b1d4592ff945742bfbbbaa50186 |
| SHA512 | d73f811d5223e920e393b6e54f1955ffb0e84b24614d50e0692aab45d92ad15e8fed54d0b974bb76160b5f2f2ba5b1287333ee35706c7b21481069812eda8f46 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 05:05
Reported
2022-02-20 05:47
Platform
win10v2004-en-20220112
Max time kernel
204s
Max time network
207s
Command Line
Signatures
Ryuk
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | C:\Windows\System32\svchost.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\MusNotifyIcon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\MusNotifyIcon.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.211715" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4112" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4240" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132899859291863226" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "6.250255" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.432897" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe | "C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe" |
| C:\Windows\system32\MusNotifyIcon.exe | %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13 |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p |
| C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe | "C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe" 8 LAN |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\*" /grant Everyone:F /T /C /Q |
| C:\Windows\SysWOW64\icacls.exe | icacls "D:\*" /grant Everyone:F /T /C /Q |
| C:\Windows\SysWOW64\cmd.exe | cmd /c "WMIC.exe shadowcopy delet" |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y |
| C:\Windows\SysWOW64\Wbem\WMIC.exe | WMIC.exe shadowcopy delet |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\*" /grant Everyone:F /T /C /Q |
| C:\Windows\SysWOW64\cmd.exe | cmd /c "WMIC.exe shadowcopy delet" |
| C:\Windows\SysWOW64\icacls.exe | icacls "D:\*" /grant Everyone:F /T /C /Q |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe" /f /reg:64 |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\SysWOW64\Wbem\WMIC.exe | WMIC.exe shadowcopy delet |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe" /f /reg:64 |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe" /f /reg:64 |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe" /f /reg:64 |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | geo.prod.do.dsp.mp.microsoft.com | udp |
| US | 52.184.217.20:443 | geo.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | kv801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | kv801.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | cp801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp |
| N/A | 10.127.0.1:7 | | udp |
| NL | 154.61.71.13:7 | | udp |
| N/A | 224.0.0.22:7 | | udp |
| N/A | 224.0.0.251:7 | | udp |
| N/A | 224.0.0.252:7 | | udp |
| N/A | 239.255.255.250:7 | | udp |
| NL | 184.29.205.60:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp |
| NL | 184.29.205.60:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe
| MD5 | 21256f1e6fef12bb963fff955d5f4531 |
| SHA1 | 45f2ba25a028bb4756e37b810b96a32bb359b339 |
| SHA256 | 84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3 |
| SHA512 | 835b80e9d9db3aac6d670dde804c9caf999dd915086f1b3e037a60b572c6d6c1dc5261ee921851dbf50651be5e2eada75614be34c4e25b30e7dddd731fee1587 |
C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe
| MD5 | 21256f1e6fef12bb963fff955d5f4531 |
| SHA1 | 45f2ba25a028bb4756e37b810b96a32bb359b339 |
| SHA256 | 84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3 |
| SHA512 | 835b80e9d9db3aac6d670dde804c9caf999dd915086f1b3e037a60b572c6d6c1dc5261ee921851dbf50651be5e2eada75614be34c4e25b30e7dddd731fee1587 |
C:\ProgramData\USOShared\Logs\User\NotifyIcon.6a3e1b01-1d47-413e-bced-6904454828e3.1.etl
| MD5 | 07b53b0b91437b8f4ee31fb4c875c751 |
| SHA1 | 4e37041fcfeeaee0bc2e81a6a0a72a231d3ae5a9 |
| SHA256 | 6456c5ea7db0392c123962826d2bb4de0cbfaa2fb748d5a245798b0146987754 |
| SHA512 | 001d4d1522a4c8d1906b858ebbc6391b0d12a1368597df82f2b2731da66f0dd9e7db5899416eac069001ea906196eb102ef368e65094ec284151c5983d8c4d6f |
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2
| MD5 | 93a5aadeec082ffc1bca5aa27af70f52 |
| SHA1 | 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31 |
| SHA256 | a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294 |
| SHA512 | df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45 |
C:\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin.cdp.RYK
| MD5 | 282e965e50c0b7c42aceca9f4e7bbfa9 |
| SHA1 | 73ee08c53e889a3094442e13b8b74ec68c7f3857 |
| SHA256 | 03b028ca841cafa3619dcba663a024cbed79d9d5ba72a7d25aac7569a24d3a16 |
| SHA512 | e05fdc47c91d895e7b2fe5670f1410012105bc68c61d62ca39940c99f67903075bb2ba333246f8bddd3650dc407f43545f674c3c9ce2c091e67596a4f65e9576 |
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USStmp.jtx.RYK
| MD5 | 501142f3d50b33e90eb41970aa669542 |
| SHA1 | d76500886ba12d30db19c46d1311d290c3a0c2d4 |
| SHA256 | f0b75f5b763eaa4376191d0e4e0020b49972556d0d4885e7acb15e065c49e4f7 |
| SHA512 | 2a7f024d60d5ad1611a3332771ef7fc7655df8b823a9c38284f52d1f2477b9427d60dac455aeefbb4b32959a5f3d8f00a2d8d438eb20c6321d5613e17f69dcff |
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USSres00002.jrs.RYK
| MD5 | 50365d291e266c35d90efce26af3a830 |
| SHA1 | e5124f39c797365cc87f29e3881e19c94dec1c93 |
| SHA256 | 3dad868176f0d705706bca9ad65772f61b018d650c028b8e791c816d370499af |
| SHA512 | 0566eb98e328e69a51e5b32bee62dd018e4b570a2a26c06e7af42243c4e9d5c7b86c4e0198850c1ffec094ed26cabd18d80e572b9cd4ca8a88e664ac615f2c98 |
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USSres00001.jrs.RYK
| MD5 | 8787e73fc71957ca6da2b967057d1b1e |
| SHA1 | b17b5baa57389a3fe0c981c54a08b33211c4225f |
| SHA256 | ae6424ef057d199c47162736f9d62366b9f83ec29d2e6b7f7c83bc5695505ed4 |
| SHA512 | cd97815691ecfa0c7da19459e6717d9af44de33d39fab2e05af2dc1ec3660c1756f70d8f95f468bb74346921caf5e632c3a714f27161571deaa9a291e24c4e17 |
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jtx.RYK
| MD5 | a6874daed050c35eb4036abfa137d395 |
| SHA1 | d3f0a09b201dd0f9b5fe8a99ff76b1bb3ec788b3 |
| SHA256 | 1ddbf1623854541a9e88fe087f30b886458b573a49851d0061eeb2bff1eb6e66 |
| SHA512 | d6f10b6918210c86e7f55065eab8a6d197b6008263916e976eee469f8a03abc30f84cc6f0a906f76975fcb7ed6bb23914ab8140d0b69d7c4d9b9ba3bb14122ed |
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jcp.RYK
| MD5 | 63cb8d04f285576497b71b0f5471f999 |
| SHA1 | e479f714bd171811fe39a5089034581dfb9f9c10 |
| SHA256 | 7430aeb4a694def52d37518af04b2b04fb8437d654ac998bd6d4fb7162d4dde8 |
| SHA512 | 1178186a301ffcdb62e3b02914bd6bd4929ae7b7c7ba8eb713e28b7a76a9eef48d8ada99d5ec18a4f4fd5a2c9f64873653b1496fb71fe6ce44a37d099e4bf767 |
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.vol
| MD5 | f5f4b4052de128530fec13ea7bdd710c |
| SHA1 | 365e0ab308e9e7be6d8271f4e93c691582f2b242 |
| SHA256 | 929a18f013b0de56ddc3563b577626f3ffb1cb122b5a17a3388c80e78071316e |
| SHA512 | b01ef88d7180086ecd7936598e43731f5d9f5541b9da0bd02d827d9655547a158a15922f5998f8d2ffb41884025ba317e2ef7dd7c439dec0fd8aa4da968e93fe |
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm.RYK
| MD5 | 14fd16ae52c8ee02a9bd220304e968bf |
| SHA1 | 158a5bdbca3e4b34c434c5fc5951cc3b020305a2 |
| SHA256 | ce7eb2fd52412c41cf558bb282159c9b5cbc622dfdfc36405b067e64c21423a8 |
| SHA512 | e846e63fde343b4abcddc6c253c174acf0fc41ab10d19a356a6282a0ba7bfbdb0f92d56e86bfe1dd2efce02e9f1aeb98db864eb6542e96851a01a2bcb8d521cb |
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Comms\Unistore\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Comms\Unistore\data\temp\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Comms\Unistore\data\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |
| SHA512 | 25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0 |
C:\Users\Admin\AppData\Local\Comms\RyukReadMe.html
| MD5 | b3b2c5565ef72eb13c047661d64689cd |
| SHA1 | 5a6e9dd4ab19865b39fc4690b5294998dc61d853 |
| SHA256 | 61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283 |