Analysis
- max time kernel: 141s
- max time network: 73s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 26-07-2021 12:59

Static task: static1

Behavioral task: behavioral1
- Sample: 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
- Resource: win7v20210408

Behavioral task: behavioral2
- Sample: 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
- Resource: win10v20210408

General
- Target: 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
- Size: 132KB
- MD5: ab3681a8456319f1330f7525ec6935c3
- SHA1: 244e178e2073247893025bd51eb7618173bbac29
- SHA256: 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb
- SHA512: 63e795ba9d18e5de28ed390810d3d61f97d7db4e8e5f49d57d567331697a83447a4d169386b7b3b08fb76f02683aa9f9c273d4ea52ee1517370554c8e6f4d42d
Malware Config
Extracted:
- Path: C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
- Family: ryuk
- Email: orfhissipmay1970@protonmail.com
Signatures
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTPs, 4 IoCs)
  Processes (pid, process): 964 bcdedit.exe; 1988 bcdedit.exe; 3320 bcdedit.exe; 3620 bcdedit.exe
- Executes dropped EXE (2 IoCs)
  Processes (pid, process): 1768 GnbrVovnalan.exe; 1244 CHzchNQeHlan.exe
- Loads dropped DLL (4 IoCs)
  Processes (pid, process): 1344 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe, listed four times (one row per IoC)
- Modifies file permissions (1 TTPs, 4 IoCs)
  Processes (pid, process): 920 icacls.exe; 1952 icacls.exe; 1084 icacls.exe; 1688 icacls.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Registry IoCs (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\EV = "\ufffe\ufffeC:\\Users\\Admin\\AppData\\Local\\Temp\\1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe" (reg.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (reg.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\EV = "\ufffe\ufffeC:\\Windows\\system32\\taskhost.exe" (reg.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (reg.exe)
- Drops file in Program Files directory (64 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid, process): 2008 vssadmin.exe; 2484 vssadmin.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid, process): 1344 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe (6 rows); 1124 taskhost.exe (2 rows)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes (indentation shows parent/child depth in the process tree)
- C:\Windows\system32\Dwm.exe
  Command: "C:\Windows\system32\Dwm.exe"
- C:\Windows\system32\taskhost.exe
  Command: taskhost.exe
  Signatures: Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command: cmd /c "WMIC.exe shadowcopy delete"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe
      Command: WMIC.exe shadowcopy delete
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command: cmd /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\bcdedit.exe
      Command: bcdedit /set {default} recoveryenabled No
      Signatures: Modifies boot configuration data using bcdedit
    - C:\Windows\system32\bcdedit.exe
      Command: bcdedit /set {default}
      Signatures: Modifies boot configuration data using bcdedit
  - C:\Windows\system32\cmd.exe
    Command: cmd /c "vssadmin.exe Delete Shadows /all /quiet"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command: vssadmin.exe Delete Shadows /all /quiet
      Signatures: Interacts with shadow copies
  - C:\Windows\system32\cmd.exe
    Command: cmd /c "bootstatuspolicy ignoreallfailures"
  - C:\Windows\system32\icacls.exe
    Command: icacls "C:\*" /grant Everyone:F /T /C /Q
    Signatures: Modifies file permissions
  - C:\Windows\system32\icacls.exe
    Command: icacls "D:\*" /grant Everyone:F /T /C /Q
    Signatures: Modifies file permissions
  - C:\Windows\System32\cmd.exe
    Command: "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f /reg:64
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe
      Command: REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f /reg:64
      Signatures: Adds Run key to start application
  - C:\Windows\System32\net.exe
    Command: "C:\Windows\System32\net.exe" stop "samss" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command: C:\Windows\system32\net1 stop "samss" /y
  - C:\Windows\System32\net.exe
    Command: "C:\Windows\System32\net.exe" stop "samss" /y
    - C:\Windows\system32\net1.exe
      Command: C:\Windows\system32\net1 stop "samss" /y
  - C:\Windows\System32\net.exe
    Command: "C:\Windows\System32\net.exe" stop "samss" /y
    - C:\Windows\system32\net1.exe
      Command: C:\Windows\system32\net1 stop "samss" /y
- C:\Users\Admin\AppData\Local\Temp\1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe"
  Signatures: Loads dropped DLL; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\GnbrVovnalan.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\GnbrVovnalan.exe" 8 LAN
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\CHzchNQeHlan.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\CHzchNQeHlan.exe" 8 LAN
    Signatures: Executes dropped EXE
  - C:\Windows\System32\net.exe
    Command: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
  - C:\Windows\System32\net.exe
    Command: "C:\Windows\System32\net.exe" stop "samss" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command: C:\Windows\system32\net1 stop "samss" /y
  - C:\Windows\system32\cmd.exe
    Command: cmd /c "WMIC.exe shadowcopy delete"
    - C:\Windows\System32\Wbem\WMIC.exe
      Command: WMIC.exe shadowcopy delete
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command: cmd /c "vssadmin.exe Delete Shadows /all /quiet"
    - C:\Windows\system32\vssadmin.exe
      Command: vssadmin.exe Delete Shadows /all /quiet
      Signatures: Interacts with shadow copies
  - C:\Windows\system32\cmd.exe
    Command: cmd /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
    - C:\Windows\system32\bcdedit.exe
      Command: bcdedit /set {default} recoveryenabled No
      Signatures: Modifies boot configuration data using bcdedit
    - C:\Windows\system32\bcdedit.exe
      Command: bcdedit /set {default}
      Signatures: Modifies boot configuration data using bcdedit
  - C:\Windows\system32\cmd.exe
    Command: cmd /c "bootstatuspolicy ignoreallfailures"
  - C:\Windows\system32\icacls.exe
    Command: icacls "C:\*" /grant Everyone:F /T /C /Q
    Signatures: Modifies file permissions
  - C:\Windows\system32\icacls.exe
    Command: icacls "D:\*" /grant Everyone:F /T /C /Q
    Signatures: Modifies file permissions
  - C:\Windows\System32\cmd.exe
    Command: "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe" /f /reg:64
    - C:\Windows\system32\reg.exe
      Command: REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe" /f /reg:64
      Signatures: Adds Run key to start application
  - C:\Windows\System32\net.exe
    Command: "C:\Windows\System32\net.exe" stop "samss" /y
    - C:\Windows\system32\net1.exe
      Command: C:\Windows\system32\net1 stop "samss" /y
  - C:\Windows\System32\net.exe
    Command: "C:\Windows\System32\net.exe" stop "samss" /y
    - C:\Windows\system32\net1.exe
      Command: C:\Windows\system32\net1 stop "samss" /y
  - C:\Windows\System32\net.exe
    Command: "C:\Windows\System32\net.exe" stop "samss" /y
    - C:\Windows\system32\net1.exe
      Command: C:\Windows\system32\net1 stop "samss" /y
  - C:\Windows\System32\net.exe
    Command: "C:\Windows\System32\net.exe" stop "samss" /y
    - C:\Windows\system32\net1.exe
      Command: C:\Windows\system32\net1 stop "samss" /y
  - C:\Windows\System32\net.exe
    Command: "C:\Windows\System32\net.exe" stop "samss" /y
    - C:\Windows\system32\net1.exe
      Command: C:\Windows\system32\net1 stop "samss" /y
- C:\Windows\system32\vssvc.exe
  Command: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Downloads
7bdfdf81095c9c8ae1dd5354671b2ba9
SHA104fb9b8c837c7409f15e7198b68bd4ac7d88fbfd
SHA2565f34eea43d1e3d76156a53316830c76aea2ef32efb7ee5fc679e1c776328a61f
SHA51223cf14d21a0385d45c9cad3c1d5ce66aa8f8dec8b367aa12217dc888a828d336b4b9c5e6c68d4cb4304a2d53e7f0b0c7bf00d3a68d78763b36644c18090155c6
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.logMD5
3f2048d8c615c26a1985b68c04693567
SHA12923ce76ddd635063bb717cbbb20a56f3b816677
SHA256ef2f08ad7fe0f2a71bbd99a92da3b89a33819dd60514ddbb1970fab1b5f645fe
SHA51240b4bbd4d7e4f96d0e9046403347cadd6fe015f48967367a614fddcef42e029842c8224ea189f96dd41401a2de347abe64cf20772d994875c90887d9d3e5b6a8
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYKMD5
5af44387b1c6d8063a9d4600a95ef9af
SHA17a833e17f8036b93b1c30b6a166d9eb6106011d8
SHA25633580135ae87bb20a9244dba4a6c47dae5c03ebea3ff35400ebd748059737003
SHA51273e5b2e8755838fad3d53186687ef7b209b8198a97e375ee3ad7f34e2369fa030de11f637d178083a1e5cabb1de04b14739d6d500d12e846a06b0453d8ad67a6
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak.RYKMD5
374571ec2039fcb0bf1316109a118fbb
SHA1e7a0dabec97d514b3dbcfbbd28149a2064abb5f8
SHA256a6a36a0a1be0b6b4f61a4065fa02d3f5f9b2c106037b168e03a07443cdfea61c
SHA5129bd01472457fbec13054f1056c7eff4bcc1ea1ad8bf4a3a59cdb60c2351b7ed24efa3be3e22c91880913471551322f8d674940d530a7092105f530d9ff039680
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt.RYKMD5
f65b37804040dae97320562dd45e71d2
SHA1dda49e0bf161f5784a1e4bd05b651f0a4afcfb88
SHA256938738f0f1f9df3b2d769fb77849a9a5195d032d44360977d4990470bfa42b0d
SHA51244819bee38fa59815d2e835b74ca3299ffacc245fb4365ad2a6e58dce848b7252f693590e21f96fe62d9117e18a117772760b25ff9894a9437a0f307eed6d08f
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\LocalMLS_3.wmdb.RYKMD5
169d32d5d7eb1f74bcc06af844ab7253
SHA1d707cf7901b6b00576bed3c6763165a6858bf518
SHA256110e501f89d6519b0b2c56fd8d31785cba535b996bc561af7ec36505ff685cf2
SHA512047913d235a3c9b70399c960f2ce8a460645412c264119f2da73e8ca8c42cd7b87534e41bdf55a4544aadc41f1eb6156827e0998abfc39c401bc43c85a179a4a
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.htmMD5
64defb6a52de1fa5988fd297590455bf
SHA188282ddbedaba77f7fd164bd29e42df2e3d29ca9
SHA2563146d67686e3ea90c01811c517b605543f4568860b17ece6bae4dc9fe3490bb6
SHA51223566a84332823d8dde950d42375b1c0630755bd4c3d45b61008b3de9a20547eeea0356c9dcecbc8cac5310688d6776792919651acfc619b4c0afaeae9f44310
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\WindowsMail.pat.RYKMD5
91aab16fba4de4a2c137e32c1b7ddb69
SHA141a729ac6a814b52193b25e60da4e82ee50a8f5d
SHA256f968932ef36abe25c273b6624cea8fe6308037a8ec119b2f3e04ec415b7267cf
SHA51292588d92616323adb2a79fdca650b9744d2f4aa30d8a2457f2d04f07ea460af45edf4a42fc0ba50aa71a6d3e8f5c1a0fe6663a827162f8585c02bddf99a0ed1d
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.chk.RYKMD5
504b5fb33e46b8f6db9a7670203a097d
SHA108fb26f58a4ad6e3b3c63cd1d8ec4022430be453
SHA25617c395f263a802cfa9270f65b6febf3f3d2c633d449ecdd954cb9cd5abbc05e7
SHA512e6e84d62f658f98af1740356fb086634d73908f508fa24ca33b00fe6327ce6ed9a5f60bd9e17672ce5e6ffb535889c58bd3f4bb6db048efe344f9beaec91add6
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.logMD5
6a48ff79f7b882ff26abd21748ef6319
SHA19c56274cc2961b933789de84af05f8f57e1edf96
SHA256802b922c0e2cc593b124f86402dab69a345237d4d724a4140751d3a669fd751a
SHA5129e2ff45901c02b32ede0753e5088d42d63c59da41e027efa6d3ac32f5cdc5701ccd0eba9b6c24c35638cb00f0cf812fbba550c6b70712744d52a0f658eff2008
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Media\12.0\WMSDKNS.DTD
MD5 cf3f312d1ea206151b7fff83d72f5fd0
SHA1 11786b08d4476e3897284079fb907d6b33669548
SHA256 c3703012360f32dcac860043a0d33ce0d9c0b7b52ec4263bbb89edfacadd8441
SHA512 4b61dc147562d40cbe3166d7546ea3598d61f95f643a7968fa90540f1d514f85e0a7bb2fad1031eaa5559677efc70bebaf83abcd77ff57c19b0b511607d96bdc
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Media\12.0\WMSDKNS.XML
MD5 8380f90c9d518f2589343cb87f4e3d0c
SHA1 16483b6056119d770dc88ea1b3cc5ffd476d3ded
SHA256 cc445413a4123faa17af0fa4939c5dcce61e8bd5288570bbe5eae2274c9ab1a3
SHA512 d7274fa3d12dd8627823e69dbbc000415b1660ba1e45c639313f231b26b92a5284a6e05b759dac3407fb1134c6d97256c213e6e5cf401d7d328e7852e7b66a72
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Media\RyukReadMe.html
MD5 1b2f46ac9409aa473abd073633285531
SHA1 4accb2cefe1579d6d1193f067940bc3e20dce752
SHA256 13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA512 69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\RyukReadMe.html
MD5 1b2f46ac9409aa473abd073633285531
SHA1 4accb2cefe1579d6d1193f067940bc3e20dce752
SHA256 13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA512 69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.html
MD5 1b2f46ac9409aa473abd073633285531
SHA1 4accb2cefe1579d6d1193f067940bc3e20dce752
SHA256 13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA512 69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.html
MD5 1b2f46ac9409aa473abd073633285531
SHA1 4accb2cefe1579d6d1193f067940bc3e20dce752
SHA256 13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA512 69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.html
MD5 1b2f46ac9409aa473abd073633285531
SHA1 4accb2cefe1579d6d1193f067940bc3e20dce752
SHA256 13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA512 69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.html
MD5 1b2f46ac9409aa473abd073633285531
SHA1 4accb2cefe1579d6d1193f067940bc3e20dce752
SHA256 13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA512 69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.html
MD5 1b2f46ac9409aa473abd073633285531
SHA1 4accb2cefe1579d6d1193f067940bc3e20dce752
SHA256 13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA512 69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.html
MD5 1b2f46ac9409aa473abd073633285531
SHA1 4accb2cefe1579d6d1193f067940bc3e20dce752
SHA256 13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA512 69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\RyukReadMe.html
MD5 1b2f46ac9409aa473abd073633285531
SHA1 4accb2cefe1579d6d1193f067940bc3e20dce752
SHA256 13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA512 69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html
MD5 1b2f46ac9409aa473abd073633285531
SHA1 4accb2cefe1579d6d1193f067940bc3e20dce752
SHA256 13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA512 69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Documents and Settings\Admin\AppData\RyukReadMe.html
MD5 1b2f46ac9409aa473abd073633285531
SHA1 4accb2cefe1579d6d1193f067940bc3e20dce752
SHA256 13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA512 69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Documents and Settings\Admin\RyukReadMe.html
MD5 1b2f46ac9409aa473abd073633285531
SHA1 4accb2cefe1579d6d1193f067940bc3e20dce752
SHA256 13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA512 69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Documents and Settings\RyukReadMe.html
MD5 1b2f46ac9409aa473abd073633285531
SHA1 4accb2cefe1579d6d1193f067940bc3e20dce752
SHA256 13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA512 69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_14c10c19-3a0b-4ef0-8928-af871cb14c00
MD5 93a5aadeec082ffc1bca5aa27af70f52
SHA1 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256 a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SHA512 df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45
-
C:\RyukReadMe.html
MD5 1b2f46ac9409aa473abd073633285531
SHA1 4accb2cefe1579d6d1193f067940bc3e20dce752
SHA256 13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA512 69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Users\Admin\AppData\Local\Temp\CHzchNQeHlan.exe
MD5 ab3681a8456319f1330f7525ec6935c3
SHA1 244e178e2073247893025bd51eb7618173bbac29
SHA256 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb
SHA512 63e795ba9d18e5de28ed390810d3d61f97d7db4e8e5f49d57d567331697a83447a4d169386b7b3b08fb76f02683aa9f9c273d4ea52ee1517370554c8e6f4d42d
-
C:\Users\Admin\AppData\Local\Temp\GnbrVovnalan.exe
MD5 ab3681a8456319f1330f7525ec6935c3
SHA1 244e178e2073247893025bd51eb7618173bbac29
SHA256 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb
SHA512 63e795ba9d18e5de28ed390810d3d61f97d7db4e8e5f49d57d567331697a83447a4d169386b7b3b08fb76f02683aa9f9c273d4ea52ee1517370554c8e6f4d42d
-
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5 1b2f46ac9409aa473abd073633285531
SHA1 4accb2cefe1579d6d1193f067940bc3e20dce752
SHA256 13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA512 69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
\Users\Admin\AppData\Local\Temp\CHzchNQeHlan.exe
MD5 ab3681a8456319f1330f7525ec6935c3
SHA1 244e178e2073247893025bd51eb7618173bbac29
SHA256 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb
SHA512 63e795ba9d18e5de28ed390810d3d61f97d7db4e8e5f49d57d567331697a83447a4d169386b7b3b08fb76f02683aa9f9c273d4ea52ee1517370554c8e6f4d42d
-
\Users\Admin\AppData\Local\Temp\GnbrVovnalan.exe
MD5 ab3681a8456319f1330f7525ec6935c3
SHA1 244e178e2073247893025bd51eb7618173bbac29
SHA256 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb
SHA512 63e795ba9d18e5de28ed390810d3d61f97d7db4e8e5f49d57d567331697a83447a4d169386b7b3b08fb76f02683aa9f9c273d4ea52ee1517370554c8e6f4d42d
-
memory/240-77-0x0000000000000000-mapping.dmp
-
memory/432-92-0x0000000000000000-mapping.dmp
-
memory/544-75-0x0000000000000000-mapping.dmp
-
memory/588-71-0x0000000000000000-mapping.dmp
-
memory/920-79-0x0000000000000000-mapping.dmp
-
memory/964-82-0x0000000000000000-mapping.dmp
-
memory/1016-76-0x0000000000000000-mapping.dmp
-
memory/1076-90-0x0000000000000000-mapping.dmp
-
memory/1084-94-0x0000000000000000-mapping.dmp
-
memory/1120-78-0x0000000000000000-mapping.dmp
-
memory/1124-70-0x000000013F890000-0x000000013F9F3000-memory.dmp
Filesize 1.4MB
-
memory/1176-74-0x000000013F890000-0x000000013F9F3000-memory.dmp
Filesize 1.4MB
-
memory/1244-67-0x0000000000000000-mapping.dmp
-
memory/1344-60-0x000007FEFBB31000-0x000007FEFBB33000-memory.dmp
Filesize 8KB
-
memory/1536-69-0x0000000000000000-mapping.dmp
-
memory/1572-72-0x0000000000000000-mapping.dmp
-
memory/1588-83-0x0000000000000000-mapping.dmp
-
memory/1684-93-0x0000000000000000-mapping.dmp
-
memory/1688-95-0x0000000000000000-mapping.dmp
-
memory/1688-84-0x0000000000000000-mapping.dmp
-
memory/1708-85-0x0000000000000000-mapping.dmp
-
memory/1748-73-0x0000000000000000-mapping.dmp
-
memory/1768-63-0x0000000000000000-mapping.dmp
-
memory/1952-80-0x0000000000000000-mapping.dmp
-
memory/1988-91-0x0000000000000000-mapping.dmp
-
memory/1988-88-0x0000000000000000-mapping.dmp
-
memory/2000-87-0x0000000000000000-mapping.dmp
-
memory/2008-81-0x0000000000000000-mapping.dmp
-
memory/2040-86-0x0000000000000000-mapping.dmp
-
memory/2080-96-0x0000000000000000-mapping.dmp
-
memory/2452-111-0x0000000000000000-mapping.dmp
-
memory/2484-122-0x0000000000000000-mapping.dmp
-
memory/2800-120-0x0000000000000000-mapping.dmp
-
memory/2872-121-0x0000000000000000-mapping.dmp
-
memory/3308-141-0x0000000000000000-mapping.dmp
-
memory/3320-142-0x0000000000000000-mapping.dmp
-
memory/3620-150-0x0000000000000000-mapping.dmp
-
memory/45620-161-0x0000000000000000-mapping.dmp
-
memory/45648-162-0x0000000000000000-mapping.dmp
-
memory/48324-163-0x0000000000000000-mapping.dmp
-
memory/48352-164-0x0000000000000000-mapping.dmp
-
memory/49640-165-0x0000000000000000-mapping.dmp
-
memory/49680-166-0x0000000000000000-mapping.dmp
-
memory/79156-167-0x0000000000000000-mapping.dmp
-
memory/79560-168-0x0000000000000000-mapping.dmp
-
memory/82616-169-0x0000000000000000-mapping.dmp
-
memory/83036-170-0x0000000000000000-mapping.dmp
-
memory/83052-171-0x0000000000000000-mapping.dmp
-
memory/83080-172-0x0000000000000000-mapping.dmp