Malware Analysis Report

2024-08-06 09:27

Sample ID 221220-mq4kaahc78
Target bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe
SHA256 bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800
Tags
ryuk discovery evasion persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800

Threat Level: Known bad

The file bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe was found to be: Known bad.

Malicious Activity Summary

ryuk discovery evasion persistence ransomware

Ryuk

Deletes shadow copies

Modifies boot configuration data using bcdedit

Executes dropped EXE

Modifies file permissions

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Runs net.exe

Suspicious use of WriteProcessMemory

Interacts with shadow copies

MITRE ATT&CK Matrix V6

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Registry Run Keys / Startup Folder
T1060
Privilege Escalation
TA0004
Defense Evasion
TA0005
File Deletion
T1107
File Permissions Modification
T1222
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Inhibit System Recovery
T1490

Analysis: static1

Detonation Overview

Reported

2022-12-20 10:41

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-12-20 10:41

Reported

2022-12-20 10:43

Platform

win10v2004-20221111-en

Max time kernel

26s

Max time network

31s

Command Line

sihost.exe

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\vFwHWlccClan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\juzIfIFtSlan.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3228 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Users\Admin\AppData\Local\Temp\vFwHWlccClan.exe
PID 3228 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Users\Admin\AppData\Local\Temp\vFwHWlccClan.exe
PID 3228 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Users\Admin\AppData\Local\Temp\juzIfIFtSlan.exe
PID 3228 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Users\Admin\AppData\Local\Temp\juzIfIFtSlan.exe
PID 3228 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Windows\system32\sihost.exe
PID 3228 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Windows\System32\net.exe
PID 3228 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Windows\System32\net.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe

"C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe"

C:\Users\Admin\AppData\Local\Temp\vFwHWlccClan.exe

"C:\Users\Admin\AppData\Local\Temp\vFwHWlccClan.exe" 8 LAN

C:\Users\Admin\AppData\Local\Temp\juzIfIFtSlan.exe

"C:\Users\Admin\AppData\Local\Temp\juzIfIFtSlan.exe" 8 LAN

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

Network

Country Destination Domain Proto
N/A 93.184.220.29:80 tcp
N/A 209.197.3.8:80 tcp

Files

memory/3796-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\vFwHWlccClan.exe

MD5 f62bb82db62dd6b80908dcd79ea51fb2
SHA1 e635ba1b935adf31ffd055d71884098567b3dd4f
SHA256 bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800
SHA512 869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

C:\Users\Admin\AppData\Local\Temp\vFwHWlccClan.exe

MD5 f62bb82db62dd6b80908dcd79ea51fb2
SHA1 e635ba1b935adf31ffd055d71884098567b3dd4f
SHA256 bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800
SHA512 869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

memory/4852-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\juzIfIFtSlan.exe

MD5 f62bb82db62dd6b80908dcd79ea51fb2
SHA1 e635ba1b935adf31ffd055d71884098567b3dd4f
SHA256 bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800
SHA512 869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

C:\Users\Admin\AppData\Local\Temp\juzIfIFtSlan.exe

MD5 f62bb82db62dd6b80908dcd79ea51fb2
SHA1 e635ba1b935adf31ffd055d71884098567b3dd4f
SHA256 bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800
SHA512 869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

memory/4920-138-0x0000000000000000-mapping.dmp

memory/220-139-0x0000000000000000-mapping.dmp

memory/2604-140-0x00007FF643620000-0x00007FF643784000-memory.dmp

memory/3876-141-0x0000000000000000-mapping.dmp

memory/5104-142-0x0000000000000000-mapping.dmp

memory/2788-143-0x00007FF643620000-0x00007FF643784000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-20 10:41

Reported

2022-12-20 10:43

Platform

win7-20220812-en

Max time kernel

150s

Max time network

52s

Command Line

"taskhost.exe"

Signatures

Ryuk

ransomware ryuk

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\pyGChhyEUlan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QqxlXGJRqlan.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\EV = "\ufffeC:\\Users\\Admin\\AppData\\Local\\Temp\\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\EV = "\ufffeC:\\Windows\\system32\\taskhost.exe" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Lang\nl.txt C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\RyukReadMe.html C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TextConv\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked-loading.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\RyukReadMe.html C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_fr.properties.RYK C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml.RYK C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util_zh_CN.jar.RYK C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\en_GB\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\logo.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.properties.RYK C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.io_8.1.14.v20131031.jar C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jmx.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\settings.css C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\Words.pdf C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.RYK C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.commands_5.5.0.165303.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\RyukReadMe.html C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\de-DE\RyukReadMe.html C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\calendar.css C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105336.WMF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\nn.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\va.txt C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper_1.0.400.v20130327-1442.jar.RYK C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Fakaofo C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_zh_4.4.0.v20140623020002.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_zh_CN.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\deploy\messages_it.properties C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\cmm\sRGB.pf.RYK C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Moscow C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\calendar.html C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107712.WMF C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.jar.RYK C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Maputo.RYK C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\high-contrast.css C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-coredump.jar C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-background.png C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Mazatlan.RYK C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Taipei C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\activity16v.png C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00369_.WMF C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\11.png C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.CSD C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml.RYK C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-actions_ja.jar.RYK C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kolkata C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.ja_5.5.0.165303.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.logging_1.1.1.v201101211721.jar C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\RyukReadMe.html C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-8 C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01434_.WMF C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\taskhost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\pyGChhyEUlan.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 576 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Users\Admin\AppData\Local\Temp\pyGChhyEUlan.exe
PID 576 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Users\Admin\AppData\Local\Temp\pyGChhyEUlan.exe
PID 576 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Users\Admin\AppData\Local\Temp\pyGChhyEUlan.exe
PID 576 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Users\Admin\AppData\Local\Temp\QqxlXGJRqlan.exe
PID 576 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Users\Admin\AppData\Local\Temp\QqxlXGJRqlan.exe
PID 576 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Users\Admin\AppData\Local\Temp\QqxlXGJRqlan.exe
PID 576 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Windows\System32\net.exe
PID 576 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Windows\System32\net.exe
PID 576 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Windows\System32\net.exe
PID 576 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Windows\system32\taskhost.exe
PID 1616 wrote to memory of 1536 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1616 wrote to memory of 1536 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1616 wrote to memory of 1536 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 576 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Windows\System32\net.exe
PID 576 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Windows\System32\net.exe
PID 576 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Windows\System32\net.exe
PID 576 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Windows\system32\Dwm.exe
PID 916 wrote to memory of 1680 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 916 wrote to memory of 1680 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 916 wrote to memory of 1680 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 576 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Users\Admin\AppData\Local\Temp\pyGChhyEUlan.exe
PID 1216 wrote to memory of 1296 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1216 wrote to memory of 1296 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1216 wrote to memory of 1296 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1216 wrote to memory of 1416 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1216 wrote to memory of 1416 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1216 wrote to memory of 1416 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1216 wrote to memory of 972 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1216 wrote to memory of 972 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1216 wrote to memory of 972 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1216 wrote to memory of 1712 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1216 wrote to memory of 1712 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1216 wrote to memory of 1712 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1216 wrote to memory of 1060 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\icacls.exe
PID 1216 wrote to memory of 1060 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\icacls.exe
PID 1216 wrote to memory of 1060 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\icacls.exe
PID 1216 wrote to memory of 1736 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\icacls.exe
PID 1216 wrote to memory of 1736 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\icacls.exe
PID 1216 wrote to memory of 1736 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\icacls.exe
PID 1296 wrote to memory of 1124 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1296 wrote to memory of 1124 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1296 wrote to memory of 1124 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1416 wrote to memory of 1400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1416 wrote to memory of 1400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1416 wrote to memory of 1400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 972 wrote to memory of 1964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 972 wrote to memory of 1964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 972 wrote to memory of 1964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1216 wrote to memory of 700 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\cmd.exe
PID 1216 wrote to memory of 700 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\cmd.exe
PID 1216 wrote to memory of 700 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\cmd.exe
PID 1216 wrote to memory of 1484 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1216 wrote to memory of 1484 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1216 wrote to memory of 1484 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 972 wrote to memory of 864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 972 wrote to memory of 864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 972 wrote to memory of 864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 700 wrote to memory of 628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 700 wrote to memory of 628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 700 wrote to memory of 628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1484 wrote to memory of 1748 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1484 wrote to memory of 1748 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1484 wrote to memory of 1748 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 576 wrote to memory of 8388 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Windows\system32\cmd.exe

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe

"C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe"

C:\Users\Admin\AppData\Local\Temp\pyGChhyEUlan.exe

"C:\Users\Admin\AppData\Local\Temp\pyGChhyEUlan.exe" 8 LAN

C:\Users\Admin\AppData\Local\Temp\QqxlXGJRqlan.exe

"C:\Users\Admin\AppData\Local\Temp\QqxlXGJRqlan.exe" 8 LAN

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\cmd.exe

cmd /c "WMIC.exe shadowcopy delete"

C:\Windows\system32\cmd.exe

cmd /c "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd /c "bootstatuspolicy ignoreallfailures"

C:\Windows\system32\cmd.exe

cmd /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"

C:\Windows\system32\icacls.exe

icacls "C:\*" /grant Everyone:F /T /C /Qþþÿþ

C:\Windows\system32\icacls.exe

icacls "D:\*" /grant Everyone:F /T /C /Qþþÿþ

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

WMIC.exe shadowcopy delete

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\bcdedit.exe

bcdedit /set {default}

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "￾C:\Windows\system32\taskhost.exe" /f /reg:64

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "￾C:\Windows\system32\taskhost.exe" /f /reg:64

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

cmd /c "WMIC.exe shadowcopy delete"

C:\Windows\system32\cmd.exe

cmd /c "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"

C:\Windows\system32\cmd.exe

cmd /c "bootstatuspolicy ignoreallfailures"

C:\Windows\system32\icacls.exe

icacls "C:\*" /grant Everyone:F /T /C /Qþþÿþ

C:\Windows\system32\icacls.exe

icacls "D:\*" /grant Everyone:F /T /C /Qþþÿþ

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "￾C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe" /f /reg:64

C:\Windows\System32\Wbem\WMIC.exe

WMIC.exe shadowcopy delete

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\system32\bcdedit.exe

bcdedit /set {default}

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "￾C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe" /f /reg:64

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

Network

Country Destination Domain Proto
N/A 10.127.0.1:7 udp
N/A 154.61.71.13:7 udp
N/A 224.0.0.22:7 udp
N/A 224.0.0.252:7 udp
N/A 239.255.255.250:7 udp
N/A 10.127.0.1:7 udp
N/A 154.61.71.13:7 udp
N/A 224.0.0.22:7 udp
N/A 224.0.0.252:7 udp
N/A 239.255.255.250:7 udp

Files

memory/576-54-0x000007FEFBF01000-0x000007FEFBF03000-memory.dmp

memory/2044-57-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\pyGChhyEUlan.exe

MD5 f62bb82db62dd6b80908dcd79ea51fb2
SHA1 e635ba1b935adf31ffd055d71884098567b3dd4f
SHA256 bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800
SHA512 869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

\Users\Admin\AppData\Local\Temp\pyGChhyEUlan.exe

MD5 f62bb82db62dd6b80908dcd79ea51fb2
SHA1 e635ba1b935adf31ffd055d71884098567b3dd4f
SHA256 bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800
SHA512 869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

C:\Users\Admin\AppData\Local\Temp\pyGChhyEUlan.exe

MD5 f62bb82db62dd6b80908dcd79ea51fb2
SHA1 e635ba1b935adf31ffd055d71884098567b3dd4f
SHA256 bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800
SHA512 869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

\Users\Admin\AppData\Local\Temp\QqxlXGJRqlan.exe

MD5 f62bb82db62dd6b80908dcd79ea51fb2
SHA1 e635ba1b935adf31ffd055d71884098567b3dd4f
SHA256 bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800
SHA512 869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

\Users\Admin\AppData\Local\Temp\QqxlXGJRqlan.exe

MD5 f62bb82db62dd6b80908dcd79ea51fb2
SHA1 e635ba1b935adf31ffd055d71884098567b3dd4f
SHA256 bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800
SHA512 869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

memory/1624-61-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\QqxlXGJRqlan.exe

MD5 f62bb82db62dd6b80908dcd79ea51fb2
SHA1 e635ba1b935adf31ffd055d71884098567b3dd4f
SHA256 bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800
SHA512 869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

memory/1216-63-0x000000013FA40000-0x000000013FBA4000-memory.dmp

memory/1616-65-0x0000000000000000-mapping.dmp

memory/1536-66-0x0000000000000000-mapping.dmp

memory/1216-67-0x000000013FA40000-0x000000013FBA4000-memory.dmp

memory/916-68-0x0000000000000000-mapping.dmp

memory/1680-71-0x0000000000000000-mapping.dmp

memory/1296-74-0x0000000000000000-mapping.dmp

memory/1416-75-0x0000000000000000-mapping.dmp

memory/972-76-0x0000000000000000-mapping.dmp

memory/1712-77-0x0000000000000000-mapping.dmp

memory/1060-78-0x0000000000000000-mapping.dmp

memory/1736-79-0x0000000000000000-mapping.dmp

memory/1124-80-0x0000000000000000-mapping.dmp

memory/1964-82-0x0000000000000000-mapping.dmp

memory/1400-81-0x0000000000000000-mapping.dmp

memory/700-83-0x0000000000000000-mapping.dmp

memory/1484-84-0x0000000000000000-mapping.dmp

memory/864-85-0x0000000000000000-mapping.dmp

memory/628-86-0x0000000000000000-mapping.dmp

memory/1748-87-0x0000000000000000-mapping.dmp

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_4d2ef0d5-1240-4a07-93d0-06481c31e0ad

MD5 93a5aadeec082ffc1bca5aa27af70f52
SHA1 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256 a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SHA512 df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

memory/8756-90-0x0000000000000000-mapping.dmp

memory/8388-89-0x0000000000000000-mapping.dmp

memory/8768-91-0x0000000000000000-mapping.dmp

memory/8856-95-0x0000000000000000-mapping.dmp

memory/8800-92-0x0000000000000000-mapping.dmp

memory/8828-93-0x0000000000000000-mapping.dmp

memory/8880-96-0x0000000000000000-mapping.dmp

memory/8844-94-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

memory/9300-114-0x0000000000000000-mapping.dmp

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK

MD5 4f3a1332a3f015335d9feac94c8322a0
SHA1 39983305d7789255fc10d1e537cd772ce4997a88
SHA256 c49a8bacdce854a0bfa938d8baff71188ff385fd046f70b2deb8f7a91857ce68
SHA512 fabe1f7310ab7e14cff59a7e47554a39e0063c06cc2d1d753f8fddfafd885b98a2b88382986d36351bcbe34aaa700bd4173bf9546ddacbcc2627a76f715a35fc

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

memory/9336-119-0x0000000000000000-mapping.dmp

C:\Documents and Settings\Admin\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\$Recycle.Bin\S-1-5-21-999675638-2867687379-27515722-1000\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\$Recycle.Bin\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

memory/9312-115-0x0000000000000000-mapping.dmp

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache10.lst.RYK

MD5 f1827cf65944f0909e1fee829e7b8757
SHA1 b593a7cf11971bbe61f38df8e0d6d94fb6a80042
SHA256 e3b23775c6130b4c0a8491c2f2265c8b65f5bb664a8f436f27a21df225cb5d57
SHA512 79c62909eacb5c61cf8cb153fd9e9255a0baf9b2add0324c52c3bf3e41f6bd932354a58cf2e447c8a36b5c51c4b9f9dc7b4ae39a352f8593e9ee7fd9c01727e4

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

MD5 e325c762077ffc8509cd208998eda206
SHA1 6e89b7425d4f704f9dc8a2f48edbf5a24cb6124a
SHA256 58d433d769cf415da014da45432a7467a2cada664c23b16ee69c7f2b4ef2eeee
SHA512 e6df08412c713f91aef32ca7516fbd80ce0d4439389b2ef6c999476c2e7fe73a812cff089aa1ce6ba5ce6185382dbeef0d48b5162b2cce0746dada246e20bb05

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db.RYK

MD5 13f521c9b37e4ef9e61048d28e3fd429
SHA1 e5a7635e5d67ecaaabc35fa41aed8a83c9d0adaa
SHA256 93d08c332ffb4f4251976dff7c0a7e629197ceae156e8d0c1ef295dff42ab106
SHA512 b096c6864fa02ccbf7fd592716c6c5cc757df22c533b6ec3c735425472eb7ae14fe10598fc212e08bcc6d2019f479f10b7ae9626883b3e6a62fbd68a32ab9583

