Analysis Overview
SHA256
826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec
Threat Level: Known bad
The file 826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec was found to be: Known bad.
Malicious Activity Summary
Ryuk
Suspicious use of NtCreateProcessExOtherParentProcess
Checks computer location settings
Drops desktop.ini file(s)
Program crash
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-20 05:10
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 05:10
Reported
2022-02-20 05:53
Platform
win7-en-20211208
Max time kernel
161s
Max time network
141s
Command Line
Signatures
Ryuk
Drops desktop.ini file(s)
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\taskhost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Users\Admin\AppData\Local\Temp\826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
"C:\Users\Admin\AppData\Local\Temp\826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe"
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
Network
Files
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log
| MD5 | 2faf4337bb8ce001665b27678efbbb02 |
| SHA1 | dc2ede457a1f871a5a17f1fda4fdfc8736178794 |
| SHA256 | ea16864faea2f78002c49da3b4d2ddef81423a82e84beff95177dbc5e4d6224a |
| SHA512 | 249b5c55d9e53956219321339b81c9b04248680f06c11e3a4d1d5d7de7a36934e19258c6145a5278b3b86f72bd3fceb77af6a36ea4c035eba898740dbffc492a |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI1E30.txt
| MD5 | f06cf5d430d930e6caaa03745a3d73e6 |
| SHA1 | 6efbae410ef3d4eacfa0e545fec50a053b6a222b |
| SHA256 | eb98b2ada687f120336c1d93ada4b98aaecc3e7615ca358719d10d54dcdc0cbd |
| SHA512 | e0d0cd91db5ba529ae591d879b66f86adfb31cbe0514095b550c5b41e4d6d245a316f7c851778159dfe2d6040ca066af144293d44b09b275312bfe2ef5654254 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00000.log
| MD5 | 6ad5356254bf9fd200c820a27174b14e |
| SHA1 | d8ed2165769d3938298110b519c50a781cafee86 |
| SHA256 | bbea436f01ab5f792fd198197c8cbe3367ca40832a6b9bdce5b89536dce78693 |
| SHA512 | 1c6ab0edf310bbbead2d735d5921c1d2b8a2a27e5f85b06aceb389f3aa2636a8a3e2673486c817eaae141fbb14277d56c97719b14bf030d06a1d8a2d4e11548e |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log
| MD5 | cc7baefe7415c5936b24e614f5a1202f |
| SHA1 | c3e2526555bc81a59c5343567d5b0906accc9607 |
| SHA256 | 97590fc7de7d21d7d349d3cf413d0aade66fdc3839292f5132718ae338a064ce |
| SHA512 | 1cb723b37ae82dbfb2e08bcb13d2c8bdbeb0bfe5deb5302ae8a1da9b46619fe08a444cab7c1a7288b7c98e7efa906ef61f8dc968e2b0d3fc3410b868f873d035 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini.RYK
| MD5 | e489c3a5f0d17b9ae35676856c9fa7a0 |
| SHA1 | d55598f9567bf912c0e116f6a43bbcda318cccf5 |
| SHA256 | 9a7cef78475081d58c9f40b0a1d64f69a23e9abbc5f72762783f793b690ea355 |
| SHA512 | 3ab5d4a1a084d9543effd7149794174f3e2fe94016da860b0166259b048b98ce481376e210fea2d1c94eaa654796c7025b5baae65de523639bdcedefa69f2c23 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini
| MD5 | 9c026d7d502707acb7e6efe51f19f104 |
| SHA1 | fbd77fce2d5efd097b72b3ec00bb6c1c6060b30e |
| SHA256 | df7a5bd7ed07476f25db9e4e65b86e014e32c5138ce3803ba1807a9dd83b009b |
