Analysis Overview
SHA256
748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43
Threat Level: Known bad
The file 748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43 was found to be: Known bad.
Malicious Activity Summary
Ryuk
Checks computer location settings
Drops desktop.ini file(s)
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of UnmapMainImage
Runs net.exe
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-20 05:42
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 05:42
Reported
2022-02-20 06:10
Platform
win7-en-20211208
Max time kernel
158s
Max time network
146s
Command Line
Signatures
Ryuk
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Desktop\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Favorites\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Links\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Downloads\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\My Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\My Music\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Favorites\Links\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\SendTo\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\taskhost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\system32\taskhost.exe | "taskhost.exe" |
| C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" |
| C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | "C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe" |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "spooler" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "spooler" /y |
| C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
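The process list above shows the sample repeatedly launching net.exe (which in turn launches net1.exe) to stop the spooler, audioendpointbuilder and samss services with /y, while the file listings show RyukReadMe.txt dropped into many directories and a large number of desktop.ini files opened for modification. The following is an added detection example, not part of this sandbox report and not code from the sample or the sandbox vendor: it rebuilds process trees from process-creation and file-write events and scores each tree on exactly those three behaviours. The event layout (dicts with pid/ppid/image/cmdline/path, loosely modelled on Sysmon fields), the thresholds and the sample events with their pids are assumptions constructed for illustration.

```python
"""Added example (not part of the sandbox report): rebuild process trees from
process- and file-write events and score each tree on the behaviours this
detonation recorded: net.exe stopping services with /y, RyukReadMe.txt drops
and mass desktop.ini rewrites.  Event dicts (pid/ppid/image/cmdline/path) are
a Sysmon-like shape chosen here; the sample events and pids are invented.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Services the sample stopped above.  Assumption: two or more of these
# stopped with /y from one process tree counts as a strong indicator.
RYUK_STOPPED_SERVICES = {"spooler", "audioendpointbuilder", "samss"}
RANSOM_NOTE = "ryukreadme.txt"
DESKTOP_INI_THRESHOLD = 5  # assumption: mass rewrites, not a single one

# Matches both command-line forms in the process list:
#   "C:\Windows\System32\net.exe" stop "samss" /y
#   C:\Windows\system32\net1 stop "samss" /y
NET_STOP_RE = re.compile(
    r'^"?(?:.*\\)?net1?(?:\.exe)?"?\s+stop\s+"?([^"\s]+)"?\s+/y\b', re.I)


@dataclass
class Tree:
    root_image: str
    stopped: set[str] = field(default_factory=set)  # services stopped via net
    notes: int = 0        # RyukReadMe.txt files written
    desktop_ini: int = 0  # desktop.ini files written

    @property
    def score(self) -> int:
        s = 0
        if len(self.stopped & RYUK_STOPPED_SERVICES) >= 2:
            s += 2
        if self.notes:
            s += 2
        if self.desktop_ini >= DESKTOP_INI_THRESHOLD:
            s += 1
        return s


def build_trees(events: list[dict]) -> dict[int, Tree]:
    """Attribute every event to the top-most known ancestor of its pid and
    tally the indicators per tree.  Returns {root_pid: Tree}."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}

    def root_of(pid: int) -> int:
        seen = set()  # guards against pid reuse producing a cycle
        while pid not in seen and procs.get(pid, {}).get("ppid") in procs:
            seen.add(pid)
            pid = procs[pid]["ppid"]
        return pid

    trees: dict[int, Tree] = {}
    for e in events:
        r = root_of(e["pid"])
        t = trees.setdefault(r, Tree(procs.get(r, {}).get("image", "?")))
        if e["type"] == "process":
            m = NET_STOP_RE.match(e["cmdline"])
            if m:
                t.stopped.add(m.group(1).lower())
        elif e["type"] == "file":
            name = e["path"].rsplit("\\", 1)[-1].lower()
            if name == RANSOM_NOTE:
                t.notes += 1
            elif name == "desktop.ini":
                t.desktop_ini += 1
    return trees


def flagged(events: list[dict], threshold: int = 4) -> list[str]:
    """Image paths of tree roots scoring at or above threshold."""
    return sorted(t.root_image for t in build_trees(events).values()
                  if t.score >= threshold)


# Constructed sample events (pids invented), modelled on the process list.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe")
NET = r"C:\Windows\System32\net.exe"
NET1 = r"C:\Windows\system32\net1.exe"


def proc(pid, ppid, image, cmdline):
    return {"type": "process", "pid": pid, "ppid": ppid,
            "image": image, "cmdline": cmdline}


def filewrite(pid, path):
    return {"type": "file", "pid": pid, "path": path}


USER_DIRS = ("Desktop", "Documents", "Downloads", "Favorites", "Links", "Contacts")
EVENTS = [
    # Tree 1: the sample spawning net.exe -> net1.exe and dropping notes.
    proc(1224, 1000, SAMPLE, f'"{SAMPLE}"'),
    proc(1300, 1224, NET, f'"{NET}" stop "spooler" /y'),
    proc(1301, 1300, NET1, r'C:\Windows\system32\net1 stop "spooler" /y'),
    proc(1302, 1224, NET, f'"{NET}" stop "samss" /y'),
    proc(1303, 1302, NET1, r'C:\Windows\system32\net1 stop "samss" /y'),
    proc(1304, 1224, NET, f'"{NET}" stop "audioendpointbuilder" /y'),
    filewrite(1224, r"C:\Users\Admin\RyukReadMe.txt"),
    filewrite(1224, r"C:\RyukReadMe.txt"),
    *[filewrite(1224, "\\".join(("C:", "Users", "Admin", d, "desktop.ini")))
      for d in USER_DIRS],
    # Tree 2: an administrator stopping the print spooler from a console.
    proc(2000, 1999, r"C:\Windows\System32\cmd.exe", '"cmd.exe"'),
    proc(2001, 2000, NET, f'"{NET}" stop "spooler" /y'),
]

if __name__ == "__main__":
    for pid, t in build_trees(EVENTS).items():
        name = t.root_image.rsplit("\\", 1)[-1]
        print(f"root {pid} {name}: score={t.score} stopped={sorted(t.stopped)} "
              f"notes={t.notes} desktop.ini={t.desktop_ini}")
    print("flagged:", flagged(EVENTS))
```

Run stand-alone, the sample's tree scores 5 and is flagged while the administrator's single `net stop spooler` scores 0. One caveat this report makes visible: the desktop.ini table also attributes writes to C:\Windows\system32\taskhost.exe, which is not a child of the sample, and the sample is flagged for WriteProcessMemory and AdjustPrivilegeToken (SeDebugPrivilege). A purely tree-based tally would score that activity under taskhost.exe's own tree, so in practice it should be paired with those cross-process signals rather than used alone.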
Network
Files
memory/1624-55-0x000007FEFC401000-0x000007FEFC403000-memory.dmp
memory/1224-56-0x000000013FD50000-0x00000001400E6000-memory.dmp
memory/1224-57-0x000000013FD50000-0x00000001400E6000-memory.dmp
memory/1348-59-0x000000013FD50000-0x00000001400E6000-memory.dmp
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a
| MD5 | 93a5aadeec082ffc1bca5aa27af70f52 |
| SHA1 | 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31 |
| SHA256 | a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294 |
| SHA512 | df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wsRGB.icc
| MD5 | 32053aced789212e60c7d73a2fba3a8e |
| SHA1 | cf6bf984632acfcf6b60317e142e1dc517c1bdf5 |
| SHA256 | 5f1bc2eddde86732376970078c3bf450680aead06e9b14449aa083975f50398d |
| SHA512 | 7849c2b6eb3ef4639e201d7e05031f20727fe9f3b372d74d967a255e0ea98114ce3e05ddf928fbd3f387ecbf90833029cb4a907f5c1ef2ffea1087f8cbcae692 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\ACECache10.lst
| MD5 | 39d1fb2ce162b38b8a75a8c8c6e38d32 |
| SHA1 | b8ba911c0c71a00106f1a328cf41c567594bad33 |
| SHA256 | b4f928b4fc7e59999a970e0c10028a02af3420a7402640b20965c0681978e344 |
| SHA512 | d9858f1edea76df63e62d05f0055e1b309cbede2819207741d3a1cb1d01f81ae9538c1fbfc38fe2e83054a8598222d5acc7bc0741f098be9c1c6a599dfc117f3 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst
| MD5 | e2403d8a71e63b3177e51f3019d53c7a |
| SHA1 | 755c3bf73b5186f3ee10a6eba41d924a60597847 |
| SHA256 | ecb7ca612c75d48c113d60e4e1641363fe228a59a795c82e6533ba11cd1710e9 |
| SHA512 | 181220e3f13606f7da40fa2a7b9916fb0d25408a2ca6af75c1f78b5f65faf782759b42ded5dcf5907b8501b44439e05550105e350cf397cb9e2208077aebbbef |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wscRGB.icc
| MD5 | 4d014e49d3ff498d0ee31f4697b9def8 |
| SHA1 | e1aa9876f2ce3f1ec5269510f2335f113e54b780 |
| SHA256 | 78b1b5895bd8ae9fc5c0d38c74490526c7df06fd521fef82cf52181b496e75f9 |
| SHA512 | 3cd04be3e170d07f5b09ef4cf2671763556d56fc594d753c4af61595cbdc1c0520aabf5f4026f8fbca5117716e16c3c83c14789aa642ab2438ec8e701d58a799 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini
| MD5 | 6eb51fed22ed003209bb8fc4fe1c843a |
| SHA1 | de342353f0337b7bc5f2c8d5de990972461a4966 |
| SHA256 | afd3feba4817ab5a289ada776d7e7eff73018315bc1eef4d94c1913b956083fd |
| SHA512 | ee8b2caf65f29ad7a12022dde40941bf99d4fbdb1eab96b235b91d442426e96449aecf40361f3a4b56ef575132535d84f4b8c6994eb37f64e7c90d2e560c31e9 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db
| MD5 | 25dcbf7befbd7cfdc523fa6c22629fce |
| SHA1 | 7b52428a8e13b62dd9483e09cacacf6b435e4545 |
| SHA256 | ca09597fcc482304730317c2afe7b0e02877256bd946f917c04d871ce3c8616c |
| SHA512 | 75a2c4dac0478ab726cc60cce7731eb9565757bfc4aa987d59a19b3d4415d36d50c85ec5fb3bac3efad3fabd02f59a2d447b15d9980d3d5480670209ef4ffa1e |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Admin.bmp
| MD5 | 411064fd1804975db153ba5b0cbc231f |
| SHA1 | 6bf5353eabb192ad41039adde7a738b729b59475 |
| SHA256 | 1b4f6552d842122281b1c2e879adfa771b803dbc12b832bccf61d0d46bb28de6 |
| SHA512 | 982522f4ccdf2b5e80a07caa6bf81cc8d92a014ce9cd55604fd0170a06810afaf7b8c6ec240fb0f05c8a29af6103d0e3973534aaa963125630e2b1bb3663e227 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI1E30.txt
| MD5 | 6a55bf19bf45a2a6e9fd131897287106 |
| SHA1 | 616432943c3a1eb76b6b00fa12469248756f97ca |
| SHA256 | f7e13f12137758e08215040a502e599a03b681ed1a3a5f8d4aa080310fdd7e59 |
| SHA512 | bb37dcaee836e99cca5aa9b74ca04f2df4180d7645dfd462c2d60c6f9ee1118bd451a53910e16a75d79c7825fa4225d554cab11c8ff1607ce0506afe3356bcbd |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
| MD5 | c11cac3c5c57ce49d8bd24886b67d096 |
| SHA1 | 0c293f0ed269a99c1fa66316470eb2f0f40d603a |
| SHA256 | 83482ce4468d3c32dd20362423c6788b3ecd1766f4899e5563d2abe77282bc82 |
| SHA512 | f64b507d8c823d277fa889b6d5beb38e087b02977ffddabdcdec8fae28e5891c64c0ff7f70130083e519bcc22c7dedfb118dea0f870bb90e5a285de41f707a00 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00000.log
| MD5 | 6015568417216c5640fb297503a8369b |
| SHA1 | 41b6e7603cf7c791b3831aaf7792c37ea218d1d2 |
| SHA256 | 72ec845174bbaf6835a08bd15fa56c7fe6def292d78ae308ddc3546209fc4b81 |
| SHA512 | 6deb909122647c7fd8c88e29106fb963f4e1a48fa78448a79054cf31a17172502c8cc67b5b24d52b4e93eb277b783347436dc638d0cb1065cbd2129dcbb99a2a |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00001.log
| MD5 | 554c8ea709dc506a9f3ad6a899af4fbb |
| SHA1 | b952135bba60b108de4409d07f673acfbed8c259 |
| SHA256 | 88e99b9ad9bd546fec84f290c6237ef40e72bbaab227cc54a97c9372b523398b |
| SHA512 | 0e89184ab304229befc528db0b4d15553f8470f2438d39b3c4810321aecadc47815e77fc221781eaddfe7c8399c2bf99289e3fb2101be7761c83ce6dad63efa1 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_SetupUtility.txt
| MD5 | 00fd75a331bd5c023da7bfbdbe306c30 |
| SHA1 | 93d5b2939bbe845c7a60c50b54b687924999d559 |
| SHA256 | a5b6c88471cb6112b42070d07f2da8e72cce558c991a568c33926262059a35fa |
| SHA512 | 2bf50e61ec3fa7f0709d1c71aa4e3aae6953ab0c3f9abaf3414aff72215b8f99524f67931835b8f5de9b5aae36123ad7c622a68743fdaf16e3810735b8a976b1 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log
| MD5 | fb0d87ceb8d2e4fd13feba583a2c4d9b |
| SHA1 | 6364e896b0f1977203eef36468f9660a3d52e02b |
| SHA256 | cd085485f43b5518df96ffc36cc3d3dcec0c5a1a20d59eb80a3e4fb95b5eecd2 |
| SHA512 | 0dbf5364ce089d4d767e3538704ba48558a2c7ef18836703c3d3cabb854c90f62a71f58e19a0c90a5f7f194940f2e89d5f9b42ad57f4db0500d69e4b7f971797 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGIFCB7.tmp
| MD5 | f1b81d53723b770f6df0283acebb1743 |
| SHA1 | d3aa022791bbed8626666ad04a1a2f94436b2b8b |
| SHA256 | 6e4130535ea042afd7bfd120ea0d099e9367f7b19a6a434f89b92c42bb772cbd |
| SHA512 | 59a84a4ce6c8cd8f1d106afe3d359b1b3f006741b7d9e38fcd300c9516ce8b50b0d6063c6ff258c6486656a89f874cb3e2fe13dcac963ab26e786b4f907d580a |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log
| MD5 | cbbd31b1e21a291071ee2537930f0d3e |
| SHA1 | 02c841ad72175af6013c72936ddc76de68f80678 |
| SHA256 | 59de32e8f2cb01ff14194fba0e1a0ef83cf48df5e2ce0453743a8deab9a03027 |
| SHA512 | 93985d96bb1f52277c760610bac5e31d5b582f0df1e50c4bf391baa27e5e378acb3fc9576bd1d171b586627792507321c94454c909deeac9e3e114688d23cdb6 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install.log
| MD5 | 7b4b480e49e92a7d884e072b6fb1172d |
| SHA1 | 15cc3f7698f7218785a4bd2da3da2ec0b9c5c240 |
| SHA256 | 70d3fd087eb03f15bc4c0489d191b4d5618bd8ef9c3fb2bfc20b57667a95b973 |
| SHA512 | cf0a27728b2cbdf64ea77e67462b6318abc3081f7a0018aaec61d8c03332cc48553c9399339dca8fdf1b6b55feb8ca0e4ece9bffc79e0d182b718f78223cc979 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini
| MD5 | 2695cbdb40198d09777bd05f35002687 |
| SHA1 | 29699439b36401b96e75b7818cbc33ee4e2479e3 |
| SHA256 | b197d186db5fd4f6d9b437a0a33ce0e395dd072d9d702759b5ec75d62d58fc60 |
| SHA512 | bd48ba4928c6fe6c4cb1075e92be3a991422410048f8d8c19894e448fa23698fd19e84a0e557a1b1b2ae2c8d55d5bf0562589374bd92bc6cf3598359d8821b2a |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini
| MD5 | 9ee81d8513b782ac647987f746bc3428 |
| SHA1 | 9d0522f38d0b6201a9e67b25c228f4aee66bda5e |
| SHA256 | 2a14bdc0a15f23d3b889d42346b4a132c469dc6294300d29dc236c2812673870 |
| SHA512 | 18c2ebc18e51a8f26c351c78f025672bb86cc23dc6880ddf054eda52562fa067521016ed5c6258ec1175c243882984c366b6a4774faea83433914560f330c91d |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini
| MD5 | 4cd925daef68366ea7aa9c1069901427 |
| SHA1 | 25e03e6a32ccf3a6f555ef7a7e06a261f974b7e6 |
| SHA256 | 9f1cb188ffe09863ecd86deb565db2a600ada3c26f6d0a7fd3e1a633e2e5701d |
| SHA512 | a8c7d7de942af6e19827670c6a79f8c6d4a37d1aa1def7359349e31f12921909384c3d74c77fedb184a8e0e2c001a54d3c03d558f3d29d6b3c75a4290a29d932 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini
| MD5 | d7a078a5186c63e7992674c86919675f |
| SHA1 | 357d4d6b7c1e74e4fed51cac771b796109fcb822 |
| SHA256 | 7613188f9373b8150b7fad3af6d1a9d0343b9d042429ee35dc729bfda03281de |
| SHA512 | 77280f33b39c7fa2c8c24b71bd170a3f36241fe0a270ad567c5d02982196fc7aeb4c09e92d0db3292d92f375b606a0930a13f9f28e9f522631a5c649b7e6e3eb |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak
| MD5 | 49b18a7abc22286165e3c7b3e1745c67 |
| SHA1 | 96cddeca9786edf07b33746c8c951ff58bee3b69 |
| SHA256 | ee515ddca44f4630748213142e359fad4d52c27899af7fdebfabe7365aac8e1f |
| SHA512 | 0d7679641f0aed10f840b0b37b5a6d71a0586a803c6bf4941c9e4fc5edc03b3c3fbf4b67256101a978b6c1d3c566c5880754cbf4e2039cd5f07994639c60607c |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt
| MD5 | ee7fdb1c8eb52b2cc74c372d3acc09c3 |
| SHA1 | 46c1f9d7916a1f4afba677544a82feb2f4010c72 |
| SHA256 | eedda966f6383d9557b190da3a77833a36e0b3a4054b8aa6bbc156d5532da648 |
| SHA512 | 0d195872cbdc980e2f6bf224d05bbfcd6ed0cb7ad609659c8bd2f58f998453716824e33c6fa89f12935547f6089812bd09c7730c0ebf8ceea7f01d389c95efcc |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\LocalMLS_3.wmdb
| MD5 | d16df2c4bbe0523fe4fcc4c7ff3e01c5 |
| SHA1 | 30730ca6b2deeafe80dd2c6b02670009ce1e034f |
| SHA256 | 24aa34d2b952e1e8feb5494f766a4949297426973da173e73c2bb128dafa466e |
| SHA512 | 67347cee66d5806b318402befad62ab2171be282b9e1fbc0c95f008cffeacc714f0efac5f4be83329f0e5b06f60d3c2bd111ecd4bfa1d3e4284581f97d13e3e0 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\User\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\oeold.xml
| MD5 | df41331edcaa97e488bcf1854449158c |
| SHA1 | 8ce06bbcccdf282b0dfb2f4ac79419eb776e66d9 |
| SHA256 | b37869b40dc0e25ecc553057646463df99964d6c17d84fc573a9b9b876dce623 |
| SHA512 | ee3460df8e4befd176b7c37118fa8f58717f27ef16c6ecb0f28501698396308ae34def69eb39ba7adf0511f45c0391cab1128fbc22acaf65cfa700329b1d5896 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Roses.htm
| MD5 | ef422cfba0b704705340eea4607b8831 |
| SHA1 | f2ab5d7f15bcd52d182b24068e39fd7428d677d9 |
| SHA256 | 4dc1000524980835feb4a5dc8db43f14900a8e5abd761e23b7c1d1e0db9bd6c7 |
| SHA512 | 1b38dba8c3c3b7c5b53d9d855402bd101107a5c74aa073c54fb6c82613b7aeb8354b465423c0aa48b1b5245985908cd45b1df2c033a55d09040b0fd994fd9cf9 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Music.emf
| MD5 | 1d5aa1e3ebcf9158904bd9babdbd3ad2 |
| SHA1 | e8f48ca759873e09d284ca1b1b18493234406e35 |
| SHA256 | cfc2c640327e89411791d5e49c7817dfc30b176bcfca3c0e86602ac0f0b663ac |
| SHA512 | bb94e4b0e12338352702c02573a6c03e8331db67374bc8e641fdc2ded88a484d4dea4083a626ea9b2ef98639d07fb68b4891cc31499a01471c1fe754f84016a5 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.jpg
| MD5 | 3f8cb560f0bf6bab6db24bd0fabf232b |
| SHA1 | 82c4a3823530af30059736a5867a03fde8c349aa |
| SHA256 | 19f9d5564e58976abe423b07d7e86af6f0668a753b957ce9bb1ac46848c51d2b |
| SHA512 | eac5bce9298ee833d879ad130e5cc38120be5cfc6f9716a0a17f3dce752be0782be077fd50bd515bd1febb4fb11ddd0038bbef92707e56257a8f6a0060c58edd |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Graph.emf
| MD5 | cae562f1a44cd7245230dfc1adbe8451 |
| SHA1 | 13c751f367ccd06a71df8b9d1db9e8aab1685644 |
| SHA256 | 0729027a83d98d3d575e0f543a48b80be5c817424b5156ca74ab69225bbbed74 |
| SHA512 | b53548ef03f1ba19231cac4f2576d4f2fa6340714a0dac7e0a3ae0d1b7c1edef9bd9fb328b872c75ffc7d098f18c6b01171c83a39e38d1f760e9650a776b566e |
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 05:42
Reported
2022-02-20 06:11
Platform
win10v2004-en-20220112
Max time kernel
214s
Max time network
234s
Command Line
Signatures
Ryuk
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Documents and Settings\Admin\3D Objects\desktop.ini | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | C:\Windows\System32\svchost.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\DllHost.exe |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132899874700148141" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.067898" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4108" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | C:\Windows\System32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-790714498-1549421491-1643397139-1000\{73559BCE-0E00-46FF-8843-3961E82EC1A4} | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed | C:\Windows\System32\RuntimeBroker.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\sihost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup |
| C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | "C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe" |
| C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 2712 -s 1000 |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "spooler" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "spooler" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "spooler" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "spooler" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "spooler" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "spooler" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "spooler" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "spooler" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "spooler" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "spooler" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "spooler" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "spooler" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "spooler" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "spooler" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y |
| C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
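The process list above shows the sample issuing `net stop ... /y` against spooler, audioendpointbuilder and samss again and again; each net.exe hands the command to a net1.exe child, which is why every command appears twice. A single `net stop` is routine administration, so a rule keyed on the command alone is noisy; the usable signal is one parent process stopping several distinct services in one run. The Python below is an added example, not part of the sandbox report: it runs that check over constructed process-creation events modelled on the list. The PIDs and parent PIDs are assumptions (the report shows no process tree), and the cmd.exe entry is a constructed benign control.

```python
"""Detect a parent process that stops several distinct services via `net stop`.

Added example, not part of the sandbox report. SAMPLE_EVENTS is a constructed
set of process-creation events modelled on the report's Processes section;
the PIDs and parent PIDs are assumptions (the report shows no process tree),
and the cmd.exe entry is a constructed benign control.
"""
import re
from collections import defaultdict

SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe")
NET = r"C:\Windows\System32\net.exe"
NET1 = r"C:\Windows\system32\net1.exe"

# (pid, parent pid, image path, command line); constructed, PIDs assumed.
SAMPLE_EVENTS = [
    (2204, 1200, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    (3001, 2204, NET, r'"C:\Windows\System32\net.exe" stop "spooler" /y'),
    (3002, 3001, NET1, r'C:\Windows\system32\net1 stop "spooler" /y'),
    (3003, 2204, NET, r'"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y'),
    (3004, 3003, NET1, r'C:\Windows\system32\net1 stop "audioendpointbuilder" /y'),
    (3005, 2204, NET, r'"C:\Windows\System32\net.exe" stop "samss" /y'),
    (3006, 3005, NET1, r'C:\Windows\system32\net1 stop "samss" /y'),
    (3007, 2204, NET, r'"C:\Windows\System32\net.exe" stop "spooler" /y'),
    # Benign control: an administrator stopping one service from a shell.
    (4001, 900, r"C:\Windows\System32\cmd.exe", "cmd.exe /c net stop spooler"),
    (4002, 4001, NET, "net stop spooler"),
]

# `net stop <svc>` as written for net.exe or its net1.exe helper, with or
# without the .exe suffix and with or without quotes around the service name.
NET_STOP = re.compile(r'(?i)\bnet1?(?:\.exe)?"?\s+stop\s+"?([^"\s]+)"?')


def net_stop_target(cmdline):
    """Return the service name a `net stop` command line targets, else None."""
    m = NET_STOP.search(cmdline)
    return m.group(1).lower() if m else None


def find_service_killers(events, min_distinct=2):
    """Map parent PID -> sorted list of services it stopped, keeping only
    parents that stopped at least `min_distinct` different services.

    Only net.exe children are counted: net.exe delegates to net1.exe, so
    counting both would double every command, as the report's list shows.
    """
    stopped = defaultdict(set)
    for _pid, ppid, image, cmdline in events:
        if not image.lower().endswith("\\net.exe"):
            continue
        svc = net_stop_target(cmdline)
        if svc:
            stopped[ppid].add(svc)
    return {ppid: sorted(s) for ppid, s in stopped.items() if len(s) >= min_distinct}


if __name__ == "__main__":
    for ppid, services in find_service_killers(SAMPLE_EVENTS).items():
        print(f"parent pid {ppid} stopped {len(services)} services: {', '.join(services)}")
```

On real telemetry (Sysmon event 1 or Windows 4688) the same logic applies per parent PID within a short window; the threshold of two distinct services is a starting point, not a tuned value.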
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 8.8.8.8:53 | geo.prod.do.dsp.mp.microsoft.com | udp |
| IE | 51.104.167.245:443 | geo.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | kv801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | kv801.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | cp801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp |
Files
memory/2204-131-0x00007FF70BD10000-0x00007FF70C0A6000-memory.dmp
memory/2224-132-0x00007FF70BD10000-0x00007FF70C0A6000-memory.dmp
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2
| MD5 | 93a5aadeec082ffc1bca5aa27af70f52 |
| SHA1 | 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31 |
| SHA256 | a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294 |
| SHA512 | df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\3D Objects\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\.oracle_jre_usage\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK
| MD5 | 579e97af4d264ec84726bca91bab771f |
| SHA1 | 63ebe2a372add9f803ab796f2e1c53f14f259a9b |
| SHA256 | 24ec6a1ff80cc3f5a3769fc825ce9de3896ae3cfa7243f06be9a84e7eca89842 |
| SHA512 | 5374f1bc409e1604d916aab7f5f3c36e97e1efe0c6e48057299e014e80b59369b7a35384499db513d643327e43357b576ae908399ee8c0877c595bee3a02aa8d |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents
| MD5 | e500f8d9f607fd99fd2eca1843695ffb |
| SHA1 | 29e9b23c2859225ad6159839f1209c9e6237635c |
| SHA256 | ed246f88900700873b2ab6a0689073c2c2b37579f81833e3d2211437b0fe95f2 |
| SHA512 | b618a946eb4b4464eb99e70ab4d8365746be176bcc248554e08301a05bbd8d0f7b1cc6f58407384b8e73cdc74da9336560d328f47c341ab59f19a6e977d22896 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache11.lst
| MD5 | 8a58e61e557c6e88b8cde008f4ddbc3a |
| SHA1 | c787fda51cd422cdc97bb18197dbcfdb474ca167 |
| SHA256 | 64612b322922bd80b16e8a6e2e6a4e5dd851b9dfacff8ce9e7cf9476e77cc099 |
| SHA512 | 6239de727d749d250476e45df24ac0c66ae872bf92c70d92ccb2d92cda168acda8a754169871af80b7d9e5fdad9ac6b73921de6980b1626ca8c8763851884f2e |
C:\Documents and Settings\Admin\3D Objects\desktop.ini
| MD5 | cf75a607a0b3167e029c91934cf4bbb8 |
| SHA1 | 518d70df32d2753c6653f697e93bebb9d0031e08 |
| SHA256 | 1c9f81e00b4c8b2fff7c076bc95af9668a12a138e20d3b6c43aecc1235718a6e |
| SHA512 | fb9e67064bc7e3327750ac207d6a563021a37c38b9e4e30d72446069b4e953d7f05a33dbacf5cff93beb6f9c13127b171b9cb77797f032ed9ae68353fc16b460 |
memory/2712-150-0x000001F617080000-0x000001F617088000-memory.dmp
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
| MD5 | abf7ed94c50614889278ef19c4e2d04b |
| SHA1 | d4267fdd8694772549f03e1caf517eefcd7523d3 |
| SHA256 | 566477efd583373f8bb2cf6f65138f14e96e6c821df366b063b61de5767458f0 |
| SHA512 | f648eb38ed296645e8532f7650722f8d2900070f21171f2c7a0912d90e15e42da42dba70052b2c7a57e8d41d24b3a8a5a831405522f891a9f0c98cd95600c4ae |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
memory/2712-152-0x000001F617070000-0x000001F617071000-memory.dmp
C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Color\Profiles\wscRGB.icc.RYK
| MD5 | 5e5f59b59830897faaf4e75ed01dd1a0 |
| SHA1 | 95514a849ee5c551d4650bf149bd9e2708c5793a |
| SHA256 | bf0812600758db2f8dd5c300ffc5f7926ef510a9087e5f5d80eabd3bbdd31c67 |
| SHA512 | a1f7bac10be8484c3613b2fc8ceac0a53c9f1f348c8c58994f0570682e2c4ed12dd3ca904db56f0bfa6e3987f77bf8f60d03f1b17cc5cb979a5da3f9478359d2 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jcp
| MD5 | a707d73434030defc340698fd0b77d54 |
| SHA1 | 690a8f47ff6e5558e77eb74248574dd968c1688d |
| SHA256 | 439a75185439d523a5fc59200f78305f9a61ded2f63dc453e2276f014881a9ff |
| SHA512 | ac7509e6680704fe1903d4c1827cb33ae8810a76b65f8c4ee429b5cdda28075a419a99c6b272e7de133899890a4699442e5917abd19c1b930e4fc0e22aa8113d |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm
| MD5 | 2d4cf95a4fcb3add7f960bad23db77cb |
| SHA1 | 5a55b56e03ae7aa5a776d31921ebfff0bb0b0826 |
| SHA256 | 5c84ea7121d54f0e9f745d406fb8543d2d8f66803f0d76677d9127a080f0aa17 |
| SHA512 | 07b459cafba51d190f36cfc2b9beaab68be54193b5698a87824640c738e272d2f3f0adfe67c155d331c2ccf5b3ffd8bde35cecbeb6634b71709016569f2457f1 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol
| MD5 | 42d6ea12676d225683819e11d67213b4 |
| SHA1 | b6fc7c79f138c35cbdbcb8d8457f5a04e2e770ee |
| SHA256 | 18568b917f83c8db203bde17291a373c45c5bdc184856f44030251eaed3a652b |
| SHA512 | f914715fe876f51b431a2109e36deaadc98fc9a8795c41bfb0c6756882f6a5f6bf10256d49ea60ceb2f61f8deb0862532ad7803bf6689dd0be83e83662f92a45 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx
| MD5 | 5c0a4f62ef1dca05f1467a7321fddfe7 |
| SHA1 | 15a787f5dc8ce41b6e6733d7b581ebccc560ec2b |
| SHA256 | 4af09cca3961d78cd480f0d5919836dc29808d1a9faf2ea0e6b521145624333b |
| SHA512 | 1af938a2ee813c88461f98a984992d262094e6491206de4b19bb685f635ab8238ac724fa6f7eab18dfca12e48463e14d8d9729dd7d91a947923c5bc97791f6a1 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db
| MD5 | 888950f03ead7a8602914b955ed9e176 |
| SHA1 | aadc0d6c45713f39c58c51dbac0ba580c7c45497 |
| SHA256 | c40528aef62fb3e7f303ecaf9065e6a7db49f4417e99dd4bdf159c5e77356f02 |
| SHA512 | d897676b114380e376dc764794038ff184890da01abaa4ded65aad0174d57ff73471033433ee3d89f572abcbf7654e5f93bc9cdf3aed391599de9cce2d8059a8 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46A8.txt
| MD5 | c0202f002aaeb0372d38020e4bd4e3c7 |
| SHA1 | df99c80de6ff4e12d891f2f8405eed6834674edd |
| SHA256 | a68c9f62624503ddaa7e0c7377b7127c94b5957b5d8c9e54d2083bbb2a87d62c |
| SHA512 | 7cda715fb2c7e4b64a0c4b2481fd7c097d048e01d623a179f083caa6a98c20106969f98c9a69828c00770ede41661b25c6a70b31e665373e1ee1c54c65d2c008 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46E0.txt
| MD5 | 273709337e5a172b700f16c493b112e1 |
| SHA1 | eccb7ca5e699e29ae0bacf8dc1218e1f7f446cbf |
| SHA256 | a90ec694afdf5ec11a44fd32f29dc210b635394f75ba09026a8ef5d08de0c607 |
| SHA512 | f34ad961fd7a693f8445ce2e97b2ece636c040dc3cc26adb7456807f5fc8414263d2221c9ec8e4938cacb33c1d9ec549072e20b0faff49a0cc38404838e9aa72 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\aria-debug-2324.log
| MD5 | 01006f4b1f6caadb532329e1e1cc38d6 |
| SHA1 | fae889b38c13c3c868e76dd982efc54bd972801f |
| SHA256 | b0c0a1e5d8982b9415ba4ed11edbb127481f01611ad168d082d7dab7bdc91d09 |
| SHA512 | 1f35da3c018bd00dd11232779d1365d33fd523ec64515415770445b1d45c4705242be12c5605bd758c71a95664d970a307d73d144aac23bff6337e0614bcb049 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log
| MD5 | 908cea27ffd6a4af2f92c9866de1b64d |
| SHA1 | 62856a21799480c22f61a175b9e58708441ae1a7 |
| SHA256 | d66aa8b46b3a5d80999b4f4b4dcf9ee2f384744414f203111ef7a066d5dd808c |
| SHA512 | a33c7ae7c089ecbdf4c45a354af17559887d8e46eb19962cd273804803affa5c71f0ce739149940f8583d26cd0aae329cfe4c74704a578a179c178fb1faf5e38 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
| MD5 | 4da0ef0ba82c8bb455616bf17cd82031 |
| SHA1 | 3c1901595f2aa0eb96ab8b77a51fb589835f323e |
| SHA256 | d1b6095cfef336bff58948b375b5a295fa290fbc4823ec87f753d88afc1d4946 |
| SHA512 | cf807dcc4be769c383e26224df396af852d9ba071435967998088bb957fc97a6b40f63c2e9d45016a2abd4fe693bd06a7130e89b2a2cc48bad9697309c677cb8 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK
| MD5 | 41c522e764594dc05c08a788f4420275 |
| SHA1 | 922dacade1eb5c042a631438b202ac439b4a45ea |
| SHA256 | 9053d75832af344e14d89c4f233cad8e6c84fcb04c04948f561170f6d526d871 |
| SHA512 | 105222a9a730604007a118df6ab49a85d47bed4acde2c721c04023138933c853223073980038f4a2cc7b339bd138614a118a1a5d8bb4717f4c3c3685a34edb1d |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\History.IE5\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\L.Admin.cdp
| MD5 | 6f4e54964412daec1fbf03646c54338e |
| SHA1 | 2a5612f5e3e2a16649d87cb8d16c476eda6b1813 |
| SHA256 | 5fd24c087aa3e4931f21c7ee8cd48adb0b0c76a199859db59088c9c93cdfcf99 |
| SHA512 | 75c974900bda933eb9060a7728c9e407e056607bbf17ac51f8d186289c2ff7b2afcaa25fc662a3e9754437638175c74b168df3e8f72c17d68813f8f2219abeac |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\UsageLogs\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log
| MD5 | 64e6a4f71b4028588b2b31f238a9a96a |
| SHA1 | 5d2b209075110597a6d58ea30419be0da48f7eb5 |
| SHA256 | f47adff1675292e2a77a51eb0fcb3353296b5d1a435566c945e90864b2474e82 |
| SHA512 | 1ae29ec94fd30224a36fb0c1018667bf6587f4566bdbed304e02664d2ac44ec835b64b78ad46d8c3ab7af29790c279b474c16d97ecf9a182b40de5d62d5abe52 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\DO775D.tmp
| MD5 | 455d2a5bee71c8ddc86b3fcdb73d50d6 |
| SHA1 | 6cc53cd79ab6dd066e4f8781559ae0c4d200b8e6 |
| SHA256 | 61b2aeb6051c812c97615a1c35f19b1417cfa2e8b4a1a96f2b54a77c478a9a59 |
| SHA512 | 3b0597637006951efca3e82fd845c3ebe8de73a84c362355126a24bbc71ee138041d200daf3856c4173b541c846ba73946a28fffc26eb89816b13c4819b9ebcf |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\af-ZA\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-IQ\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-EG\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-DZ\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-BH\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-AE\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-KW\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-JO\RyukReadMe.txt
| MD5 | ebe9f99a3623fbdeeddc9e62cec32cb4 |
| SHA1 | 5f69d348bf4d7abf187e9db73111ba87e94b6c40 |
| SHA256 | ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50 |
| SHA512 | a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa |