Malware Analysis Report

2024-10-23 18:35

Sample ID 220220-g6z9xaheh4
Target 66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe
SHA256 66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe
Tags ryuk ransomware
Score 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V6
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe

Threat Level: Known bad

The file 66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe was found to be: Known bad.

Malicious Activity Summary

ryuk ransomware

Suspicious use of NtCreateProcessExOtherParentProcess

Ryuk

Checks computer location settings

Drops desktop.ini file(s)

Program crash

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks processor information in registry

Enumerates system info in registry

Runs net.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-02-20 06:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-02-20 06:25
Reported 2022-02-20 07:00
Platform win7-en-20211208
Max time kernel 171s
Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe"

Signatures

Ryuk

ransomware ryuk

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Documents and Settings\Admin\SendTo\Desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Contacts\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Favorites\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Documents\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Saved Games\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Documents\My Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Searches\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Recent\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Start Menu\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\SendTo\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Links\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Downloads\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Desktop\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Maintenance\Desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini | C:\Windows\system32\taskhost.exe | N/A

Enumerates physical storage devices

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\taskhost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1304 wrote to memory of 1108 | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | C:\Windows\system32\taskhost.exe
PID 1304 wrote to memory of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | C:\Windows\system32\Dwm.exe
PID 1304 wrote to memory of 572 | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | C:\Windows\System32\net.exe
PID 1304 wrote to memory of 572 | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | C:\Windows\System32\net.exe
PID 1304 wrote to memory of 572 | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | C:\Windows\System32\net.exe
PID 1304 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | C:\Windows\System32\net.exe
PID 1304 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | C:\Windows\System32\net.exe
PID 1304 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | C:\Windows\System32\net.exe
PID 572 wrote to memory of 556 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 572 wrote to memory of 556 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 572 wrote to memory of 556 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1488 wrote to memory of 324 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1488 wrote to memory of 324 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1488 wrote to memory of 324 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1304 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | C:\Windows\System32\net.exe
PID 1304 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | C:\Windows\System32\net.exe
PID 1304 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | C:\Windows\System32\net.exe
PID 1924 wrote to memory of 1804 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1924 wrote to memory of 1804 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1924 wrote to memory of 1804 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1108 wrote to memory of 1100 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\System32\net.exe
PID 1108 wrote to memory of 1100 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\System32\net.exe
PID 1108 wrote to memory of 1100 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\System32\net.exe
PID 1100 wrote to memory of 732 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1100 wrote to memory of 732 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1100 wrote to memory of 732 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1304 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | C:\Windows\System32\net.exe
PID 1304 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | C:\Windows\System32\net.exe
PID 1304 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | C:\Windows\System32\net.exe
PID 1680 wrote to memory of 1336 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1680 wrote to memory of 1336 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1680 wrote to memory of 1336 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1108 wrote to memory of 1640 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\System32\net.exe
PID 1108 wrote to memory of 1640 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\System32\net.exe
PID 1108 wrote to memory of 1640 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\System32\net.exe
PID 1640 wrote to memory of 1752 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1640 wrote to memory of 1752 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1640 wrote to memory of 1752 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1304 wrote to memory of 5780 | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | C:\Windows\System32\net.exe
PID 1304 wrote to memory of 5780 | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | C:\Windows\System32\net.exe
PID 1304 wrote to memory of 5780 | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | C:\Windows\System32\net.exe
PID 5780 wrote to memory of 5804 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 5780 wrote to memory of 5804 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 5780 wrote to memory of 5804 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1304 wrote to memory of 6220 | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | C:\Windows\System32\net.exe
PID 1304 wrote to memory of 6220 | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | C:\Windows\System32\net.exe
PID 1304 wrote to memory of 6220 | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | C:\Windows\System32\net.exe
PID 1108 wrote to memory of 6248 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\System32\net.exe
PID 1108 wrote to memory of 6248 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\System32\net.exe
PID 1108 wrote to memory of 6248 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\System32\net.exe
PID 6220 wrote to memory of 6256 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 6220 wrote to memory of 6256 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 6220 wrote to memory of 6256 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 6248 wrote to memory of 6280 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 6248 wrote to memory of 6280 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 6248 wrote to memory of 6280 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1304 wrote to memory of 17048 | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | C:\Windows\System32\net.exe
PID 1304 wrote to memory of 17048 | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | C:\Windows\System32\net.exe
PID 1304 wrote to memory of 17048 | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | C:\Windows\System32\net.exe
PID 17048 wrote to memory of 17072 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 17048 wrote to memory of 17072 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 17048 wrote to memory of 17072 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1304 wrote to memory of 17108 | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | C:\Windows\System32\net.exe
PID 1304 wrote to memory of 17108 | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | C:\Windows\System32\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe

"C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

Network

N/A

Files

memory/1304-56-0x000007FEFBD21000-0x000007FEFBD23000-memory.dmp

memory/1108-55-0x000000013FAE0000-0x000000013FDBA000-memory.dmp

memory/1108-57-0x000000013FAE0000-0x000000013FDBA000-memory.dmp

memory/1172-59-0x000000013FAE0000-0x000000013FDBA000-memory.dmp

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a

MD5 93a5aadeec082ffc1bca5aa27af70f52
SHA1 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256 a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SHA512 df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

C:\RyukReadMe.html

MD5 d9fe6793afc43f7c749d83875e83016a
SHA1 30f5fc315a83b5045215745e05055edb07652a8f
SHA256 8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f
SHA512 7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-20 06:25

Reported

2022-02-20 07:00

Platform

win10v2004-en-20220112

Max time kernel

175s

Max time network

189s

Command Line

C:\Windows\system32\svchost.exe -k UnistackSvcGroup

Signatures

Ryuk

ransomware ryuk

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Documents and Settings\Admin\3D Objects\desktop.ini | C:\Windows\system32\sihost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini | C:\Windows\system32\sihost.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
N/A | N/A | C:\Windows\system32\sihost.exe | N/A
N/A | N/A | C:\Windows\system32\sihost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
N/A | N/A | C:\Windows\system32\sihost.exe | N/A
N/A | N/A | C:\Windows\system32\sihost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
N/A | N/A | C:\Windows\system32\WerFault.exe | N/A
N/A | N/A | C:\Windows\system32\WerFault.exe | N/A
N/A | N/A | C:\Windows\system32\WerFault.exe | N/A
N/A | N/A | C:\Windows\system32\WerFault.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
N/A | N/A | C:\Windows\system32\sihost.exe | N/A
N/A | N/A | C:\Windows\system32\sihost.exe | N/A
N/A | N/A | C:\Windows\system32\WerFault.exe | N/A
N/A | N/A | C:\Windows\system32\WerFault.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1316 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe C:\Windows\system32\sihost.exe
PID 1316 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe C:\Windows\system32\svchost.exe
PID 1316 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe C:\Windows\system32\taskhostw.exe
PID 1316 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe C:\Windows\system32\svchost.exe
PID 1316 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe C:\Windows\system32\DllHost.exe
PID 1316 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1316 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe C:\Windows\System32\RuntimeBroker.exe
PID 1316 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1316 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe C:\Windows\System32\RuntimeBroker.exe
PID 1316 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe C:\Windows\System32\RuntimeBroker.exe
PID 1316 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe C:\Windows\System32\RuntimeBroker.exe
PID 1316 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1316 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1316 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe C:\Windows\System32\net.exe
PID 1316 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe C:\Windows\System32\net.exe
PID 1316 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe C:\Windows\System32\net.exe
PID 1316 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe C:\Windows\System32\net.exe
PID 2216 wrote to memory of 2476 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2216 wrote to memory of 2476 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2216 wrote to memory of 2640 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2216 wrote to memory of 2640 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2476 wrote to memory of 1248 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2476 wrote to memory of 1248 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 3204 wrote to memory of 496 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 3204 wrote to memory of 496 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 660 wrote to memory of 2168 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 660 wrote to memory of 2168 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2640 wrote to memory of 3400 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2640 wrote to memory of 3400 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1316 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe C:\Windows\System32\net.exe
PID 1316 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe C:\Windows\System32\net.exe
PID 1316 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe C:\Windows\System32\net.exe
PID 1316 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe C:\Windows\System32\net.exe
PID 5060 wrote to memory of 1232 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5060 wrote to memory of 1232 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5080 wrote to memory of 4472 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5080 wrote to memory of 4472 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2720 wrote to memory of 5088 N/A C:\Windows\system32\DllHost.exe C:\Windows\system32\WerFault.exe
PID 2720 wrote to memory of 5088 N/A C:\Windows\system32\DllHost.exe C:\Windows\system32\WerFault.exe
PID 1316 wrote to memory of 5800 N/A C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe C:\Windows\System32\net.exe
PID 1316 wrote to memory of 5800 N/A C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe C:\Windows\System32\net.exe
PID 1316 wrote to memory of 5812 N/A C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe C:\Windows\System32\net.exe
PID 1316 wrote to memory of 5812 N/A C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe C:\Windows\System32\net.exe
PID 2216 wrote to memory of 5828 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2216 wrote to memory of 5828 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2216 wrote to memory of 5840 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2216 wrote to memory of 5840 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 4412 wrote to memory of 3448 N/A C:\Windows\system32\WerFault.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4412 wrote to memory of 3448 N/A C:\Windows\system32\WerFault.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3148 wrote to memory of 2908 N/A C:\Windows\system32\WerFault.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3148 wrote to memory of 2908 N/A C:\Windows\system32\WerFault.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3524 wrote to memory of 2720 N/A C:\Windows\system32\WerFault.exe C:\Windows\system32\DllHost.exe
PID 3524 wrote to memory of 2720 N/A C:\Windows\system32\WerFault.exe C:\Windows\system32\DllHost.exe
PID 5828 wrote to memory of 6020 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5828 wrote to memory of 6020 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5840 wrote to memory of 6084 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5840 wrote to memory of 6084 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5812 wrote to memory of 6100 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5812 wrote to memory of 6100 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5800 wrote to memory of 6108 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5800 wrote to memory of 6108 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1316 wrote to memory of 5360 N/A C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe C:\Windows\System32\net.exe
PID 1316 wrote to memory of 5360 N/A C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe C:\Windows\System32\net.exe
PID 5360 wrote to memory of 5416 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe

"C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe"

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 368 -p 2720 -ip 2720

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 484 -p 2908 -ip 2908

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 520 -p 3448 -ip 3448

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2720 -s 1008

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3448 -s 2428

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2908 -s 1388

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2720 -s 1008

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

Network

Country Destination Domain Proto
NL 92.123.77.56:80 tcp
NL 92.123.77.56:80 tcp
NL 8.248.7.254:80 tcp
NL 8.248.7.254:80 tcp
US 72.21.91.29:80 tcp
US 72.21.91.29:80 tcp

Files

memory/2216-130-0x00007FF6C1B00000-0x00007FF6C1DDA000-memory.dmp

memory/2236-131-0x00007FF6C1B00000-0x00007FF6C1DDA000-memory.dmp

memory/3448-132-0x00007FF6C1B00000-0x00007FF6C1DDA000-memory.dmp

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2

MD5 93a5aadeec082ffc1bca5aa27af70f52
SHA1 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256 a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SHA512 df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

MD5 d9fe6793afc43f7c749d83875e83016a
SHA1 30f5fc315a83b5045215745e05055edb07652a8f
SHA256 8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f
SHA512 7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.html

MD5 d9fe6793afc43f7c749d83875e83016a
SHA1 30f5fc315a83b5045215745e05055edb07652a8f
SHA256 8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f
SHA512 7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html

MD5 d9fe6793afc43f7c749d83875e83016a
SHA1 30f5fc315a83b5045215745e05055edb07652a8f
SHA256 8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f
SHA512 7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK

MD5 cccca091135fb9d254c1f219516820cc
SHA1 6ce7accf9d967ae2779d0bf059cacae9d8d06215
SHA256 26099f5ee175dc32b4b15a487a448513e05decb6d4c84add62c2ae5e4f9c6d72
SHA512 86f1e412e1698ab08b1fd1f3b443f8e5155df2b73e36372a9ac0c42266260c2039f0f719917844c55da79510a0903cf31607c69039f338fcc28aa765fcd83abc

C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html

MD5 d9fe6793afc43f7c749d83875e83016a
SHA1 30f5fc315a83b5045215745e05055edb07652a8f
SHA256 8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f
SHA512 7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

C:\Documents and Settings\Admin\AppData\RyukReadMe.html

MD5 d9fe6793afc43f7c749d83875e83016a
SHA1 30f5fc315a83b5045215745e05055edb07652a8f
SHA256 8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f
SHA512 7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

C:\Documents and Settings\Admin\3D Objects\RyukReadMe.html

MD5 d9fe6793afc43f7c749d83875e83016a
SHA1 30f5fc315a83b5045215745e05055edb07652a8f
SHA256 8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f
SHA512 7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

C:\Documents and Settings\Admin\.oracle_jre_usage\RyukReadMe.html

MD5 d9fe6793afc43f7c749d83875e83016a
SHA1 30f5fc315a83b5045215745e05055edb07652a8f
SHA256 8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f
SHA512 7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

C:\Documents and Settings\Admin\RyukReadMe.html

MD5 d9fe6793afc43f7c749d83875e83016a
SHA1 30f5fc315a83b5045215745e05055edb07652a8f
SHA256 8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f
SHA512 7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

C:\Documents and Settings\RyukReadMe.html

MD5 d9fe6793afc43f7c749d83875e83016a
SHA1 30f5fc315a83b5045215745e05055edb07652a8f
SHA256 8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f
SHA512 7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

C:\RyukReadMe.html

MD5 d9fe6793afc43f7c749d83875e83016a
SHA1 30f5fc315a83b5045215745e05055edb07652a8f
SHA256 8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f
SHA512 7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

MD5 d9fe6793afc43f7c749d83875e83016a
SHA1 30f5fc315a83b5045215745e05055edb07652a8f
SHA256 8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f
SHA512 7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

MD5 d9fe6793afc43f7c749d83875e83016a
SHA1 30f5fc315a83b5045215745e05055edb07652a8f
SHA256 8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f
SHA512 7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

MD5 2b1efa692f0b95b2f56cdb37b34a4faf
SHA1 147b714fa301c9160582b1d2ed29665fd41c6a2e
SHA256 4510c1934f9b88130df0c619221e353928aacfd1364ff1ab75fcd73e4f33146c
SHA512 515eac51c97f6ba634d9436095d9fe485840cbb74152001f68f262513352ec6cbd152afed86752d3ae2f705f8ec3f3e0023c07d67fa0e7c1424ca5e1a2d85572

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

MD5 33b8055b761dedbea9185240956baaa5
SHA1 71c4bfcf5a2edb1bb2f909c076f090666a68fd48
SHA256 0465d0d94a30b0225c7a9853f0c26bfde50d63bac7413b21810c596555614518
SHA512 3cddefb2bb2d9cd7608dc765fa4fb6258c236319124346b54f6a2d616eac304142589453112e4126c2a2ae45264df851b8da487fcaf85c53e052ac6516be6b05

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK

MD5 c5378255b653c667c7fa0817d9bc1b4d
SHA1 075f161f7b72efff8f6abbdd6e6b2b263a1b592c
SHA256 0892deb9052bb28ed12610d3263be15b57605331463c07b8c05d06aca4de04d4
SHA512 227d581b26e2bf2f3025a7cb95d3781618d8de1a310de539a9991eb131ba45a30bbdd36ac33f171f1e22235b66bfc83aa71ff8fa7bbfb0910334d5e38a9bc0c7

C:\Documents and Settings\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK

MD5 f161e2eb50c37c88db9e43c8ed4c2a7d
SHA1 c490b3bef75e96bae0849033ae594c9b9ece165c
SHA256 a69110248329183b4039e6af14bb53c26e209b546125cfd16c2cd56606a814a7
SHA512 9d46188cfad1d2d8d8837c294e135b94a6a1ff43e9980276e0cc1f791ebfcb30fe95a27017cb9ad4fa737eb81beff1f80e5702479467738962c4ab6cb978a781

C:\Documents and Settings\Admin\3D Objects\desktop.ini.RYK

MD5 dec16631fff1165ed8e6e13532c0f595
SHA1 e22173ccc5f3414e40af7a274d680e16512bee0b
SHA256 ce6873d7e990ad914797a689107c6d50d10cb3459e52e3e24cae81cc1f54046d
SHA512 144c0a54e08e522af78405f1e1005bb37f662ff2aa06060a0e1790f93b3777eae299c04c80054f6475a65db21c9e604f7345e97fee627726033129edd497c450

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK

MD5 dadf65d67d0e1a2b773a11e3db3ea606
SHA1 cd80a96bb5b1c631928ccd157083d66ad696cf5a
SHA256 68dbf7c7e7cd05c91d0fd19c4c6bd4a8475c4a22f42171d65651591662ba90ce
SHA512 00675f1330e3a17a3aae11c5642d4eb5d6ba0663fa3790521e8e4d97cd0ee8d955d0e6e3704fdc24d5fc331c42adef729e884965d3a0676cb6639c53f409726e

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.html

MD5 d9fe6793afc43f7c749d83875e83016a
SHA1 30f5fc315a83b5045215745e05055edb07652a8f
SHA256 8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f
SHA512 7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.html

MD5 d9fe6793afc43f7c749d83875e83016a
SHA1 30f5fc315a83b5045215745e05055edb07652a8f
SHA256 8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f
SHA512 7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db.RYK

MD5 910297070288ed37498639fb03da890d
SHA1 44ae3fea30ff3a410c26f78700f360039c885084
SHA256 a3f94699e8f39766d7b199e07f27c7cd5c52ff0d96fc327cb1f3596adadf5673
SHA512 3b60b7067d3055df430f509aa7dfd1b8f287de2b1241eee5537503b795c9d46097c4fed742c8ef5395544e0a4db514bcb7b220312daa0a953fd781ca457d7d23

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html

MD5 d9fe6793afc43f7c749d83875e83016a
SHA1 30f5fc315a83b5045215745e05055edb07652a8f
SHA256 8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f
SHA512 7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK

MD5 593b3fd30645c85a2d886dafa20e99a5
SHA1 e6bbe13e94b19d2356c7cf342d5452ef7e9d681a
SHA256 4f372a12322cc8624587b62f16acc144af94478489ac8901b6617cb6f9e6b3d7
SHA512 a610b0923354ef426f081ad391b545a90601be9b78d699ecbc991bbdf9f396ef1ee5fc2a718a0cf0eb4ada9016cfcee89f8deda5ff0a57a07ed5719c0add1335

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html

MD5 d9fe6793afc43f7c749d83875e83016a
SHA1 30f5fc315a83b5045215745e05055edb07652a8f
SHA256 8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f
SHA512 7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\RyukReadMe.html

MD5 d9fe6793afc43f7c749d83875e83016a
SHA1 30f5fc315a83b5045215745e05055edb07652a8f
SHA256 8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f
SHA512 7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\RyukReadMe.html

MD5 d9fe6793afc43f7c749d83875e83016a
SHA1 30f5fc315a83b5045215745e05055edb07652a8f
SHA256 8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f
SHA512 7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.html

MD5 d9fe6793afc43f7c749d83875e83016a
SHA1 30f5fc315a83b5045215745e05055edb07652a8f
SHA256 8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f
SHA512 7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.html

MD5 d9fe6793afc43f7c749d83875e83016a
SHA1 30f5fc315a83b5045215745e05055edb07652a8f
SHA256 8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f
SHA512 7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log

MD5 c2a30d2a1b41d6310e964e606441a426
SHA1 0435e73a6ccb779845251ff76e50c721e35ebc31
SHA256 87f74f755ec6e6683db0dce988926f18e211be1b1f2ef6d3fb9e0853fb8230f8
SHA512 9697db9963ddbd57712b652192e3e9b971895c27f95e603148c14da442d4813925a709e539a49fad88dc5cf914f9c1acc0b5053c612ea43c0bfcc821d48fc20d

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\aria-debug-2324.log

MD5 86758fdb4d8fdeb3ff00c6b8155eb1f1
SHA1 cf2762327f925c0064b33ebe63fd311c4eebe4cb
SHA256 51e8c05e3253315fa1ed87f0b3af61f22f563eb6438f12a9a21b35c6892c29c5
SHA512 3198c6a68ca32ca6d05ee222c6bca9a2514be7b19aaa477d7152a96ad9d30ad3437a696dae705baf6e06c73835b781eab0351a5aee1f9f41389e31bb4ed15d09

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\AdobeSFX.log.RYK

MD5 6003e93bed1185af075fa28e11b931a3
SHA1 cc7362e2ee39bb5df796d9d1951d9edf78367aa9
SHA256 68dc7b16e8e2d2fa577a51a3db863511cfe6afa352aeb2a3d1c833692d842bd1
SHA512 8682249c0f5a279691463990e63d045d29d38faa0b59fd0cc615b7bf01b2ed41f0fddc63e3a63283ed9bba633efa88ec80acea601f66747dcd3c9eb51e4971d3

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\msedge_installer.log

MD5 87ff0a8569ed3acdd61358da3b6b1296
SHA1 c235a18b8968f705742c2a4ec020aa3653e14351
SHA256 13cbbdf487b46d5a9affdf84205653f0457486da2400d2f952942b6eeee60bbc
SHA512 6168265565f44549b7f964a08f388f79f30a4c975dbae3c906284e0795b6a2a833c28710e9cf152598868883d5e34a138409754ce7b443671fe3e8bebe73026a

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wctE22A.tmp.RYK

MD5 b21fe886b71b903416391e8391c5ea8e
SHA1 5a87514fac9a6455a5aca50a085cc5d672eb51d0
SHA256 196b3fbe6b670f8eca3d41453e977db36947b000b83da9497749aae01f5fdb87