ryuk | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb

Analysis

max time kernel
141s
max time network
73s
platform
windows7_x64
resource
win7v20210408
submitted
26-07-2021 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
Size

132KB
MD5

ab3681a8456319f1330f7525ec6935c3
SHA1

244e178e2073247893025bd51eb7618173bbac29
SHA256

1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb
SHA512

63e795ba9d18e5de28ed390810d3d61f97d7db4e8e5f49d57d567331697a83447a4d169386b7b3b08fb76f02683aa9f9c273d4ea52ee1517370554c8e6f4d42d

Score

10^/10

ryuk discovery evasion persistence ransomware

Malware Config

Extracted

Path

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

Family

ryuk

Ransom Note

orfhissipmay1970@protonmail.com balance of shadow universe Ryuk

Emails

orfhissipmay1970@protonmail.com

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

964 bcdedit.exe
1988 bcdedit.exe
3320 bcdedit.exe
3620 bcdedit.exe
Executes dropped EXE 2 IoCs

Processes:

GnbrVovnalan.exeCHzchNQeHlan.exe

pid process

1768 GnbrVovnalan.exe
1244 CHzchNQeHlan.exe

pid	process
964	bcdedit.exe
1988	bcdedit.exe
3320	bcdedit.exe
3620	bcdedit.exe

pid	process
1768	GnbrVovnalan.exe
1244	CHzchNQeHlan.exe

Loads dropped DLL 4 IoCs

Processes:

1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe

pid	process
1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exe

pid process

920 icacls.exe
1952 icacls.exe
1084 icacls.exe
1688 icacls.exe

pid	process
920	icacls.exe
1952	icacls.exe
1084	icacls.exe
1688	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\EV = "\ufffe\ufffeC:\\Users\\Admin\\AppData\\Local\\Temp\\1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\EV = "\ufffe\ufffeC:\\Windows\\system32\\taskhost.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exetaskhost.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\CST6CDT	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_SelectionSubpicture.png	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\management.properties	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_ja_4.4.0.v20140623020002.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-common.jar	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_dot.png	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Center	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-enumerations.xml	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ru.jar	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Asuncion	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Wake	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Curacao	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore.xmi_2.10.1.v20140901-1043.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_zh_CN.jar	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\az\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui_5.5.0.165303.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\.lastModified.RYK	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_zh_CN.jar	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Creston	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\RyukReadMe.html	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Brussels	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_ja_4.4.0.v20140623020002.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fontconfig.bfc	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+9.RYK	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\London	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\SecretST.TTF	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.zh_CN_5.5.0.165303.jar	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\RyukReadMe.html	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_SelectionSubpicture.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Ndjamena	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_rainy.png	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedbck2.gif	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_ja.jar	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\winamp2.xml	taskhost.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-crescent_partly-cloudy.png	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Moncton	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\settings.css	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_ja_4.4.0.v20140623020002.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_zh_4.4.0.v20140623020002.jar	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty.png	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile16.png	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\default_thumb.jpg	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png	taskhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2008 vssadmin.exe
2484 vssadmin.exe
Runs net.exe

pid	process
2008	vssadmin.exe
2484	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exetaskhost.exe

pid	process
1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1124	taskhost.exe
1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1124	taskhost.exe
1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskhost.exe1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exeGnbrVovnalan.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	1124	taskhost.exe
Token: SeBackupPrivilege	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
Token: SeBackupPrivilege	1768	GnbrVovnalan.exe
Token: SeIncreaseQuotaPrivilege	1588	WMIC.exe
Token: SeSecurityPrivilege	1588	WMIC.exe
Token: SeTakeOwnershipPrivilege	1588	WMIC.exe
Token: SeLoadDriverPrivilege	1588	WMIC.exe
Token: SeSystemProfilePrivilege	1588	WMIC.exe
Token: SeSystemtimePrivilege	1588	WMIC.exe
Token: SeProfSingleProcessPrivilege	1588	WMIC.exe
Token: SeIncBasePriorityPrivilege	1588	WMIC.exe
Token: SeCreatePagefilePrivilege	1588	WMIC.exe
Token: SeBackupPrivilege	1588	WMIC.exe
Token: SeRestorePrivilege	1588	WMIC.exe
Token: SeShutdownPrivilege	1588	WMIC.exe
Token: SeDebugPrivilege	1588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1588	WMIC.exe
Token: SeRemoteShutdownPrivilege	1588	WMIC.exe
Token: SeUndockPrivilege	1588	WMIC.exe
Token: SeManageVolumePrivilege	1588	WMIC.exe
Token: 33	1588	WMIC.exe
Token: 34	1588	WMIC.exe
Token: 35	1588	WMIC.exe
Token: SeBackupPrivilege	1088	vssvc.exe
Token: SeRestorePrivilege	1088	vssvc.exe
Token: SeAuditPrivilege	1088	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2800	WMIC.exe
Token: SeSecurityPrivilege	2800	WMIC.exe
Token: SeTakeOwnershipPrivilege	2800	WMIC.exe
Token: SeLoadDriverPrivilege	2800	WMIC.exe
Token: SeSystemProfilePrivilege	2800	WMIC.exe
Token: SeSystemtimePrivilege	2800	WMIC.exe
Token: SeProfSingleProcessPrivilege	2800	WMIC.exe
Token: SeIncBasePriorityPrivilege	2800	WMIC.exe
Token: SeCreatePagefilePrivilege	2800	WMIC.exe
Token: SeBackupPrivilege	2800	WMIC.exe
Token: SeRestorePrivilege	2800	WMIC.exe
Token: SeShutdownPrivilege	2800	WMIC.exe
Token: SeDebugPrivilege	2800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2800	WMIC.exe
Token: SeRemoteShutdownPrivilege	2800	WMIC.exe
Token: SeUndockPrivilege	2800	WMIC.exe
Token: SeManageVolumePrivilege	2800	WMIC.exe
Token: 33	2800	WMIC.exe
Token: 34	2800	WMIC.exe
Token: 35	2800	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1588	WMIC.exe
Token: SeSecurityPrivilege	1588	WMIC.exe
Token: SeTakeOwnershipPrivilege	1588	WMIC.exe
Token: SeLoadDriverPrivilege	1588	WMIC.exe
Token: SeSystemProfilePrivilege	1588	WMIC.exe
Token: SeSystemtimePrivilege	1588	WMIC.exe
Token: SeProfSingleProcessPrivilege	1588	WMIC.exe
Token: SeIncBasePriorityPrivilege	1588	WMIC.exe
Token: SeCreatePagefilePrivilege	1588	WMIC.exe
Token: SeBackupPrivilege	1588	WMIC.exe
Token: SeRestorePrivilege	1588	WMIC.exe
Token: SeShutdownPrivilege	1588	WMIC.exe
Token: SeDebugPrivilege	1588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1588	WMIC.exe
Token: SeRemoteShutdownPrivilege	1588	WMIC.exe
Token: SeUndockPrivilege	1588	WMIC.exe
Token: SeManageVolumePrivilege	1588	WMIC.exe
Token: 33	1588	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exenet.exenet.exetaskhost.execmd.execmd.execmd.exenet.execmd.exe

description	pid	process	target process
PID 1344 wrote to memory of 1768	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	GnbrVovnalan.exe
PID 1344 wrote to memory of 1768	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	GnbrVovnalan.exe
PID 1344 wrote to memory of 1768	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	GnbrVovnalan.exe
PID 1344 wrote to memory of 1244	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	CHzchNQeHlan.exe
PID 1344 wrote to memory of 1244	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	CHzchNQeHlan.exe
PID 1344 wrote to memory of 1244	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	CHzchNQeHlan.exe
PID 1344 wrote to memory of 1124	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	taskhost.exe
PID 1344 wrote to memory of 1536	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	net.exe
PID 1344 wrote to memory of 1536	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	net.exe
PID 1344 wrote to memory of 1536	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	net.exe
PID 1344 wrote to memory of 588	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	net.exe
PID 1344 wrote to memory of 588	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	net.exe
PID 1344 wrote to memory of 588	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	net.exe
PID 1344 wrote to memory of 1176	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	Dwm.exe
PID 1536 wrote to memory of 1572	1536	net.exe	net1.exe
PID 1536 wrote to memory of 1572	1536	net.exe	net1.exe
PID 1536 wrote to memory of 1572	1536	net.exe	net1.exe
PID 588 wrote to memory of 1748	588	net.exe	net1.exe
PID 588 wrote to memory of 1748	588	net.exe	net1.exe
PID 588 wrote to memory of 1748	588	net.exe	net1.exe
PID 1124 wrote to memory of 544	1124	taskhost.exe	cmd.exe
PID 1124 wrote to memory of 544	1124	taskhost.exe	cmd.exe
PID 1124 wrote to memory of 544	1124	taskhost.exe	cmd.exe
PID 1124 wrote to memory of 1016	1124	taskhost.exe	cmd.exe
PID 1124 wrote to memory of 1016	1124	taskhost.exe	cmd.exe
PID 1124 wrote to memory of 1016	1124	taskhost.exe	cmd.exe
PID 1124 wrote to memory of 240	1124	taskhost.exe	cmd.exe
PID 1124 wrote to memory of 240	1124	taskhost.exe	cmd.exe
PID 1124 wrote to memory of 240	1124	taskhost.exe	cmd.exe
PID 1124 wrote to memory of 1120	1124	taskhost.exe	cmd.exe
PID 1124 wrote to memory of 1120	1124	taskhost.exe	cmd.exe
PID 1124 wrote to memory of 1120	1124	taskhost.exe	cmd.exe
PID 1124 wrote to memory of 920	1124	taskhost.exe	icacls.exe
PID 1124 wrote to memory of 920	1124	taskhost.exe	icacls.exe
PID 1124 wrote to memory of 920	1124	taskhost.exe	icacls.exe
PID 1124 wrote to memory of 1952	1124	taskhost.exe	icacls.exe
PID 1124 wrote to memory of 1952	1124	taskhost.exe	icacls.exe
PID 1124 wrote to memory of 1952	1124	taskhost.exe	icacls.exe
PID 1016 wrote to memory of 2008	1016	cmd.exe	vssadmin.exe
PID 1016 wrote to memory of 2008	1016	cmd.exe	vssadmin.exe
PID 1016 wrote to memory of 2008	1016	cmd.exe	vssadmin.exe
PID 240 wrote to memory of 964	240	cmd.exe	bcdedit.exe
PID 240 wrote to memory of 964	240	cmd.exe	bcdedit.exe
PID 240 wrote to memory of 964	240	cmd.exe	bcdedit.exe
PID 544 wrote to memory of 1588	544	cmd.exe	WMIC.exe
PID 544 wrote to memory of 1588	544	cmd.exe	WMIC.exe
PID 544 wrote to memory of 1588	544	cmd.exe	WMIC.exe
PID 1124 wrote to memory of 1688	1124	taskhost.exe	cmd.exe
PID 1124 wrote to memory of 1688	1124	taskhost.exe	cmd.exe
PID 1124 wrote to memory of 1688	1124	taskhost.exe	cmd.exe
PID 1124 wrote to memory of 1708	1124	taskhost.exe	net.exe
PID 1124 wrote to memory of 1708	1124	taskhost.exe	net.exe
PID 1124 wrote to memory of 1708	1124	taskhost.exe	net.exe
PID 1708 wrote to memory of 2040	1708	net.exe	net1.exe
PID 1708 wrote to memory of 2040	1708	net.exe	net1.exe
PID 1708 wrote to memory of 2040	1708	net.exe	net1.exe
PID 1688 wrote to memory of 2000	1688	cmd.exe	reg.exe
PID 1688 wrote to memory of 2000	1688	cmd.exe	reg.exe
PID 1688 wrote to memory of 2000	1688	cmd.exe	reg.exe
PID 240 wrote to memory of 1988	240	cmd.exe	bcdedit.exe
PID 240 wrote to memory of 1988	240	cmd.exe	bcdedit.exe
PID 240 wrote to memory of 1988	240	cmd.exe	bcdedit.exe
PID 1344 wrote to memory of 1076	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	cmd.exe
PID 1344 wrote to memory of 1076	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	cmd.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\system32\cmd.exe
cmd /c "WMIC.exe shadowcopy delete"
2⤵
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\System32\Wbem\WMIC.exe
WMIC.exe shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\system32\cmd.exe
cmd /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
2⤵
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No
3⤵
- Modifies boot configuration data using bcdedit
PID:964

C:\Windows\system32\bcdedit.exe
bcdedit /set {default}
3⤵
- Modifies boot configuration data using bcdedit
PID:1988

C:\Windows\system32\cmd.exe
cmd /c "vssadmin.exe Delete Shadows /all /quiet"
2⤵
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2008

C:\Windows\system32\cmd.exe
cmd /c "bootstatuspolicy ignoreallfailures"
2⤵
PID:1120

C:\Windows\system32\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:920

C:\Windows\system32\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f /reg:64
2⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f /reg:64
3⤵
- Adds Run key to start application
PID:2000

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2040

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:48324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:48352

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:82616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:83036

C:\Users\Admin\AppData\Local\Temp\1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
"C:\Users\Admin\AppData\Local\Temp\1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1344

C:\Users\Admin\AppData\Local\Temp\GnbrVovnalan.exe
"C:\Users\Admin\AppData\Local\Temp\GnbrVovnalan.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Users\Admin\AppData\Local\Temp\CHzchNQeHlan.exe
"C:\Users\Admin\AppData\Local\Temp\CHzchNQeHlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:1244

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1572

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1748

C:\Windows\system32\cmd.exe
cmd /c "WMIC.exe shadowcopy delete"
2⤵
PID:1076

C:\Windows\System32\Wbem\WMIC.exe
WMIC.exe shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\system32\cmd.exe
cmd /c "vssadmin.exe Delete Shadows /all /quiet"
2⤵
PID:1988

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2484

C:\Windows\system32\cmd.exe
cmd /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
2⤵
PID:432

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No
3⤵
- Modifies boot configuration data using bcdedit
PID:3320

C:\Windows\system32\bcdedit.exe
bcdedit /set {default}
3⤵
- Modifies boot configuration data using bcdedit
PID:3620

C:\Windows\system32\cmd.exe
cmd /c "bootstatuspolicy ignoreallfailures"
2⤵
PID:1684

C:\Windows\system32\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1084

C:\Windows\system32\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe" /f /reg:64
2⤵
PID:2080

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe" /f /reg:64
3⤵
- Adds Run key to start application
PID:3308

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:2452

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2872

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:45620

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:45648

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:49640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:49680

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:79156

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:79560

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:83052

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:83080

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1088

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\$Recycle.Bin\S-1-5-21-2455352368-1077083310-2879168483-1000\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK
MD5
8a9aadfc35cc2fbcb6855a747c03398c

SHA1
a6e9a2f249fa3bdbc59a2bc727a8a43bf87f2f6f

SHA256
6221c230747e4f7bca71f2f8072f29c07996296f4e217440903a320e60b8c802

SHA512
5647ff6233224416a139c3adc80c1a2bea60d478cf29e7f5ba61600c95fc22fd99ade7a95447c6d5d52b72a02eb6e6974e07a305eb4e21a1868aad04b6cf6a5d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache10.lst.RYK
MD5
96c313c3ea3ece49054a654b86f7584d

SHA1
e522dd4ea8d820f777ec093df0a9c6aab4886b1d

SHA256
a8ac31fd345316a4d454aa8336f88b601c544a731b6589ecbbd2b45a51f5042c

SHA512
c0995a7d17769b0785e56b88def42bf9b08a384c3ccdb71aef2f1edaf7821d19e6032cc395857ff42ca4fd5d01e38e7618fdf9047514d56e14fd051d47a24b2a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
MD5
9d17b804d7dd1ccf08d1000ac189ec75

SHA1
21ea2615d1ca3bf5bcf5733b2b8efae8b7b77a7b

SHA256
401a395fcf4350d9ef4bff4b376abc3e48e01e29d94208eff00bd167015271e0

SHA512
8f43fbb4a18f6047566daa78c09cf52898b73f7e72acb0f3e38f1964f4b2de083266b534b2cdf58477a25912d0b9030663e74c46e035abd092a357dcb5a88695

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
MD5
1f384a7dd5e69e3dab2dc8c4136aa46b

SHA1
43ecf98e34c6bb9b7169690856cbb34fe2a3b2b8

SHA256
bcbe9757f65913298671e4d95eadcd98274520b39fee920780570b15e73d471b

SHA512
8b1f6a5a2cb26b13d4d9e6c132bafa9eb4b2dbc79f12a387e17d8d80a26061d3a1f06c041a3f4fcdd936b8b7bf807ac83fce860144516889f82596449cb90a3e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db.RYK
MD5
2678aac13fc99e354cf5a6791b0ce0e2

SHA1
20097e7bd999f3f28949ebbcba2b0b30d5d3abf4

SHA256
828ee69afca34f91cdd61ce268ffabbd0dd6e05ed140ffbeced65eed716ba6d3

SHA512
78893a3ced6828efa9e0e068a9d443c68c43e80fc7ecd51ea5046fb2f919d970e8eb699c11c8159b322e1590fa2800d5858f638380655b0c5d3b37f5d77ac5d5

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00000.log
MD5
7bdfdf81095c9c8ae1dd5354671b2ba9

SHA1
04fb9b8c837c7409f15e7198b68bd4ac7d88fbfd

SHA256
5f34eea43d1e3d76156a53316830c76aea2ef32efb7ee5fc679e1c776328a61f

SHA512
23cf14d21a0385d45c9cad3c1d5ce66aa8f8dec8b367aa12217dc888a828d336b4b9c5e6c68d4cb4304a2d53e7f0b0c7bf00d3a68d78763b36644c18090155c6

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
MD5
3f2048d8c615c26a1985b68c04693567

SHA1
2923ce76ddd635063bb717cbbb20a56f3b816677

SHA256
ef2f08ad7fe0f2a71bbd99a92da3b89a33819dd60514ddbb1970fab1b5f645fe

SHA512
40b4bbd4d7e4f96d0e9046403347cadd6fe015f48967367a614fddcef42e029842c8224ea189f96dd41401a2de347abe64cf20772d994875c90887d9d3e5b6a8

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK
MD5
5af44387b1c6d8063a9d4600a95ef9af

SHA1
7a833e17f8036b93b1c30b6a166d9eb6106011d8

SHA256
33580135ae87bb20a9244dba4a6c47dae5c03ebea3ff35400ebd748059737003

SHA512
73e5b2e8755838fad3d53186687ef7b209b8198a97e375ee3ad7f34e2369fa030de11f637d178083a1e5cabb1de04b14739d6d500d12e846a06b0453d8ad67a6

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak.RYK
MD5
374571ec2039fcb0bf1316109a118fbb

SHA1
e7a0dabec97d514b3dbcfbbd28149a2064abb5f8

SHA256
a6a36a0a1be0b6b4f61a4065fa02d3f5f9b2c106037b168e03a07443cdfea61c

SHA512
9bd01472457fbec13054f1056c7eff4bcc1ea1ad8bf4a3a59cdb60c2351b7ed24efa3be3e22c91880913471551322f8d674940d530a7092105f530d9ff039680

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt.RYK
MD5
f65b37804040dae97320562dd45e71d2

SHA1
dda49e0bf161f5784a1e4bd05b651f0a4afcfb88

SHA256
938738f0f1f9df3b2d769fb77849a9a5195d032d44360977d4990470bfa42b0d

SHA512
44819bee38fa59815d2e835b74ca3299ffacc245fb4365ad2a6e58dce848b7252f693590e21f96fe62d9117e18a117772760b25ff9894a9437a0f307eed6d08f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\LocalMLS_3.wmdb.RYK
MD5
169d32d5d7eb1f74bcc06af844ab7253

SHA1
d707cf7901b6b00576bed3c6763165a6858bf518

SHA256
110e501f89d6519b0b2c56fd8d31785cba535b996bc561af7ec36505ff685cf2

SHA512
047913d235a3c9b70399c960f2ce8a460645412c264119f2da73e8ca8c42cd7b87534e41bdf55a4544aadc41f1eb6156827e0998abfc39c401bc43c85a179a4a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.htm
MD5
64defb6a52de1fa5988fd297590455bf

SHA1
88282ddbedaba77f7fd164bd29e42df2e3d29ca9

SHA256
3146d67686e3ea90c01811c517b605543f4568860b17ece6bae4dc9fe3490bb6

SHA512
23566a84332823d8dde950d42375b1c0630755bd4c3d45b61008b3de9a20547eeea0356c9dcecbc8cac5310688d6776792919651acfc619b4c0afaeae9f44310

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\WindowsMail.pat.RYK
MD5
91aab16fba4de4a2c137e32c1b7ddb69

SHA1
41a729ac6a814b52193b25e60da4e82ee50a8f5d

SHA256
f968932ef36abe25c273b6624cea8fe6308037a8ec119b2f3e04ec415b7267cf

SHA512
92588d92616323adb2a79fdca650b9744d2f4aa30d8a2457f2d04f07ea460af45edf4a42fc0ba50aa71a6d3e8f5c1a0fe6663a827162f8585c02bddf99a0ed1d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.chk.RYK
MD5
504b5fb33e46b8f6db9a7670203a097d

SHA1
08fb26f58a4ad6e3b3c63cd1d8ec4022430be453

SHA256
17c395f263a802cfa9270f65b6febf3f3d2c633d449ecdd954cb9cd5abbc05e7

SHA512
e6e84d62f658f98af1740356fb086634d73908f508fa24ca33b00fe6327ce6ed9a5f60bd9e17672ce5e6ffb535889c58bd3f4bb6db048efe344f9beaec91add6

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.log
MD5
6a48ff79f7b882ff26abd21748ef6319

SHA1
9c56274cc2961b933789de84af05f8f57e1edf96

SHA256
802b922c0e2cc593b124f86402dab69a345237d4d724a4140751d3a669fd751a

SHA512
9e2ff45901c02b32ede0753e5088d42d63c59da41e027efa6d3ac32f5cdc5701ccd0eba9b6c24c35638cb00f0cf812fbba550c6b70712744d52a0f658eff2008

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.log
MD5
6a48ff79f7b882ff26abd21748ef6319

SHA1
9c56274cc2961b933789de84af05f8f57e1edf96

SHA256
802b922c0e2cc593b124f86402dab69a345237d4d724a4140751d3a669fd751a

SHA512
9e2ff45901c02b32ede0753e5088d42d63c59da41e027efa6d3ac32f5cdc5701ccd0eba9b6c24c35638cb00f0cf812fbba550c6b70712744d52a0f658eff2008

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Media\12.0\WMSDKNS.DTD
MD5
cf3f312d1ea206151b7fff83d72f5fd0

SHA1
11786b08d4476e3897284079fb907d6b33669548

SHA256
c3703012360f32dcac860043a0d33ce0d9c0b7b52ec4263bbb89edfacadd8441

SHA512
4b61dc147562d40cbe3166d7546ea3598d61f95f643a7968fa90540f1d514f85e0a7bb2fad1031eaa5559677efc70bebaf83abcd77ff57c19b0b511607d96bdc

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Media\12.0\WMSDKNS.XML
MD5
8380f90c9d518f2589343cb87f4e3d0c

SHA1
16483b6056119d770dc88ea1b3cc5ffd476d3ded

SHA256
cc445413a4123faa17af0fa4939c5dcce61e8bd5288570bbe5eae2274c9ab1a3

SHA512
d7274fa3d12dd8627823e69dbbc000415b1660ba1e45c639313f231b26b92a5284a6e05b759dac3407fb1134c6d97256c213e6e5cf401d7d328e7852e7b66a72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Media\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Documents and Settings\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_14c10c19-3a0b-4ef0-8928-af871cb14c00
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHzchNQeHlan.exe
MD5
ab3681a8456319f1330f7525ec6935c3

SHA1
244e178e2073247893025bd51eb7618173bbac29

SHA256
1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb

SHA512
63e795ba9d18e5de28ed390810d3d61f97d7db4e8e5f49d57d567331697a83447a4d169386b7b3b08fb76f02683aa9f9c273d4ea52ee1517370554c8e6f4d42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GnbrVovnalan.exe
MD5
ab3681a8456319f1330f7525ec6935c3

SHA1
244e178e2073247893025bd51eb7618173bbac29

SHA256
1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb

SHA512
63e795ba9d18e5de28ed390810d3d61f97d7db4e8e5f49d57d567331697a83447a4d169386b7b3b08fb76f02683aa9f9c273d4ea52ee1517370554c8e6f4d42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
\Users\Admin\AppData\Local\Temp\CHzchNQeHlan.exe
MD5
ab3681a8456319f1330f7525ec6935c3

SHA1
244e178e2073247893025bd51eb7618173bbac29

SHA256
1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb

SHA512
63e795ba9d18e5de28ed390810d3d61f97d7db4e8e5f49d57d567331697a83447a4d169386b7b3b08fb76f02683aa9f9c273d4ea52ee1517370554c8e6f4d42d

Download Submit
\Users\Admin\AppData\Local\Temp\CHzchNQeHlan.exe
MD5
ab3681a8456319f1330f7525ec6935c3

SHA1
244e178e2073247893025bd51eb7618173bbac29

SHA256
1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb

SHA512
63e795ba9d18e5de28ed390810d3d61f97d7db4e8e5f49d57d567331697a83447a4d169386b7b3b08fb76f02683aa9f9c273d4ea52ee1517370554c8e6f4d42d

Download Submit
\Users\Admin\AppData\Local\Temp\GnbrVovnalan.exe
MD5
ab3681a8456319f1330f7525ec6935c3

SHA1
244e178e2073247893025bd51eb7618173bbac29

SHA256
1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb

SHA512
63e795ba9d18e5de28ed390810d3d61f97d7db4e8e5f49d57d567331697a83447a4d169386b7b3b08fb76f02683aa9f9c273d4ea52ee1517370554c8e6f4d42d

Download Submit
\Users\Admin\AppData\Local\Temp\GnbrVovnalan.exe
MD5
ab3681a8456319f1330f7525ec6935c3

SHA1
244e178e2073247893025bd51eb7618173bbac29

SHA256
1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb

SHA512
63e795ba9d18e5de28ed390810d3d61f97d7db4e8e5f49d57d567331697a83447a4d169386b7b3b08fb76f02683aa9f9c273d4ea52ee1517370554c8e6f4d42d

Download Submit
memory/240-77-0x0000000000000000-mapping.dmp

Download
memory/432-92-0x0000000000000000-mapping.dmp

Download
memory/544-75-0x0000000000000000-mapping.dmp

Download
memory/588-71-0x0000000000000000-mapping.dmp

Download
memory/920-79-0x0000000000000000-mapping.dmp

Download
memory/964-82-0x0000000000000000-mapping.dmp

Download
memory/1016-76-0x0000000000000000-mapping.dmp

Download
memory/1076-90-0x0000000000000000-mapping.dmp

Download
memory/1084-94-0x0000000000000000-mapping.dmp

Download
memory/1120-78-0x0000000000000000-mapping.dmp

Download
memory/1124-70-0x000000013F890000-0x000000013F9F3000-memory.dmp

Filesize
1.4MB

Download
memory/1176-74-0x000000013F890000-0x000000013F9F3000-memory.dmp

Filesize
1.4MB

Download
memory/1244-67-0x0000000000000000-mapping.dmp

Download
memory/1344-60-0x000007FEFBB31000-0x000007FEFBB33000-memory.dmp

Filesize
8KB

Download
memory/1536-69-0x0000000000000000-mapping.dmp

Download
memory/1572-72-0x0000000000000000-mapping.dmp

Download
memory/1588-83-0x0000000000000000-mapping.dmp

Download
memory/1684-93-0x0000000000000000-mapping.dmp

Download
memory/1688-95-0x0000000000000000-mapping.dmp

Download
memory/1688-84-0x0000000000000000-mapping.dmp

Download
memory/1708-85-0x0000000000000000-mapping.dmp

Download
memory/1748-73-0x0000000000000000-mapping.dmp

Download
memory/1768-63-0x0000000000000000-mapping.dmp

Download
memory/1952-80-0x0000000000000000-mapping.dmp

Download
memory/1988-91-0x0000000000000000-mapping.dmp

Download
memory/1988-88-0x0000000000000000-mapping.dmp

Download
memory/2000-87-0x0000000000000000-mapping.dmp

Download
memory/2008-81-0x0000000000000000-mapping.dmp

Download
memory/2040-86-0x0000000000000000-mapping.dmp

Download
memory/2080-96-0x0000000000000000-mapping.dmp

Download
memory/2452-111-0x0000000000000000-mapping.dmp

Download
memory/2484-122-0x0000000000000000-mapping.dmp

Download
memory/2800-120-0x0000000000000000-mapping.dmp

Download
memory/2872-121-0x0000000000000000-mapping.dmp

Download
memory/3308-141-0x0000000000000000-mapping.dmp

Download
memory/3320-142-0x0000000000000000-mapping.dmp

Download
memory/3620-150-0x0000000000000000-mapping.dmp

Download
memory/45620-161-0x0000000000000000-mapping.dmp

Download
memory/45648-162-0x0000000000000000-mapping.dmp

Download
memory/48324-163-0x0000000000000000-mapping.dmp

Download
memory/48352-164-0x0000000000000000-mapping.dmp

Download
memory/49640-165-0x0000000000000000-mapping.dmp

Download
memory/49680-166-0x0000000000000000-mapping.dmp

Download
memory/79156-167-0x0000000000000000-mapping.dmp

Download
memory/79560-168-0x0000000000000000-mapping.dmp

Download
memory/82616-169-0x0000000000000000-mapping.dmp

Download
memory/83036-170-0x0000000000000000-mapping.dmp

Download
memory/83052-171-0x0000000000000000-mapping.dmp

Download
memory/83080-172-0x0000000000000000-mapping.dmp

Download