Malware Analysis Report

2024-10-19 06:16

Sample ID 220220-gedxlahcc5
Target 748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43
SHA256 748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43
Tags
ryuk ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43

Threat Level: Known bad

The file 748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43 was found to be: Known bad.

Malicious Activity Summary

ryuk ransomware

Ryuk

Checks computer location settings

Drops desktop.ini file(s)

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of UnmapMainImage

Runs net.exe

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-20 05:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-20 05:42

Reported

2022-02-20 06:10

Platform

win7-en-20211208

Max time kernel

158s

Max time network

146s

Command Line

"taskhost.exe"

Signatures

Ryuk

ransomware ryuk

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Desktop\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Favorites\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Links\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Downloads\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Documents\My Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Documents\My Music\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Favorites\Links\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\SendTo\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Windows\system32\taskhost.exe | N/A

Enumerates physical storage devices

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\taskhost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1624 wrote to memory of 1224 | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | C:\Windows\system32\taskhost.exe
PID 1624 wrote to memory of 1348 | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | C:\Windows\system32\Dwm.exe
PID 1624 wrote to memory of 460 | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | C:\Windows\System32\net.exe
PID 1624 wrote to memory of 460 | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | C:\Windows\System32\net.exe
PID 1624 wrote to memory of 460 | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | C:\Windows\System32\net.exe
PID 1624 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | C:\Windows\System32\net.exe
PID 1624 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | C:\Windows\System32\net.exe
PID 1624 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | C:\Windows\System32\net.exe
PID 1624 wrote to memory of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | C:\Windows\System32\net.exe
PID 1624 wrote to memory of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | C:\Windows\System32\net.exe
PID 1624 wrote to memory of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | C:\Windows\System32\net.exe
PID 460 wrote to memory of 1196 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 460 wrote to memory of 1196 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 460 wrote to memory of 1196 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 964 wrote to memory of 1156 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 964 wrote to memory of 1156 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 964 wrote to memory of 1156 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 636 wrote to memory of 1832 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 636 wrote to memory of 1832 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 636 wrote to memory of 1832 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1624 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | C:\Windows\System32\net.exe
PID 1624 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | C:\Windows\System32\net.exe
PID 1624 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | C:\Windows\System32\net.exe
PID 1224 wrote to memory of 1128 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\System32\net.exe
PID 1224 wrote to memory of 1128 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\System32\net.exe
PID 1224 wrote to memory of 1128 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\System32\net.exe
PID 1128 wrote to memory of 1164 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1128 wrote to memory of 1164 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1128 wrote to memory of 1164 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1488 wrote to memory of 1616 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1488 wrote to memory of 1616 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1488 wrote to memory of 1616 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1624 wrote to memory of 1088 | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | C:\Windows\System32\net.exe
PID 1624 wrote to memory of 1088 | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | C:\Windows\System32\net.exe
PID 1624 wrote to memory of 1088 | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | C:\Windows\System32\net.exe
PID 1088 wrote to memory of 1904 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1088 wrote to memory of 1904 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1088 wrote to memory of 1904 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1224 wrote to memory of 1928 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\System32\net.exe
PID 1224 wrote to memory of 1928 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\System32\net.exe
PID 1224 wrote to memory of 1928 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\System32\net.exe
PID 1928 wrote to memory of 1728 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1928 wrote to memory of 1728 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1928 wrote to memory of 1728 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1624 wrote to memory of 5216 | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | C:\Windows\System32\net.exe
PID 1624 wrote to memory of 5216 | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | C:\Windows\System32\net.exe
PID 1624 wrote to memory of 5216 | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | C:\Windows\System32\net.exe
PID 5216 wrote to memory of 5240 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 5216 wrote to memory of 5240 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 5216 wrote to memory of 5240 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1224 wrote to memory of 12476 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\System32\net.exe
PID 1224 wrote to memory of 12476 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\System32\net.exe
PID 1224 wrote to memory of 12476 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\System32\net.exe
PID 1624 wrote to memory of 12648 | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | C:\Windows\System32\net.exe
PID 1624 wrote to memory of 12648 | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | C:\Windows\System32\net.exe
PID 1624 wrote to memory of 12648 | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | C:\Windows\System32\net.exe
PID 12476 wrote to memory of 12888 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 12476 wrote to memory of 12888 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 12476 wrote to memory of 12888 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 12648 wrote to memory of 16412 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 12648 wrote to memory of 16412 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 12648 wrote to memory of 16412 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1624 wrote to memory of 16996 | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | C:\Windows\System32\net.exe
PID 1624 wrote to memory of 16996 | N/A | C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe | C:\Windows\System32\net.exe

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe

"C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe"

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "spooler" /y

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-20 05:42

Reported

2022-02-20 06:11

Platform

win10v2004-en-20220112

Max time kernel

214s

Max time network

234s

Command Line

C:\Windows\system32\svchost.exe -k UnistackSvcGroup

Signatures

Ryuk

ransomware ryuk

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Documents and Settings\Admin\3D Objects\desktop.ini C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Documents and Settings\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat C:\Windows\System32\svchost.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\system32\WerFault.exe C:\Windows\system32\DllHost.exe

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132899874700148141" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.067898" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4108" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" C:\Windows\System32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-790714498-1549421491-1643397139-1000\{73559BCE-0E00-46FF-8843-3961E82EC1A4} C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed C:\Windows\System32\RuntimeBroker.exe N/A

Runs net.exe

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\System32\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1540 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe C:\Windows\system32\sihost.exe
PID 1540 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe C:\Windows\system32\svchost.exe
PID 1540 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe C:\Windows\system32\taskhostw.exe
PID 1540 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe C:\Windows\system32\svchost.exe
PID 1540 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe C:\Windows\system32\DllHost.exe
PID 1540 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1540 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe C:\Windows\System32\RuntimeBroker.exe
PID 1540 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1540 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe C:\Windows\System32\RuntimeBroker.exe
PID 1540 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe C:\Windows\System32\RuntimeBroker.exe
PID 1540 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe C:\Windows\System32\RuntimeBroker.exe
PID 1540 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2712 wrote to memory of 4316 N/A C:\Windows\system32\DllHost.exe C:\Windows\system32\WerFault.exe
PID 2712 wrote to memory of 4316 N/A C:\Windows\system32\DllHost.exe C:\Windows\system32\WerFault.exe
PID 1540 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe C:\Windows\System32\net.exe
PID 1540 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe C:\Windows\System32\net.exe
PID 2204 wrote to memory of 4236 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2204 wrote to memory of 4236 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 1540 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe C:\Windows\System32\net.exe
PID 1540 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe C:\Windows\System32\net.exe
PID 2204 wrote to memory of 3052 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2204 wrote to memory of 3052 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2204 wrote to memory of 5180 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2204 wrote to memory of 5180 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 1540 wrote to memory of 5488 N/A C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe C:\Windows\System32\net.exe
PID 1540 wrote to memory of 5488 N/A C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe C:\Windows\System32\net.exe
PID 1540 wrote to memory of 5496 N/A C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe C:\Windows\System32\net.exe
PID 1540 wrote to memory of 5496 N/A C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe C:\Windows\System32\net.exe
PID 3148 wrote to memory of 5736 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 3148 wrote to memory of 5736 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5488 wrote to memory of 5744 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5488 wrote to memory of 5744 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4532 wrote to memory of 5768 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4532 wrote to memory of 5768 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 3052 wrote to memory of 5776 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 3052 wrote to memory of 5776 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4236 wrote to memory of 5784 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4236 wrote to memory of 5784 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5180 wrote to memory of 5792 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5180 wrote to memory of 5792 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5496 wrote to memory of 5824 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5496 wrote to memory of 5824 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1540 wrote to memory of 5840 N/A C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe C:\Windows\System32\net.exe
PID 1540 wrote to memory of 5840 N/A C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe C:\Windows\System32\net.exe
PID 1540 wrote to memory of 5920 N/A C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe C:\Windows\System32\net.exe
PID 1540 wrote to memory of 5920 N/A C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe C:\Windows\System32\net.exe
PID 5840 wrote to memory of 5992 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5840 wrote to memory of 5992 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5920 wrote to memory of 6000 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5920 wrote to memory of 6000 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2204 wrote to memory of 5800 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2204 wrote to memory of 5800 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2204 wrote to memory of 5108 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2204 wrote to memory of 5108 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2204 wrote to memory of 3744 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2204 wrote to memory of 3744 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 5800 wrote to memory of 3328 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5800 wrote to memory of 3328 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5108 wrote to memory of 4612 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5108 wrote to memory of 4612 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 3744 wrote to memory of 5200 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 3744 wrote to memory of 5200 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1540 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe C:\Windows\System32\net.exe
PID 1540 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe C:\Windows\System32\net.exe

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe

"C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2712 -s 1000

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "spooler" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "spooler" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "spooler" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "spooler" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "spooler" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "spooler" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 crl4.digicert.com tcp
US 8.8.8.8:53 geo.prod.do.dsp.mp.microsoft.com udp
IE 51.104.167.245:443 geo.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 kv801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 kv801.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 cp801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 cp801.prod.do.dsp.mp.microsoft.com tcp

Files

memory/2204-131-0x00007FF70BD10000-0x00007FF70C0A6000-memory.dmp

memory/2224-132-0x00007FF70BD10000-0x00007FF70C0A6000-memory.dmp

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2

MD5 93a5aadeec082ffc1bca5aa27af70f52
SHA1 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256 a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SHA512 df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\3D Objects\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\.oracle_jre_usage\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK

MD5 579e97af4d264ec84726bca91bab771f
SHA1 63ebe2a372add9f803ab796f2e1c53f14f259a9b
SHA256 24ec6a1ff80cc3f5a3769fc825ce9de3896ae3cfa7243f06be9a84e7eca89842
SHA512 5374f1bc409e1604d916aab7f5f3c36e97e1efe0c6e48057299e014e80b59369b7a35384499db513d643327e43357b576ae908399ee8c0877c595bee3a02aa8d

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

MD5 e500f8d9f607fd99fd2eca1843695ffb
SHA1 29e9b23c2859225ad6159839f1209c9e6237635c
SHA256 ed246f88900700873b2ab6a0689073c2c2b37579f81833e3d2211437b0fe95f2
SHA512 b618a946eb4b4464eb99e70ab4d8365746be176bcc248554e08301a05bbd8d0f7b1cc6f58407384b8e73cdc74da9336560d328f47c341ab59f19a6e977d22896

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache11.lst

MD5 8a58e61e557c6e88b8cde008f4ddbc3a
SHA1 c787fda51cd422cdc97bb18197dbcfdb474ca167
SHA256 64612b322922bd80b16e8a6e2e6a4e5dd851b9dfacff8ce9e7cf9476e77cc099
SHA512 6239de727d749d250476e45df24ac0c66ae872bf92c70d92ccb2d92cda168acda8a754169871af80b7d9e5fdad9ac6b73921de6980b1626ca8c8763851884f2e

C:\Documents and Settings\Admin\3D Objects\desktop.ini

MD5 cf75a607a0b3167e029c91934cf4bbb8
SHA1 518d70df32d2753c6653f697e93bebb9d0031e08
SHA256 1c9f81e00b4c8b2fff7c076bc95af9668a12a138e20d3b6c43aecc1235718a6e
SHA512 fb9e67064bc7e3327750ac207d6a563021a37c38b9e4e30d72446069b4e953d7f05a33dbacf5cff93beb6f9c13127b171b9cb77797f032ed9ae68353fc16b460

memory/2712-150-0x000001F617080000-0x000001F617088000-memory.dmp

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

MD5 abf7ed94c50614889278ef19c4e2d04b
SHA1 d4267fdd8694772549f03e1caf517eefcd7523d3
SHA256 566477efd583373f8bb2cf6f65138f14e96e6c821df366b063b61de5767458f0
SHA512 f648eb38ed296645e8532f7650722f8d2900070f21171f2c7a0912d90e15e42da42dba70052b2c7a57e8d41d24b3a8a5a831405522f891a9f0c98cd95600c4ae

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

memory/2712-152-0x000001F617070000-0x000001F617071000-memory.dmp

C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Color\Profiles\wscRGB.icc.RYK

MD5 5e5f59b59830897faaf4e75ed01dd1a0
SHA1 95514a849ee5c551d4650bf149bd9e2708c5793a
SHA256 bf0812600758db2f8dd5c300ffc5f7926ef510a9087e5f5d80eabd3bbdd31c67
SHA512 a1f7bac10be8484c3613b2fc8ceac0a53c9f1f348c8c58994f0570682e2c4ed12dd3ca904db56f0bfa6e3987f77bf8f60d03f1b17cc5cb979a5da3f9478359d2

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jcp

MD5 a707d73434030defc340698fd0b77d54
SHA1 690a8f47ff6e5558e77eb74248574dd968c1688d
SHA256 439a75185439d523a5fc59200f78305f9a61ded2f63dc453e2276f014881a9ff
SHA512 ac7509e6680704fe1903d4c1827cb33ae8810a76b65f8c4ee429b5cdda28075a419a99c6b272e7de133899890a4699442e5917abd19c1b930e4fc0e22aa8113d

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm

MD5 2d4cf95a4fcb3add7f960bad23db77cb
SHA1 5a55b56e03ae7aa5a776d31921ebfff0bb0b0826
SHA256 5c84ea7121d54f0e9f745d406fb8543d2d8f66803f0d76677d9127a080f0aa17
SHA512 07b459cafba51d190f36cfc2b9beaab68be54193b5698a87824640c738e272d2f3f0adfe67c155d331c2ccf5b3ffd8bde35cecbeb6634b71709016569f2457f1

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol

MD5 42d6ea12676d225683819e11d67213b4
SHA1 b6fc7c79f138c35cbdbcb8d8457f5a04e2e770ee
SHA256 18568b917f83c8db203bde17291a373c45c5bdc184856f44030251eaed3a652b
SHA512 f914715fe876f51b431a2109e36deaadc98fc9a8795c41bfb0c6756882f6a5f6bf10256d49ea60ceb2f61f8deb0862532ad7803bf6689dd0be83e83662f92a45

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx

MD5 5c0a4f62ef1dca05f1467a7321fddfe7
SHA1 15a787f5dc8ce41b6e6733d7b581ebccc560ec2b
SHA256 4af09cca3961d78cd480f0d5919836dc29808d1a9faf2ea0e6b521145624333b
SHA512 1af938a2ee813c88461f98a984992d262094e6491206de4b19bb685f635ab8238ac724fa6f7eab18dfca12e48463e14d8d9729dd7d91a947923c5bc97791f6a1

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db

MD5 888950f03ead7a8602914b955ed9e176
SHA1 aadc0d6c45713f39c58c51dbac0ba580c7c45497
SHA256 c40528aef62fb3e7f303ecaf9065e6a7db49f4417e99dd4bdf159c5e77356f02
SHA512 d897676b114380e376dc764794038ff184890da01abaa4ded65aad0174d57ff73471033433ee3d89f572abcbf7654e5f93bc9cdf3aed391599de9cce2d8059a8

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46A8.txt

MD5 c0202f002aaeb0372d38020e4bd4e3c7
SHA1 df99c80de6ff4e12d891f2f8405eed6834674edd
SHA256 a68c9f62624503ddaa7e0c7377b7127c94b5957b5d8c9e54d2083bbb2a87d62c
SHA512 7cda715fb2c7e4b64a0c4b2481fd7c097d048e01d623a179f083caa6a98c20106969f98c9a69828c00770ede41661b25c6a70b31e665373e1ee1c54c65d2c008

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46E0.txt

MD5 273709337e5a172b700f16c493b112e1
SHA1 eccb7ca5e699e29ae0bacf8dc1218e1f7f446cbf
SHA256 a90ec694afdf5ec11a44fd32f29dc210b635394f75ba09026a8ef5d08de0c607
SHA512 f34ad961fd7a693f8445ce2e97b2ece636c040dc3cc26adb7456807f5fc8414263d2221c9ec8e4938cacb33c1d9ec549072e20b0faff49a0cc38404838e9aa72

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\aria-debug-2324.log

MD5 01006f4b1f6caadb532329e1e1cc38d6
SHA1 fae889b38c13c3c868e76dd982efc54bd972801f
SHA256 b0c0a1e5d8982b9415ba4ed11edbb127481f01611ad168d082d7dab7bdc91d09
SHA512 1f35da3c018bd00dd11232779d1365d33fd523ec64515415770445b1d45c4705242be12c5605bd758c71a95664d970a307d73d144aac23bff6337e0614bcb049

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log

MD5 908cea27ffd6a4af2f92c9866de1b64d
SHA1 62856a21799480c22f61a175b9e58708441ae1a7
SHA256 d66aa8b46b3a5d80999b4f4b4dcf9ee2f384744414f203111ef7a066d5dd808c
SHA512 a33c7ae7c089ecbdf4c45a354af17559887d8e46eb19962cd273804803affa5c71f0ce739149940f8583d26cd0aae329cfe4c74704a578a179c178fb1faf5e38

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log

MD5 4da0ef0ba82c8bb455616bf17cd82031
SHA1 3c1901595f2aa0eb96ab8b77a51fb589835f323e
SHA256 d1b6095cfef336bff58948b375b5a295fa290fbc4823ec87f753d88afc1d4946
SHA512 cf807dcc4be769c383e26224df396af852d9ba071435967998088bb957fc97a6b40f63c2e9d45016a2abd4fe693bd06a7130e89b2a2cc48bad9697309c677cb8

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK

MD5 41c522e764594dc05c08a788f4420275
SHA1 922dacade1eb5c042a631438b202ac439b4a45ea
SHA256 9053d75832af344e14d89c4f233cad8e6c84fcb04c04948f561170f6d526d871
SHA512 105222a9a730604007a118df6ab49a85d47bed4acde2c721c04023138933c853223073980038f4a2cc7b339bd138614a118a1a5d8bb4717f4c3c3685a34edb1d

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\History.IE5\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\L.Admin.cdp

MD5 6f4e54964412daec1fbf03646c54338e
SHA1 2a5612f5e3e2a16649d87cb8d16c476eda6b1813
SHA256 5fd24c087aa3e4931f21c7ee8cd48adb0b0c76a199859db59088c9c93cdfcf99
SHA512 75c974900bda933eb9060a7728c9e407e056607bbf17ac51f8d186289c2ff7b2afcaa25fc662a3e9754437638175c74b168df3e8f72c17d68813f8f2219abeac

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\UsageLogs\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log

MD5 64e6a4f71b4028588b2b31f238a9a96a
SHA1 5d2b209075110597a6d58ea30419be0da48f7eb5
SHA256 f47adff1675292e2a77a51eb0fcb3353296b5d1a435566c945e90864b2474e82
SHA512 1ae29ec94fd30224a36fb0c1018667bf6587f4566bdbed304e02664d2ac44ec835b64b78ad46d8c3ab7af29790c279b474c16d97ecf9a182b40de5d62d5abe52

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\DO775D.tmp

MD5 455d2a5bee71c8ddc86b3fcdb73d50d6
SHA1 6cc53cd79ab6dd066e4f8781559ae0c4d200b8e6
SHA256 61b2aeb6051c812c97615a1c35f19b1417cfa2e8b4a1a96f2b54a77c478a9a59
SHA512 3b0597637006951efca3e82fd845c3ebe8de73a84c362355126a24bbc71ee138041d200daf3856c4173b541c846ba73946a28fffc26eb89816b13c4819b9ebcf

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\af-ZA\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-IQ\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-EG\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-DZ\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-BH\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-AE\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-KW\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-JO\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa
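The listing above is long but carries only a handful of distinct indicators: one `RyukReadMe.txt` content hash repeated in every directory the sample walked, the `.RYK` extension appended to encrypted files, memory-dump entries with no hashes, and a tail of host logs and caches whose hashes are specific to the sandbox image. The script below is an added triage example, not part of the sandbox report: it parses entries in this page's own layout (path line, blank line, `MD5`/`SHA1`/`SHA256`/`SHA512` lines), groups them into those classes, and confirms that all ransom notes share one SHA256 so that hash can be used as a single indicator. The sample input is constructed from entries on this page; the note filename and `.RYK` extension are taken from the listing, and collapsing the repeated `Application Data\Application Data\...` segments assumes those runs come from the sample recursing through the Windows compatibility junctions, which is how such paths normally arise.

```python
"""Parse a sandbox 'Files' listing of this shape and pull triage-relevant
indicators out of it.  Added example; not part of the sandbox report."""
import re
from collections import Counter

# Constructed sample in the report's layout (path, blank, hash lines, blank).
# Hashes are copied from entries above; the memory-dump line carries none.
SAMPLE = r"""
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

MD5 abf7ed94c50614889278ef19c4e2d04b
SHA1 d4267fdd8694772549f03e1caf517eefcd7523d3
SHA256 566477efd583373f8bb2cf6f65138f14e96e6c821df366b063b61de5767458f0
SHA512 f648eb38ed296645e8532f7650722f8d2900070f21171f2c7a0912d90e15e42da42dba70052b2c7a57e8d41d24b3a8a5a831405522f891a9f0c98cd95600c4ae

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

memory/2712-152-0x000001F617070000-0x000001F617071000-memory.dmp

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Comms\RyukReadMe.txt

MD5 ebe9f99a3623fbdeeddc9e62cec32cb4
SHA1 5f69d348bf4d7abf187e9db73111ba87e94b6c40
SHA256 ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50
SHA512 a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Temp\jusched.log

MD5 64e6a4f71b4028588b2b31f238a9a96a
SHA1 5d2b209075110597a6d58ea30419be0da48f7eb5
SHA256 f47adff1675292e2a77a51eb0fcb3353296b5d1a435566c945e90864b2474e82
SHA512 1ae29ec94fd30224a36fb0c1018667bf6587f4566bdbed304e02664d2ac44ec835b64b78ad46d8c3ab7af29790c279b474c16d97ecf9a182b40de5d62d5abe52
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
RANSOM_NOTE = "RyukReadMe.txt"   # note filename as it appears in this report
ENCRYPTED_EXT = ".RYK"           # extension appended to encrypted files here


def parse_file_list(text):
    """Return [{'path': str, 'hashes': {algo: hexdigest}}] in listing order.
    A non-hash, non-blank line opens a new entry; hash lines attach to the
    entry that precedes them; memory-dump entries simply have no hashes."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and entries:
            entries[-1]["hashes"][m.group(1)] = m.group(2)
        else:
            entries.append({"path": line, "hashes": {}})
    return entries


def normalize_path(path):
    """Collapse consecutive repeated segments (the 'Application Data\\
    Application Data\\...' runs).  Assumption: those runs come from the
    sample recursing through Windows compatibility junctions, so the
    collapsed form is the real on-disk location."""
    out = []
    for seg in path.split("\\"):
        if not out or out[-1] != seg:
            out.append(seg)
    return "\\".join(out)


def triage(entries):
    """Split the listing into the indicator classes a responder cares about."""
    notes, encrypted, dumps, other = [], [], [], []
    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1]
        if e["path"].startswith("memory/"):
            dumps.append(e)
        elif name == RANSOM_NOTE:
            notes.append(e)
        elif name.endswith(ENCRYPTED_EXT):
            encrypted.append(e)
        else:
            other.append(e)
    # Every ransom note should carry the same content hash.  If more than one
    # SHA256 shows up, the note is templated per directory and a filename-based
    # indicator is needed instead of a hash.
    note_hashes = Counter(e["hashes"].get("SHA256") for e in notes)
    return {
        "ransom_note_sha256": sorted(h for h in note_hashes if h),
        "ransom_note_count": len(notes),
        "encrypted": sorted({normalize_path(e["path"]) for e in encrypted}),
        "memory_dumps": [e["path"] for e in dumps],
        # Host logs/caches the sample merely touched: their hashes are specific
        # to the sandbox image and are not useful as blocklist entries.
        "other": sorted({normalize_path(e["path"]) for e in other}),
    }


if __name__ == "__main__":
    for key, value in triage(parse_file_list(SAMPLE)).items():
        print(f"{key}: {value}")
```

Run against the full listing, `ransom_note_sha256` should come back as a single hash and `encrypted` as the deduplicated set of `.RYK` paths; anything that lands in `other` is environment noise and should not be promoted to a detection rule without further review.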