| SHA512 | 6dd904ab52658565a434b954bbf773fee70a26f6ba33cee50bcb36dbc625f3e43604f2d7aa00e2386330e0e715f7c6876a3ccdaf0abb1be12659c82978e84f4c |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini
| MD5 | a6ab9df3e71726be91f95ad9f8ca20ab |
| SHA1 | 60ce88be3719bc430186af227d6ef4568915bf22 |
| SHA256 | baf6ec8f8b52006b10873b65cb9d48a916acc3f7437151a2d17f01f2a1ffd980 |
| SHA512 | b1995d70d557f132aff2c8c7384610141c89828379b62bc81f4ae32a27b4d347b3abafa4d2f8c2feb5192fef222574ecde4f1384fdd4923ce9768068e4035acf |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini
| MD5 | d5551eaf434e8e41d0d3f07a38b34a6e |
| SHA1 | eab16c6bfa412f4bec5fd776c4c05225332ab95f |
| SHA256 | 263cce4a06561a3caaccc4e4b1b3253453eb6fb4fec6168851cb1f193518d437 |
| SHA512 | 1a58e3ce6128731d6b9e50bd473e808a7bcade7169a26764ee66e600c11cfffb1d8561faf7db986ddbbc1f9c79e0c0a7759c62727285eb6381aa43d4fe5de766 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini
| MD5 | 73e698852dbc216501b58c6b94b70932 |
| SHA1 | 9f4ede591e4fa20d6cab578d8ce43e5b7b88dac6 |
| SHA256 | 89d3eeb56d275dad974b8b34b18d0022f33e9561fd9bda9dcc03e7b7a8701e9f |
| SHA512 | 9e103b296eff1b0ef052a4e5617575609d38d0dc51230467f5155507ed6585974e797233947dfa0277623e8b2688371806117245455441b7163ec77c0be61a4a |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini
| MD5 | f4d52d4a4e4f4baa30bda84a2e6f7894 |
| SHA1 | b3c60fed393fa612471874c14def67e6e9f02403 |
| SHA256 | 836cd82b27467f40511fbdeca7174295b6838241ae7f919acf84c849d039daeb |
| SHA512 | 26b7f06fa875f8110142252431b85ca335deb4aa1155de270fc51057790f3446f7a2f4a0684138a200d37492922c194a2dac0ee0c34114a64ca8ada92924299a |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt
| MD5 | 06a6fb6c8669b4bae93da5f6e6b2f510 |
| SHA1 | 156a40b5be0671a716739a7968f7d4e76a59a170 |
| SHA256 | 4e9dfdbee940576dae538f03173ecf724053a53df394ae4c1c60d3453246c876 |
| SHA512 | 2f923aa93c10950b6c4d40168aa7230ffa68432657a53530f275e3cd907abd9d941fa4ce5c3a020554663fca580f853d2b86554a4727eba1681f001986de448a |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\User\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\LocalMLS_3.wmdb
| MD5 | 54d8b11f40d811e7cd350c75d45ae7d3 |
| SHA1 | c19f8b685ae88de55171bb881a6effae60ddb8f5 |
| SHA256 | 3cbf4102d5fca7d99e0d000651de077764041444bcb051581e9664d8022ecfda |
| SHA512 | 4943fd9daef6f804b2dfa9fb022d3243b4b07b3d0e999d311c44d2ee134cfe8ce587253e7481a988a1de0345f326252f7dab22c3d5fbfc5eed39502b58364166 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.htm
| MD5 | 1b6aa1f0a8f59980a789bfd051dcdf3b |
| SHA1 | 8b572683e61b1cd79bced6283699e2246939dbc4 |
| SHA256 | bdf6ec3b1faf9ada775594479091a27bdda769efd374d7c6bad4014cc91dab83 |
| SHA512 | 20d4c4b6d4f1f7da14c83cb40cc851c8a75134b40a53d61a6164e342cab566fe32517b15764170da94f572b81cd897fe9d79543c8389882781f36dfd944b1f44 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.log
| MD5 | 9939ab72cd3a8bb01a812d9e8bf187f7 |
| SHA1 | 1a5e28062e27bc26323a8affb44b7f182408775f |
| SHA256 | 0dcf546bb9a03e9bec07aeeb6632beb163035f816aa55da361f1c69bb8e7c02a |
| SHA512 | d4f84455445f002a7ce36cd27052ff26a21dc7405ce890920a3cb5d9afede2ad31ebf019a73b249d0c4fb819b873bbf49fd056b81ce4ab333ade19abed961145 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Tiki.gif
| MD5 | 529d947df1021efac988d9ccdf326933 |
| SHA1 | d89288926c07c4fa3217bbca5fb8fe15fe6c7325 |
| SHA256 | 212d2a6cb3ed4c27671551728b2a70a421b0673e918a568471e3a051c5ad0f78 |
| SHA512 | 9e68bc523d3ee32614af92fcb15142e7152f19d29d60394099eec84fd83d7c104185c452ba16bea96aba345751de48b075730e6f63b8e611524d16433af59545 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Stars.htm
| MD5 | 4bdc46caaff5e81c5c6e3e7e61048bd6 |
| SHA1 | 8aaaa8ebc821d34821193ca5f8736f2939b225b7 |
| SHA256 | 05d7d059740a2cbb2fea610d6f11a6dab90bdf4c33a78eae66acd5951e6b0b9f |
| SHA512 | f397e20773597aeaf2ebf8abefa141f49446c327d7289fd654bede6cb104372980715b9c665c92229ec9d8862cbf8e28277c9f7e0f3d7b64152aeaf43c4181ac |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Roses.htm
| MD5 | ed933b04c12b450a190f9183d5ddda2c |
| SHA1 | ab08e4700a75dc080be7df0bdf7b891a8b0d05ad |
| SHA256 | 1d34be6f9b03bcb639a9c20240f963704c4ed43790ba8af8522a7f634245f7a8 |
| SHA512 | bc50349a15a3b5ec4e94cca2a560586b51cc12be7b2006c3fc3d11440817d8f4b98affb734c0c48cdc2e4ecd1786edc257cd173f90a88d337d4aa2b4c3d9a228 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.jpg
| MD5 | 36d05e801037e69a8f4a839b09f09251 |
| SHA1 | 58f0b14feae1b833d568c50d7f94277efa99fc60 |
| SHA256 | 2c906c4068e1e87a9996d355ef0dfa652ba1aa4bccaac273e0ac779842df5d4e |
| SHA512 | f9e4f24748f647d8d6d12ed6066c6c65b76e9d41ab0b1970878c8334236da2a38d60543b62fc9401e25ec3fb95bc3660326b30c287c433c58ad95db67e327552 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Music.emf
| MD5 | 856e6d107f3670a93463faee20bdd8c1 |
| SHA1 | 3a0eadbfe20b351da77f3497c2de89dbf68fec02 |
| SHA256 | af77850e8cac43d1d396fff07ccb58bab29f7bc3e5ebe90b4e8b8dcfba9d1cbb |
| SHA512 | d00347fc99abf7c6ea4be6420145c98708460f869f061f0308a2585397981ca83b6eb481fdab0f0dc463e57df96cfd86f45b97b8e711cddb9810d0187a083a6e |
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 05:10
Reported
2022-02-20 05:53
Platform
win10v2004-en-20220112
Max time kernel
188s
Max time network
195s
Command Line
Signatures
Ryuk
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 5052 created 2740 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\DllHost.exe |
| PID 4812 created 2916 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Documents and Settings\Admin\3D Objects\desktop.ini | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini | C:\Windows\system32\sihost.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\DllHost.exe |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\DllHost.exe |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\sihost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
"C:\Users\Admin\AppData\Local\Temp\826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2740 -s 956
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 2740 -ip 2740
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 2916 -ip 2916
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2740 -s 956
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2916 -s 2232
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
Network
| Country | Destination | Domain | Proto |
| US | 72.21.91.29:80 | | tcp |
| NL | 92.123.77.73:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 204.79.197.200:443 | | tcp |
Files
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
| MD5 | 5188bae5e2a45e1ccd7619eff7ee2704 |
| SHA1 | fd15b1f728ca97d81ada5795467fdafd121ff4cc |
| SHA256 | c32f85d974985e537b6519f826b63e3fd3995aaedf92a67d053793707152ef79 |
| SHA512 | c0c81a2c1ef7f5b2b809c95fe0e4847181153d4c719099b3ed6f12ec0d1c05492097d72e6ec7aad30481a5d246d20a097a0520b5aaf28c108247dc88aef61bf3 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
| MD5 | 5e9966fbe1554faa2ebae56ddc83ea4d |
| SHA1 | d021d44b282e5a31644796db5c8c4ec552777d06 |
| SHA256 | abb49d3f89c9c9ddab4ec9cae1bcbe272a764cd1d61e874b8b91af5eafd12b59 |
| SHA512 | 4e7122ac2487035ed0a4322c8648efab9856c80c0c61525ee0b6386f9345a38e19da5658c802e1de43f8546ca025ba9284a21a82c8adbd10cc06148cca83ae12 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK
| MD5 | 1ecebd7654e49633403c240c56af0897 |
| SHA1 | 20abf7540316ed5142e73b87c7da0e209968c402 |
| SHA256 | 5bf8b2a17a63866690f52fdd2b6bbd78d4f7335c5e44e8a9ca4a12feaa97330c |
| SHA512 | 87b656b1138a5dcdb4bb2d3e4f959543fb3f7a1ef59d4bad9fab7cd2c6e221f0af86cfc9036af57ee7570135ffd33b6104330b44d377052831a2db7e03dbe3d0 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK
| MD5 | 0147032e3dd3b9455b0a93d8465b64c6 |
| SHA1 | c847455f7076e1544da1292cb23e0eb4fd923727 |
| SHA256 | a6b8c62baac925929905b89dde61314f88ef0c68999e1ead30c6cdf273b1c4a4 |
| SHA512 | e55a904d44e6f0755eaef6d924f35150431d643022b3da3aa6c2375f6dbdc9fe7c57a280ed052eb82c2c1c602334f7e265330d87faa65e516cdb42d70a69a3da |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\3D Objects\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm
| MD5 | f675beaa19801ecb68bf051318b5f7fa |
| SHA1 | 16cd411269a81ec26afee928663a4a127812682b |
| SHA256 | 50d93a2aa98f2d22aff2acb45d35ad8888e9b4e73b25d580592cbb007827087e |
| SHA512 | 78a7b12c5ce8d7e55f037dfff8e78f2b5c2bce373088f9789fd85805f22374a7d48edae8a5c35e532a266b6e99bbdefa585179d1df1bf09a777175aef4ecff6d |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx
| MD5 | 1f6d355bb2b3b2c705327d0199389939 |
| SHA1 | 2ec60b1bade250071c70db6521d44eabeaa00eda |
| SHA256 | 88834b4be23d8bb9ae26d159aa1b049fe1e5f1eb73c49e9890ec3989732cae83 |
| SHA512 | 722e44ddff95c9837b82ac4f6a985fdfbcbc5f96817b025f01c646c90908dacd954cc93baaf6a03cf3b1b6fc99c1f3f7afc2495bf5bb4b5dc481b8dc921288e3 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx
| MD5 | 1f6d355bb2b3b2c705327d0199389939 |
| SHA1 | 2ec60b1bade250071c70db6521d44eabeaa00eda |
| SHA256 | 88834b4be23d8bb9ae26d159aa1b049fe1e5f1eb73c49e9890ec3989732cae83 |
| SHA512 | 722e44ddff95c9837b82ac4f6a985fdfbcbc5f96817b025f01c646c90908dacd954cc93baaf6a03cf3b1b6fc99c1f3f7afc2495bf5bb4b5dc481b8dc921288e3 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db.RYK
| MD5 | c82a56123569048923076dde033bbcc0 |
| SHA1 | 647753a559c245f9e7eee4228cd7d534fa72b3ff |
| SHA256 | bf309736c8c63bd6523d319eb0d18e29b313f6687d62fa7e364b5686c908d4b2 |
| SHA512 | 97b1df13bec289255d690e9cb5b86cf931e0abaacd773f69e5afb0c61f593d2ee714321ed0421ab4f04c5684cf225f6d9153cf27cd203cd08a6d144e70c154ac |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK
| MD5 | c5394156f64e264c6ad117b9c8059fa1 |
| SHA1 | b12f91b3d1d422617a7e884c22ffcb368d148313 |
| SHA256 | 7a5774168433ed9723d36e044afbd5f4a5abe2409df4372a2d0b1b05ca0f2ba8 |
| SHA512 | 91ab7fcd12c25dfcf979a21f043e75bd896600e543b4abd6ef0be971acd646e40613c821dcc55ffa1ad18469be33d4df80f27be2b0e0b57f2048230e52fcf658 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jcp
| MD5 | 8fb742b44bba9e543fb90b2dafc47a2e |
| SHA1 | 4b48f6bc6ef96d7b760f3e3d04f9d60dda9ec88d |
| SHA256 | c31777ea19deae32dad51bb24a8f847bef7434e39fc3760712938c0d35b82715 |
| SHA512 | 6245dea88d88e6bee14d3e0e0f8078cc4b3182f38947aef1eeb613ef3d098ad52dce371a0090e70ac9efb8baaeff86e4c0535a46f14321ab8610a4b6d0a471f5 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol
| MD5 | 107e0cf59402e4c4831f5ca6f8ef79e0 |
| SHA1 | 5bc2eee34589024d5418539e2fcbb9867ed1ca89 |
| SHA256 | e017f373ba1fb4b06ea093911e310c9544ba7b5df2968f2562471a64e80e8462 |
| SHA512 | 58e97bb717c742f283302816686f373194d9cd9f47cb1afb602351850ac5fea977c769bb31b1e2fd754896991c200632d5743b343620adb1cc7c6785fe31720d |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
| MD5 | 8f1a51ea79c00599e4f6c5bf48219521 |
| SHA1 | 62c972c2d87f8fc0a7b79c59df68793d0f63b059 |
| SHA256 | deb114d7fc088f0e267171d4a5b8525c1da2947a5d21294ee84ef8b0af2de0a8 |
| SHA512 | e0a39498a1306a873630a7b6c4d26ad3f26524012480ab3932aaedefba216aaeae2d3d82afe4d6f19ac9eeb38cdc69bfc3f3984ac77895d44a94ade70fa3c15f |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\aria-debug-2324.log
| MD5 | 5852af7c5bc41108ed8b6534bda7e4d9 |
| SHA1 | b140e56400dd6912455a0a6318e9266485fdf55f |
| SHA256 | cd84d1075db719aea984703cf537ab696363650d073ed9e21b38113ba99c5ec0 |
| SHA512 | 7af481bdf0396ee85ae07f861f2d0c89ee653b293219cb0b2c9a01fed9bea4c392fab894bdd1a39fbac5ad307bc279489e26cf8c65351cf20a906cd6f7c41d67 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\temp\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct2BC9.tmp
| MD5 | 9745e066c680a8f9f17ee33e869e336f |
| SHA1 | 8261e0ca7d7b2aaa57c0da13d6321ac7750b1901 |
| SHA256 | f567ae97e31b43cdcad9829c5127275fc8c4a16b4cd7cf872ee0cbaa04906308 |
| SHA512 | 63f244a7f274b44443142dd7f65dbe65cb90616b25f273f7792aeebf4d69ec920f559de04486cf112795d6e64a8c431987ee51914500a589194cf79e3512017a |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct2D5A.tmp
| MD5 | 2912d123566710369457377704eafd25 |
| SHA1 | e77cad1e47f1c3c4e10946e2b1996028185aa1ad |
| SHA256 | 3f0058f4ef55b7599974e7460b87adff6adf077566bf60df2cac56ee5acc28e9 |
| SHA512 | 5e25fec254428ac1afbf242be666c0d6c7ea5ad50d00ef27a50e9b33a45e27a62023795f11fedf8a5af140047a3a3237577a381055936754340eeeee14c871bf |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\msedge_installer.log
| MD5 | d1f5945eca4ca2a156ec92a72273b116 |
| SHA1 | 719a657080a93b849acf0154b97963f0722cc409 |
| SHA256 | 9a899d7a8fc8ff258b0dd51e75d8390df72b2cff6f8256039c86784117751ab9 |
| SHA512 | 26d08d8de5750a1e114ddb8b4fd53dfc7390fee02981c6697c2739db92e053c83133c27746c67eeafdbb5dbbc8dd3ebff41bc16e0fea1deeb214f204070f8655 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46E0.txt
| MD5 | 3ab179521f87a702ad92481945bfe1ba |
| SHA1 | aa5b517d0bddafb1d4994e6c094cac25e8c658db |
| SHA256 | 0e7fdd9a788533c3c9d944da46b848675d9b6776e7b4d9dffab66a2f53c35e60 |
| SHA512 | 4ec813e970fb16c5e5268c42e06b0b11fded39c8b853e4d7b8f6297173b521623c38c0ac4df2d6667075315fadd043fa9ab56b10680cde5f9fb108b13c5bb80c |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46A8.txt
| MD5 | 59e83590df32ceccde4b341211d1698e |
| SHA1 | f8295b33993dfd8402cbcde72d163b75334082b2 |
| SHA256 | beaeea45a839ab0c0b6f19bcfe45e930fc405e4eb481aad849078e0d6ea2226e |
| SHA512 | 0a05a9145ce5cf462c35ee44624fd1124904b9874a3e19aa181f62851ac53c31bf13551504c6a66f856d9eb73d5b174be0987904338e8aa0b401d61c62aa57fb |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\offline.session64
| MD5 | c3f4dfca836b2165838aecc45f6b9525 |
| SHA1 | 55d78b960c87cd701b5e82eb28805da75225b612 |
| SHA256 | c3fd2be60d2b0cc82f3a355f2a04ee59c50c59aa8457272c5cdedf4b57acc967 |
| SHA512 | d879955524591aeb16946f9b58d0eb84561a9df539e627bcee0227355cf2fdc0e60a3706f56ba4ec8af36595124920c3faa9efc94a6f422d7fbbf9624baa40ff |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log
| MD5 | 538079581aefa784ffa34021c1b0ef2f |
| SHA1 | 780372da8194c6dfc3f48b670eb4749751d5cbb5 |
| SHA256 | c13e85cfd3018a9c06ae58e2e867aff55ca5ae91ffcfa2349733b328f72a4b8b |
| SHA512 | 92eb16a334f6bb1526e148d6e89fa7f48fd1fd9960816da8b9d1f39650dbedff2a6a71f495c6820c389f6b42bafe2788c88fdf75c79894a00a344eaf56db16f2 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\offline
| MD5 | 6ef410cc9ebb63f76eb242183c7a27c0 |
| SHA1 | 10e74582af99be34d3ce817cff474d9543ada1c7 |
| SHA256 | e3717bbba6a0fc3d54ed3b416ebcbce0daad5becb1bf50d908e6e6d1dd50fe86 |
| SHA512 | 7bcf466560d48dca904a041cff16addfe21827756c966bc0e2f62d45b6b3ae04586129db064e21ed8f5485c82378f64ddc93d1e6bf9296e311fa2f3c4501e0ee |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\History.IE5\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log
| MD5 | 0c00843540eda78e3d7102870606a71f |
| SHA1 | 98baceb03bd459786430a13e7f563071e63bdebd |
| SHA256 | 38bec57933a73ad63761958072a8c31d90a1c3abb566ad0fcf32c945f44bbfc6 |
| SHA512 | e52bcfca5d710548e5b97a26b7317bf1582bf0f0fde915f99a497d22c49e7dae621936e208c0688fab74f95e6018e2bc58ad8db7d0bd1bedc7812fbbab5de0ef |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tmp3097.tmp
| MD5 | 7cc4fc6f4b904f3271625b9d825761b9 |
| SHA1 | f3358e6fef0596757aa2b80a424d8a677aa23370 |
| SHA256 | e538a807cc1a6bdabe3efc401ea18aaf3a7459ff6e3902adf9ffec2253ba60d0 |
| SHA512 | c049aa89aa063e6b04f0ba7ba05e4d58fb7891fe30653e69730bad06f330755b4098ec6fdb3525271d1624a4d9f4923ae8a45b2003db081d434e493f9e30ce3e |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tmp3384.tmp
| MD5 | d07cbd813ed53e94169f648524026432 |
| SHA1 | 8c0b7cda5b156dd4bd7b373ba35f214fb9001e80 |
| SHA256 | 8e2f372b04242d2e980e5bacfb89e1685189ff728d6d3618ac95046ba51bbda3 |
| SHA512 | de9d98398e73bead7ddcd2ff803d899e91859e2baa36c40cc5686b1fb2a31659f7d5b8b8f964287d6478f5beeba78bfae04abf847805ab8fa0169043599dc666 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\UsageLogs\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\af-ZA\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\RyukReadMe.txt
| MD5 | cb5d95f637eca2e4b1569e7bffb089b2 |
| SHA1 | bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a |
| SHA256 | dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb |
| SHA512 | a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831 |