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK

MD5 e855e4d68be1f3670b9c54222182ed30
SHA1 d4dad99cfd5f85e88fd57b5103901a909b443f44
SHA256 d74f731e3c4c3fde51070c234f214da31b6becec95afae1d5ba23a00a8311614
SHA512 17037cd9484195a0b5c1c6213e4ddf6661f4ac90c50456b72aca4d7b65eed1298bfde1d70b094ffe3d43f7dbf77a5e937f53c0f37802c34d9c18ebd7f72166a1

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGI456A.tmp-tmp.RYK

MD5 4dca8584107bc18c0e38b64854ba72aa
SHA1 10d06dab95f65cb16fe6dc4552a12cf1b25f9d8e
SHA256 90e3bbebb987b9d0ce330213a00008a2ded5fd002d6cc68b93274b0638b81c92
SHA512 e1c6d993b48793ec35263bfe13130ad0158539bc78a0bc8212ecae6307591caab32f2f815b8758299c9e8869a5ea866cdbf5b27ae7e13d09f714a4559f3d2470

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install.log.RYK

MD5 f4eb25c462818275aa7f4b8ad2cdd6e0
SHA1 dd97f9074afa71eaf3e5d756e99c9f1f1bcb6c42
SHA256 ef71a76f5124ee684c5047dfacc2cce06168054fe29315f845d54396bda9a62a
SHA512 eee20f17855d90866f3d28d1ee679000cdb1713da1e40830ac2eeeb00c74d85e49dc41efcaf97a1a5e4296968e81b3d6e0347800e0fcd70d65f7aba89a871239

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log.RYK

MD5 00d8337394d81d947d35170c4a684f89
SHA1 dbcec9c12f4f7f85a8060ea6b99f3b8f9f78dfcc
SHA256 56f6830bf605e0f9df0999dc361fdfcf4b34d4a568b0f9d1086241224f72142f
SHA512 ed58ad6ce0ed6e8f166fb13d9e22c9f6b00bf4fdccadf3b1ebf68171187e7b976e524b7b77de9903b9f84628a7c788d5b09e898b94eefd67203a9f88ed737e07

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGI456A.tmp.RYK

MD5 4a9b13abb26147580193171c1295ae3d
SHA1 6446abfad92adf8dc59ac6eb485537324fe59245
SHA256 9cae1d59a94d422519501da21c24c81540b03fccabe87361d14eebec940f2f34
SHA512 914cf6783a8ac2d7ee753ea1aa9bb3c1fddd50a6a7e8a763a99ab622e7f1ee72b9c23d8a37e5ba499f50ecd9c23ae75d8275dbabfbae7eedd2e752cf81e31a94

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log.RYK

MD5 b39a3426a6d7c686f5a981c8c1041f89
SHA1 9e760b525bc5fdb9591ebeb9338b783c96e9bec1
SHA256 88c6b9d47619b05bb9e2e3d72a643db3a409a63ef079710c68c5b9d114290a02
SHA512 cd791c4586e0f8cfd382b30c07f2e8d25d352fbcdae905133a9c18f084632d9d629dda66a6b2f4a82dcfa73b576a08839b989bd0b69de643e07412ceea3ee240

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log.RYK

MD5 9f4ef1918167aee28694042ba450fda1
SHA1 ae8030244189982d1e950643b4d4898ef9216369
SHA256 3cce69b355d116bb0e2764107ab47ad6e52705ff67c94a7e9258b50f0e4cec1a
SHA512 674b3661c91d2bf577b4535e7624a9a6a3c0d128de9f40b87e18b275f2714b99cb707939fe26699151ad464133eb5ce063c2bf4fe83b1ba0149880efff4f380d

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Admin.bmp.RYK

MD5 608bc918754568b8561c757d24beed69
SHA1 7f3fbc1f77c46f5cc9488f06da085ce49d0452f8
SHA256 4b4ced0556dcf143a8a0e879d6e8b5c96af23d80a006a86826b3e438dc81f8f9
SHA512 843c2f6c79fa2e4918afb87d2bbee46b0d7a4ac2db3680007d3b91ce036b6255f3b19ae8d435bc2290d98bd8472b53a5fac706cdd01445bd8f774936dd0daffc

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

MD5 2ce0dbda5d9f1375ebf8e2626dcea016
SHA1 5b37e4cefe717115be07e038090cb9e3529e24d5
SHA256 45dc782221ac6486109ceef9c267deba3f0ef333223542917b4055af5d3e4820
SHA512 763153dec5342c873bde53de2378343ad4ff24e9ed8f453daf288f173b54bfaaf96f7c918c2b32838bca1df2e4a8ede09cb29c42a1f8add61a4639bf1a9379ec

memory/9668-135-0x0000000000000000-mapping.dmp

memory/9728-136-0x0000000000000000-mapping.dmp

memory/9752-137-0x0000000000000000-mapping.dmp

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak.RYK

MD5 14fe72f8edfe808e5468f5fb96bb61b1
SHA1 f8fa5b1a926724072ca2ff22b4e04ca5c7999ada
SHA256 1867686b6e382a5f3d4ee76b19175b60977292e9c1f1841c7ddce5c867e86c11
SHA512 844577567f176552763142932eb802bfc3d72ec95fb91a55867b33851a38ad71a7f3e84d01410d2edf0d65dc17c65c8f023d92df3de80dc656c0beaf511525ae

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Media\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00002.jrs.RYK

MD5 bb24816b0e93a1c943838cec7c66238f
SHA1 8fc191fe81825064911cc979f9886d7a6314825e
SHA256 0790dc92e3c9bd588b70164dddfc149ce8db22b2ab2a6cbd0f3a1e03997baa37
SHA512 70f2cbfb3ef99d8a3377ce297c88f0b9ef6777754ef892af610d06081ca1b7269b75933bd4b51ee989926f1437d192eda807d789768d5711cfd8c601a7498346

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb00001.log.RYK

MD5 5f77578b9615d9d8afc29b5589170c1f
SHA1 08efcd421e934d3416aa379557b55efd93322cf1
SHA256 94fabe3de54a1519ba34bb2a56775a6e71281b98ffc7d325fbb2f091204cc9e4
SHA512 04f7035429c39c11adbe66d9ed804e17bde663f389d95c4786a84df51e548d51a53f5c78c88034f59fdc4f7548a6a02e2da6c1a494a6fe75239bd10b5876f919

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt.RYK

MD5 c219d401b84d57bc1d0abb1634e87996
SHA1 18715db929bd7a38f63f926e41ab2e898c2609c9
SHA256 fb1539042e6c18111e0eef4bceb29350e9dfdab72d6f5d24ca81f0bb8744af4e
SHA512 f4c7dcd8a88229df289f6e52d34d7d924b4f2cd65d0ca570f348921260b31293a49330853af51caa4c6f96058509d01ad1e276859a8cff4ccbdf3732bf6ab1ac

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.chk.RYK

MD5 1ddbd92923bc83165c9282ffb39adfd8
SHA1 2b9cab32593c2aeebe38276534af4d0fe4dbf1fc
SHA256 44c7136928df0371356fd7040dd4d9ab742c506d3b10d7fb0f017a88899157e3
SHA512 48f036b8f7f9e45cd08e699434276f921a85eb0ab7f5bc2577a4bc8b84fd5cd7bdd413d8ff8481baab0056f323c5e34c82c5a6e82c4286b816fb572d03fef9db

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\LocalMLS_3.wmdb.RYK

MD5 dca99170b6a27702d379a4e5dbc100f4
SHA1 603894f11166a48b322de94372bfcb7e202f778e
SHA256 714f4b6dd713a06d9636f2404e5ac86ece8380aaaff2ed4a13c627cdc18d9532
SHA512 e20463e11c033e6647f47533919e7e7c28549a86dbc9fd6dec131b8e7b05a76c6ab4571e88d03d8b57c88bfae3b2f04f746499900144d6a9d72f070cf9b7ae79

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

memory/1216-160-0x000000013FA40000-0x000000013FBA4000-memory.dmp

memory/66804-161-0x0000000000000000-mapping.dmp

memory/66832-162-0x0000000000000000-mapping.dmp

memory/75136-163-0x0000000000000000-mapping.dmp

memory/75164-164-0x0000000000000000-mapping.dmp

memory/78088-165-0x0000000000000000-mapping.dmp

memory/78132-166-0x0000000000000000-mapping.dmp