ryuk | 2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357

Analysis

max time kernel
162s
max time network
49s
platform
windows7_x64
resource
win7v20210408
submitted
26-07-2021 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
Size

122KB
MD5

268c8c879f67be89dbb020bf0844d9e0
SHA1

631ae3e5bb0b791c2926829a00e99154c94621c9
SHA256

2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357
SHA512

047ddf54dc13b455528ec3370e02c0ca006bd86b207a6b7dabb86390f0dcf7d194196876fdf44a6e6556a6b32210e71edb2889ff1071fb899795e6373d75fb52

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you encrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at TonoErrando@protonmail.com or TonoErrando@tutanota.com You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

TonoErrando@protonmail.com

TonoErrando@tutanota.com

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops desktop.ini file(s) 64 IoCs

Processes:

taskhost.exe2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NU1L7O13\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VNYR844D\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\Sample Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Games\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\Sample Music\desktop.ini	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Documents and Settings\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\VFDYFLB4\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Public\Recorded TV\Sample Media\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\desktop.ini	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E9RC2MV6\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Maintenance\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\P8HHGB03\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Music\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Public\Libraries\desktop.ini	taskhost.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\HNHPAZTY\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\X8SF34HL\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Recent\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Contacts\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Links\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\Sample Videos\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Downloads\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Searches\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\VFDYFLB4\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Startup\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Public\Downloads\desktop.ini	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Default\SendTo\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Public\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe

Drops file in Program Files directory 64 IoCs

Processes:

2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exetaskhost.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core_zh_CN.jar	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\vlc.mo	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\1047x576black.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.bat	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.logging_1.1.1.v201101211721.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_ja.jar	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBUI6.CHM	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21390_.GIF.RYK	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\RyukReadMe.txt	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Vladivostok	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.resources_3.9.1.v20140825-1431.jar	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\RyukReadMe.txt	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_ButtonGraphic.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\settings.js	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02794_.WMF	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18217_.WMF	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Casey	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Anadyr	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241043.WMF	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\or\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\COMPASS.ELM	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_h.png	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239935.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18180_.WMF	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV.HXS	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR2B.GIF	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_ja.jar	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\RyukReadMe.txt	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0237336.WMF	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png.RYK	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.SF.RYK	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18236_.WMF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-nodes_zh_CN.jar	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0174952.JPG	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00828_.WMF	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-next-static.png	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\startNetworkServer	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Luis	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_thunderstorm.png	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01356_.WMF	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14655_.GIF	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\MSB1ENES.ITS	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\as80.xsl	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00440_.WMF	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02161_.WMF	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Austin.eftx	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_zh_4.4.0.v20140623020002.jar	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Chatham	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR44B.GIF	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Salta	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188519.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME07.CSS	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\WATER.INF	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15022_.GIF	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-spi-actions.xml_hidden	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RyukReadMe.txt	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\RyukReadMe.txt	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe

pid process

1840 2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE

pid	process
1840	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exetaskhost.exe

description	pid	process
Token: SeDebugPrivilege	1840	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
Token: SeBackupPrivilege	1120	taskhost.exe
Token: SeBackupPrivilege	1840	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe

Suspicious use of FindShellTrayWindow 18 IoCs

Processes:

Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe

description	pid	process	target process
PID 1840 wrote to memory of 1120	1840	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe	taskhost.exe
PID 1840 wrote to memory of 1172	1840	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe	Dwm.exe
PID 1840 wrote to memory of 1212	1840	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1212

C:\Users\Admin\AppData\Local\Temp\2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
"C:\Users\Admin\AppData\Local\Temp\2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe"
2⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1120

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK
MD5
744111548b16eea3d013f07b40629149

SHA1
22c746d464ef0a6dcf664b2daf334471b0d79bbc

SHA256
9aa68fc7ee29b89a2848e35aa496c265fc6de772aee0f7eb01476775e0590b66

SHA512
51a8c03c3bc8b47fd1bc27a5b0f5bfa9d5f970b9cfc6dfe7ca0486253efc4cf46a592c5c5417fe0011b027f342e65b51ee19065ec3143986dde64a068ef0ad97

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache10.lst.RYK
MD5
ab9da09ea1b933707cd2d197473e99e2

SHA1
1e4fd12df400c2c546714018f147f69049b4bc13

SHA256
7daf7dc4dd01ff00646bebb65c37b7537d742a6850e5023ae92f1eaf424df3e9

SHA512
10e1d4871f99e0465ebb50734a4179c51814f8192e77f81d22573da01515621a9b4b99c72f00891bea7b358d4e17f921f631b2c46e9e909b67f6b2f699df1910

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
MD5
a58fb45f22d05566a8ffaf81921e892b

SHA1
887acba88fe5e2652e2c9bee2c9df3e962bafeee

SHA256
b5a92aff1917ab562d2a2ca65b3a9e3b4b8b98f90f1e6ef870fd8e559508899a

SHA512
33596d4c6dee6845c129bedbae9e46ade2daf92763e527c79644fe3ba7411c39848bcd3868c966e564cab7816101867dba9ea9e9d6db3335d1313786d54ef032

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
MD5
9f8b052fd6ad4afee8d08704718871a3

SHA1
b7e6dc67952bad57a8ed667544973097dc1bac94

SHA256
353a8310644121b0b9cdf09302f953a070ff1e77069391d075b4553a4937f1b1

SHA512
c241c0018f9b23102d8c127239f7f7d5b4ac3a8e021c1a75ae7aaabef36120707413e38c9411631cdca8fc76ce7f8196d59b9bf697ae08605043a684023f08a6

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK
MD5
146f772ff15763dc5bf62f3fd3f6bdcc

SHA1
8dc044799ac10dc187925ed284761fcaa1a961a9

SHA256
241264a06c83c1f6ce71bf8efc74e0f1fc8e6c6c6df07aed0c93434babb0bdf0

SHA512
be380dd9a8241f08f0233e3df526618191479179514af6055be5ea772f952088dc1de9de766ce6f1fb070b9e09093b7abfc7bf2c03b9408ec630890a3847561d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db.RYK
MD5
ec48dee7efc0c0b8ef737c1ffbbda4c7

SHA1
ff372c5db7094d7cd905818bb36368eb64d2c397

SHA256
be1f362888641f8ce7139f80c09cd050e84ad09571b87fd54eb5762aab83dff6

SHA512
fb409236102c6c3f4c04b82ff51db340dfe6f1a6df504bd782d0e5ecdf62383352e8ddc9d1f437933e9be11d72ab031f5e55283d455434a8adfd0f5a908f86f4

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Admin.bmp.RYK
MD5
0b3089c321422037d0393946b508c9d5

SHA1
2441f7aeb9fb25b2001ceab5884312e903e3d969

SHA256
eb6611c57ef451892335effa498ead4c2ff0165e4801174ba0f42e6b4a980838

SHA512
8135f55067fd758ea83e9ae3ed06cfe8af8d008f8d5b3970455c7988ef8fca04dccc4ac8077b858c6ae21e68d788e98864036407e38f3041cf953c5ac4c4fa6c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log.RYK
MD5
30f59479e9a45965ea820825e48eacf0

SHA1
4ae3e8ee50366cf432a6c8b804a8d71b6dd8fb7a

SHA256
212918e30f19d9c18407c14a6cd54457165753804cd96999c898982701c7136e

SHA512
afb6284e07609831f024d86e55c24c0d7edc162d544aba9249559ddf025cee549d9b1f6e5a6e81086c6b63b53ab64498fa17b776cf874bc04d1f8e8aa8c86bed

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGI26D3.tmp-tmp.RYK
MD5
90c594e50aa684c5c9afb2da5d35184c

SHA1
e9fd45fa2da222515f20537d34d32aedc46d2c38

SHA256
c0e49b348e6ca3b475d3ab8e6aa67d260c62a56391edc36597ee5b316dd34a85

SHA512
e8d402995fb05f2628a6eb47dea8a4fff10d3ffa7ea5475540f94b76b2b3c600281d3e2cfb67e4ec61dd9cbea4e79547e20568313447048e48b21fea8824fdeb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGI26D3.tmp.RYK
MD5
cace264e63cccf1b61821166a2bddf95

SHA1
243c09363ba78c0b52ccf5eba60eb8d710cdc8a8

SHA256
9b94ebe563e06d9de0bc023aed9765392d4aef546af4b2281e0ac34691f2e68a

SHA512
c7eb6f633d43557c9e253e678d19417d181d79307080dd6dcf609b7ff77aa270d0506568ff597955ee70a03e870cff6d08d4f1c9e3f1341483cf73f213cd6e37

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\WPDNSE\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install.log.RYK
MD5
57d0e483ac09c51e877b27762385baef

SHA1
439cf722454f4b8db4df97a01b0be4754e70c4b3

SHA256
2f3d6b3ada8bcc0da93be05fd03c1ce781b9adbb3a0238d857bacd8ea891f852

SHA512
ad132ef1d410718d201e70abf910ae86e6f3a064b1f8e3a626dbf95d3f9b133d0df03e9366c9ba7b28073e66b0c988b77ff8bfb9c797a49b5d30987dc69ac9e9

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log.RYK
MD5
0bd6188d89093e85ceeefa571ae23d4d

SHA1
b6d3372040cf371b548334188891b83f5e97629c

SHA256
3bb41ae9e82d50cb8990e9984bbbc857894a86953c81462db8d625a3cdc36cfe

SHA512
5ba015b33cf3bb8999179c5e238d1efa0e1f414871fb29a4b1f4cc65aec73139c1ac1e3a0d98cba6df46309d16f6495edd5990dfdd39e1e2480b28bfc0b5dded

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log.RYK
MD5
c89b3429336ee8fe0f98317918aec6c8

SHA1
014e0523e4e4d6087a40214ea37474b2ad0d0b6a

SHA256
d77b1e4a89b354ce15dbf4fc74b509ab78ec2eae4c4e38c6a564b3349f220a9b

SHA512
0f9c99f4e5aa726f3dafd97001fe31baf82a92b86cee2d2d29bde5189e88e8e332f25aa0b823a789eba21bf0de7b93d384c807042ebe18dd823d92fd117c89e6

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini.RYK
MD5
9039f668dfa604e9f2e7a3452cce0e61

SHA1
0ebe9f324a91c344dc7c163eb5622869b68f7d74

SHA256
cb1466cecaba3fd7976de3f046620742f19869e1fcaa71997be5ce3220d26dd5

SHA512
6064bd348a06bbc16bc61c6c94866777b8c34a9d0c59f113fcd42e4ae389b8f1c07a1a82bd751996ee2b016723517b7c4b76abdcdeff71048f85efafcda3cf34

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini.RYK
MD5
a5c58a74ebae0b0610d0f29ad0d78e2a

SHA1
e842f13d4b469101e07f1973001cfc813bcda3e6

SHA256
b5f7ed6296fa47b0ede63cb5aa8ed077953c5e211c7ec7bfe1e7e9b94b055d9d

SHA512
81b459cda241f8ed1dc17e80752cea9d433cf32da8fe52a0d9ef1ef94ddaec506f74e73875ed1238315a3cec1a3c65e40aa1ac7b8234829a14b386943548fe67

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK
MD5
8679f985039f06b71e6a3a27b04b01ae

SHA1
4fe205a982583cdced674a4f57c7c99aa76ee449

SHA256
5837c947af41a0826130b5aaee117a5f269e0286ed6d666510a06b4310f2dc78

SHA512
836a1267b2751b1b5bc238e1d9597f9c84f40bde8fe89aef8b3ce270e204a788aab34de42bfd567acb594a20385a4a955aa28236551fe6ba8b3e597516c089df

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak.RYK
MD5
48765000951b4fdfeee6d5600de6eeab

SHA1
e5e3f2914c1549f551adc86b8919a7f861b2d9f0

SHA256
fecc85e554425f5f7e866f3bdd047699e0975b78fb85327376a4172fdcda85dd

SHA512
02b0afccd4a030139dbce5ce9ab61724ccc565d4a3954a6712c6bd109371c3b5be4e745d7a91669bb0b29e877c4983abe824abd9387ba7493e2a099b4d78756a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt.RYK
MD5
6fc11db265bd968b98ef73021dbafd6d

SHA1
33934e4daf635681e6f1cf142edf2c9466976eaf

SHA256
64b6d63b678e65950a46932ede1c964bc69e5e1753080005355503c803d7e789

SHA512
86cf8ce5b2b798244a3d86979941e4914c7a0b190ee690cc000ee176f5a016514b94f32aae06233d0e3b564e100cf77528f09e02b936f3bb76ef691e61f524ef

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\LocalMLS_3.wmdb.RYK
MD5
a24d3d5d1871f8e7d276fdcb7807531d

SHA1
00b739807d656970930e5f07e3a4448e4b657061

SHA256
d0b5b0331163e26e13156b2e13bbcbe55e069286035802d5a2ed218a130e64b3

SHA512
c461e13f3f5455d2a1d8d69df9f35be499b1c15008c7fce663853242787580c497e634f81148e506ae202e715c2889985be48af8f8b1230ba4d1748b2c738b85

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\User\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.chk.RYK
MD5
0a2e1043de26be067a1e90fa2b009c25

SHA1
1e388c84c1a42f1894144852133d3a4ca3b4b6f6

SHA256
42f5951becacf16af893ce651f98099b179bf50a26a51313a69dabda0583a09b

SHA512
a2c12624e4cf0ac03e00a878bbab28dca8c132957cea7f64b500ab3fd0c07940e52a8b96b1954515dd1c0090cf9cdeaaa60f5c297b45b37e773f2b6c23606360

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.log.RYK
MD5
362f247a52917890f496053a62cd879f

SHA1
f4f48edc383ec95903cea80ccd894503bb9b8687

SHA256
e8adbe229f331f6cf791d301c7278aa454bb1ab9fb47061e62968a55582bccd1

SHA512
8a6efd9d48a3b245ab90469cea51101cb10d8b060cec55051f007d3646e7311b9c1931514e5e1a6c319298208168ecf5e8aef92e46cfa2ee234c80b9aae92904

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb00001.log.RYK
MD5
d651c2b88c01d6f83888670fad0414b9

SHA1
bae325d7aa507682a960836f73a7c5d93b7a7175

SHA256
39f275fa634d50dc857de35e1fab9fa33e7f18e55ce429fd5f7ecccd20be76dc

SHA512
8038cd534cfc6a654249f04207c59012c5e4666e4ff6a0653a257942f1272de33d564a3cfe28a50b68d254f12c5875d7e9bb703c28f91ebbb97d988337abc7bc

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00001.jrs.RYK
MD5
15d78f87daa98c0f28a7cae007251ca4

SHA1
0bf5c66b055677eed6dc41da2034b6b6e64146a4

SHA256
e8add9616fe0512932e89d8fa7aec6e7db38ea07d410c726f1037d1e342ddff4

SHA512
b454b96031011d7c62304bbba26ef21e9f8f7226d54e15a3865b2f783f4f25bd60a6eaec98e1348173ad41fdd7c11bed90e085eeaed2537bc9c4afe9ad6531dd

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00002.jrs.RYK
MD5
debf9662298d876d864717a8ddf1cc2f

SHA1
d2ef9f725c1abf8b930beeda7ccde11328177e5e

SHA256
2012a2f0fbd8d3efd461be2290ef2aa241c8db81a85d624b71529b3afde59cfc

SHA512
50bbd0ac9b1e4e62f5aa0a7635ecbaefc6fd754eb35c29ab77db6e51645b53dc83ce1d4457d406a2beff5cdcf6d109ef02acbc5c55a0d8fb023f0a80166b7aa8

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\oeold.xml.RYK
MD5
682e586aa0a136467607f04a1e70f529

SHA1
7c6ecc5306a325bd73e7c83a61b14f8c163fe973

SHA256
b81614b668075719a00f281f89e35f00e508b95f0af7148776ce69a234d55db2

SHA512
9155efd9d117f25ac67cc156fc3040b5d585d267ed00048fd19e1811390b5f16a2973bd33bd7b335378ee2675c73f6d9f887dc9ff77a7e9982ba70006c39ed88

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Media\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\PowerShell\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\Documents and Settings\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_14c10c19-3a0b-4ef0-8928-af871cb14c00
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.txt
MD5
1c0c5c986e8049f76288ccb16a436f8e

SHA1
bac174e2747c9acb5591b4af750df98f3ec3a3ea

SHA256
a11c79ba5eefda5b8a215c930a7f3213884bf67bdb80c384d244b5b5e2bd5a20

SHA512
631d25940754491c44220f0ea29b9b4109f7e693e1ffa6e295cf77c0a2eca6fb12ab054b641da92e89e9c30c79d53c254be97e132a31c6f1115aab620b7d4e16

Download Submit
memory/1120-60-0x000000013F740000-0x000000013FAC1000-memory.dmp

Filesize
3.5MB

Download
memory/1212-61-0x00000000029D0000-0x00000000029E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads