ryuk | 0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f

Analysis

max time kernel
168s
max time network
138s
platform
windows7_x64
resource
win7-en-20211208
submitted
19-02-2022 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
Size

203KB
MD5

ea9759d8023c9f6f269fbd0875561783
SHA1

1c4c718294647cb7df8dae914100394f2668715a
SHA256

0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f
SHA512

2be12260b22224132c27f60c8943303c89210d58b22acc5efce03fb379d912254493df9eee97a7d1777faf7bf5702537331373711690d9621e642cf698140e81

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Only we have exclusive decryption software, suitable for your situation. More than a year ago, world experts recognized the impossibility of such encryption deciphering by any means except the original decoder. No decryption software is available in the public. Antivirus companies, researchers, IT specialists, and any other persons cannot help you to decipher the data. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM � files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us a [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops desktop.ini file(s) 64 IoCs

Processes:

0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exetaskhost.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Desktop.ini	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Links\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Searches\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Maintenance\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\Sample Music\desktop.ini	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Music\desktop.ini	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\Sample Music\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\Sample Videos\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
File opened for modification	C:\Documents and Settings\Admin\Contacts\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Music\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\Sample Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	taskhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exetaskhost.exe

pid	process
1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
1124	taskhost.exe
1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
1124	taskhost.exe
1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
1124	taskhost.exe
1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exetaskhost.exe

description	pid	process
Token: SeDebugPrivilege	1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
Token: SeBackupPrivilege	1124	taskhost.exe
Token: SeBackupPrivilege	1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exenet.exenet.exenet.exetaskhost.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1660 wrote to memory of 1124	1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	taskhost.exe
PID 1660 wrote to memory of 2044	1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 1660 wrote to memory of 2044	1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 1660 wrote to memory of 2044	1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 1660 wrote to memory of 1180	1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	Dwm.exe
PID 1660 wrote to memory of 1628	1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 1660 wrote to memory of 1628	1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 1660 wrote to memory of 1628	1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 1660 wrote to memory of 980	1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 1660 wrote to memory of 980	1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 1660 wrote to memory of 980	1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 2044 wrote to memory of 1104	2044	net.exe	net1.exe
PID 2044 wrote to memory of 1104	2044	net.exe	net1.exe
PID 2044 wrote to memory of 1104	2044	net.exe	net1.exe
PID 1628 wrote to memory of 1516	1628	net.exe	net1.exe
PID 1628 wrote to memory of 1516	1628	net.exe	net1.exe
PID 1628 wrote to memory of 1516	1628	net.exe	net1.exe
PID 980 wrote to memory of 1532	980	net.exe	net1.exe
PID 980 wrote to memory of 1532	980	net.exe	net1.exe
PID 980 wrote to memory of 1532	980	net.exe	net1.exe
PID 1124 wrote to memory of 1140	1124	taskhost.exe	net.exe
PID 1124 wrote to memory of 1140	1124	taskhost.exe	net.exe
PID 1124 wrote to memory of 1140	1124	taskhost.exe	net.exe
PID 1140 wrote to memory of 1264	1140	net.exe	net1.exe
PID 1140 wrote to memory of 1264	1140	net.exe	net1.exe
PID 1140 wrote to memory of 1264	1140	net.exe	net1.exe
PID 1124 wrote to memory of 1780	1124	taskhost.exe	net.exe
PID 1124 wrote to memory of 1780	1124	taskhost.exe	net.exe
PID 1124 wrote to memory of 1780	1124	taskhost.exe	net.exe
PID 1780 wrote to memory of 1608	1780	net.exe	net1.exe
PID 1780 wrote to memory of 1608	1780	net.exe	net1.exe
PID 1780 wrote to memory of 1608	1780	net.exe	net1.exe
PID 1660 wrote to memory of 568	1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 1660 wrote to memory of 568	1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 1660 wrote to memory of 568	1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 568 wrote to memory of 2040	568	net.exe	net1.exe
PID 568 wrote to memory of 2040	568	net.exe	net1.exe
PID 568 wrote to memory of 2040	568	net.exe	net1.exe
PID 1660 wrote to memory of 6152	1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 1660 wrote to memory of 6152	1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 1660 wrote to memory of 6152	1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 6152 wrote to memory of 6344	6152	net.exe	net1.exe
PID 6152 wrote to memory of 6344	6152	net.exe	net1.exe
PID 6152 wrote to memory of 6344	6152	net.exe	net1.exe
PID 1124 wrote to memory of 6636	1124	taskhost.exe	net.exe
PID 1124 wrote to memory of 6636	1124	taskhost.exe	net.exe
PID 1124 wrote to memory of 6636	1124	taskhost.exe	net.exe
PID 6636 wrote to memory of 6660	6636	net.exe	net1.exe
PID 6636 wrote to memory of 6660	6636	net.exe	net1.exe
PID 6636 wrote to memory of 6660	6636	net.exe	net1.exe
PID 1660 wrote to memory of 9580	1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 1660 wrote to memory of 9580	1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 1660 wrote to memory of 9580	1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 9580 wrote to memory of 9604	9580	net.exe	net1.exe
PID 9580 wrote to memory of 9604	9580	net.exe	net1.exe
PID 9580 wrote to memory of 9604	9580	net.exe	net1.exe
PID 1660 wrote to memory of 16952	1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 1660 wrote to memory of 16952	1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 1660 wrote to memory of 16952	1660	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 16952 wrote to memory of 16976	16952	net.exe	net1.exe
PID 16952 wrote to memory of 16976	16952	net.exe	net1.exe
PID 16952 wrote to memory of 16976	16952	net.exe	net1.exe
PID 1124 wrote to memory of 17000	1124	taskhost.exe	net.exe
PID 1124 wrote to memory of 17000	1124	taskhost.exe	net.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1264

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1608

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:6636

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6660

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:17000

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:17024

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Users\Admin\AppData\Local\Temp\0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
"C:\Users\Admin\AppData\Local\Temp\0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:1104

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1516

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1532

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2040

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:6152

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6344

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:9580

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:9604

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:16952

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:16976

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:17288

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:17312

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:1216

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK
MD5
1ecb7c74dbf04129fad3215d8593eb9c

SHA1
ab9a736480b84052248e3d77fe8366771f886bca

SHA256
8bb921a52c0c1a72bbaef2fcf1be60d1a0866200281e13eb243728a3ebe5aa2d

SHA512
5f12adbd14b8e4e69a25a1e76f72d3f558db4d49526ef8d505015a888166b510a8f124324ff12f6a694035ca5712d951934cfeb1b687084004f3d80f6609bb8d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache10.lst.RYK
MD5
6841d1cf3109cdeefacef980f75b68ed

SHA1
58bc5881e04fc1b5265804ad97de149105160230

SHA256
f593b6a50dbe577a9c9ba65d8a47dc46edd08a5eb5fa89dbaad362d202cf8c3d

SHA512
578244cbca0c1ea94caa5642e395dcc204e19f7b736bb7d4b251dd23aba6eab1e06d770d8840c3fd9e62f17f62e1496e9ae782a55cc3993843ffba43a32441a5

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Color\Profiles\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wscRGB.icc
MD5
43240b61f6f3c6f47858e1ff2a5ba04c

SHA1
3eba62ab672a522f00aee62044c14af503da0bf2

SHA256
ee0b18cc789ad093839a25d56adcf667991305529c636095546d735c80b25308

SHA512
a6b57d6eaad81ec275a8639eb638f70745de12fdbf2027262b204b904d0c604c97dc1b1890e2949f6a08f63c329a6176b99d9ee2be92faf0267ad8724ae43a4a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wsRGB.icc
MD5
329e2f6dc707cfa12c6c778ca5c6d810

SHA1
8d5678eb8d14d7bddc890c95a41fd1ff0a038225

SHA256
c3c120ad2111b0bebe93cbd39e8e20e560ec6b5dbaf5cc37b91a06855ac6efe6

SHA512
73c7ca712e28b199f010fcf7bfb67707ff1522976f847ef2c34920fa21d2f8b4ee458b55fd9dfd96e818d0e39194a3c568134f85f95c627ac83df972d263faa0

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini
MD5
72b6c81ced2e3246345a49f79c4124ce

SHA1
1a726c52d3b72dec513cec79015872ef79e0ab95

SHA256
b13af2a5029c8614390f6f569de3ce2a882bab38c7314bd514e5c61237341e20

SHA512
6a34df8e56680aeb7807e6b0c5b92bfe003b890f2b7153ce309fbcd5be283b1e394f2ea2f69f6b3a8188b3d61abf0480e3e9a8dc3dcc226cf0b7fdc4699f39bd

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db
MD5
4a18dce12229ceb9c49d6b84042cd9da

SHA1
455ea3bbf4da725a66c5a40f73f9423a12feb9ee

SHA256
200f8170dd78cd9b857f2e315ffc0254e025265b9d72cade70c00bae0d4a0b8a

SHA512
06841865027103258d9df89c03a8256352354ad59672e64e0d1cd5ae1476437e39988b4342c5e02530e8b1777e0bf5ff9b8438b478d0253d9b8fd7bbbdd156df

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00000.log
MD5
052496932cc2f92c99bdae587c8ff21d

SHA1
949f06de337748b1fd4c419d17a5e10554fff6b2

SHA256
0adbc0bae17e556f9348ead20e216d8cf0a93ba848db9e00734d90434ca66103

SHA512
8095ebc9fe845251eeb1efedb2254f495e12a07b6038d3c2669bcb71e81d5d4b66d86123a5ced2be27ebc5a6540692cac095aa113c6c4d74efde7c833ab72c91

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00001.log
MD5
0eb9c880064416ad16ac3cd58df041b3

SHA1
987cb923170b45250ba37e768f4181a03c7310ea

SHA256
de41e2ea2ccf422aae003595ec6012741528564c9733c3b967613a120836e0e6

SHA512
1b05346e8b54e42656a9f363ca929d9de381d7359202b82485cdefc95d248942aeef9e71909430df2ed6716258bfcde19113721bb58ec10d64ec487ec4d5004d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Admin.bmp
MD5
e679ab6d192ee96f691518bda30d9d28

SHA1
cfe8880551d668c11fbf563ddb731712ba6109eb

SHA256
88d004594623b861b606314a569d94359cab7c6d879d0f90aed9d8a07870600c

SHA512
849cf03674524a02bd68b6266eb84082c1029d9d0339c196bd2a1feaa71baf2f89cff651cbb8462b2c78cd5fb73ee19d0f69cc045e06955d66f41f0eebd49e31

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGIFCB7.tmp
MD5
ec71b010755bd3617a2c755887b2b585

SHA1
11cccca4fefbf92bdf263af0ecfa3998ea1fcdad

SHA256
abaa3e2cf9800f281a82c9bf4bab8aec6be12b8453ce00f1d3839b5c3e369d4c

SHA512
02daf98c8f0b6804cb41f366ef3c88d8e62cc8204f14bda929faf05266ec349a8bf55e16da37b8ce0edc0ec0ecc214f3ede2e14ac7fc39c4744acf065133a2d4

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGIFCB7.tmp-tmp
MD5
004104235c9bd413e2735306db0d4025

SHA1
5d7ce29b99aab6687b5ce7e6535d52ad65676f20

SHA256
c63b1f3e8935737c27612c0213883336d10c630c242053caad21f9508607f052

SHA512
40bc17f2f1720f3e50ca64fe75488e19e62958f809b57dd3f2d234c8e7899597ca80705907051a1491bd8683ce0e8034201eb6858db26e2727c5e00bdbd14d9f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_SetupUtility.txt
MD5
251d34df4a677610d1a67c6b588a2c71

SHA1
2ab1826c971e65d22417bc2bf15d602ffdd2d529

SHA256
3da9d2d383800b8ce5a68d32142d055647e7745ead9828557967b51684444cec

SHA512
7b73484f13b73eac3c29af0a0c4aa79475ffc76cdfda92ef1498f85ced83be8b1715e4aa1c0edbe8f9559bcf81aa542b99a6e4581d9c69d42e229518a433f408

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI1E30.txt
MD5
375def6a7b40997e1e2bdeb32336d004

SHA1
45c5ac03a21f85dc4e1096d291747cfb30cecef9

SHA256
26dfbdd7400e12121d35805189e0667b96e8fc8668ae63bdb04c85af58e3d9f3

SHA512
d28e94f12d41ae708e26ea96ddab8219cad6a0db089416c7335f625b8afc6cd6ef2bb702d83fd88a56c87ca69bf927e630df8f4e1eabcb2e33a3897f76748f17

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install.log
MD5
8269b7a6d06c0d993f02c939c59a8ea2

SHA1
95cdfa4fe18920b0ccca87fcc8ab84552766d6a3

SHA256
25f6f6ce7f43ed6bf9fb642f36b6dcf91ddf3651b5e0977093cfd09e4b4a5905

SHA512
6604bc04443bce234cc9088113779bc7f10b938d68fe05eb464df671b611dc5728b6aee19c61323744c77436a4a835a7c8364f05c3cec95dbd79ceddeedbf090

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install_reg.log
MD5
fade05be88bbde6c7ba2790e434a3b7e

SHA1
d5beda8a460f3b81ffc2835534c81b6946bbf7dd

SHA256
8ca9c29dd44c889683d5a56ad19e31a2130578d37a0818a1dcaacd7bfb0a47e6

SHA512
d788fba04c0a2ebe458cb1211a8c3820d1dd4b129cdd25f686008ad17b8a71eff819568990ecaac5e5e3bcd8ffe49e3406200f168e59d103233ded413f5b9aa0

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log
MD5
666e148a3863279005055f46c2611724

SHA1
28b26b8a0403558813bfe551c9c6ceaf19d29e6d

SHA256
e00b22445a7169da50ad8ae69a31cfd4cd985462cf3c4ce115186134c65ec64e

SHA512
7a2912d3b7c996e614630a201c30eb3f091b554443887ac70740d56231e86c149473d39ab0ff75a23772da8f09dacb46ee600df98a2fd1b744a39ef6302df5b6

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini.RYK
MD5
75da016f4431db61c01eda2e0cebfb25

SHA1
0fedfca3418770ceddaf3943b24c2c4d3b6366c9

SHA256
9bc655e0a2dfbf03e83640fa876e969e661dbe86062174caab281d3e7dc7a612

SHA512
80a770c45a90ccbc65f5b7e8fd9b64bddadbf3334c92272d7e442ad16f11fe0c15124b7b554eda48b0698901a9b32d8c3881e11ad8fbd6b16c26eeac82ddc550

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini
MD5
45fe58d181ee4e388a1d7c1c2b7802cd

SHA1
5fa08d28221a7362f78238dca5b6ab66f0cc3c78

SHA256
e42f97ef4ea36da015b77ec3ff4579c1c3f4929983bebfd8c329c6dd5120140c

SHA512
6b8c4b4e0380d4b811f95c1b9f358dafb315dffa4391586a5693f6a0ff5247b3a8ce9705c38db31355dd9dc14ed2083aa72461f67e3fb18d4342db3d2d99bc09

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini
MD5
fc4af3f93c0b7a1d62d553634fa70070

SHA1
0d220383ba7422bb6d474bf42a2978b15b43c1ac

SHA256
0ab1e14d286b42eb24ee180b78fdc00dd32a6ba06e890fc16a6f1c326637f209

SHA512
114dcd830eb64ce45b4e486fcbd0bf1fc0b744bf5b8bc6bd0b0a7a4c59e1d1b4e6f29a58d6457bfc973b9aa607fe38f87cdefdf3d86687040f8279cdbd32d915

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini
MD5
7ebbce2563fd352eae2d64bf58b6c50d

SHA1
776c7066c985158eab0d9c965bf87dfb7e2177b5

SHA256
4a97a2d9d39094cf6c5afc94b1666ef6350eef29e50af3083b9d26f9f8fc472c

SHA512
0ce130cdf20dd780cb190031cad7d5bfe85e0425e78dc4dc5f2247fdfe3735e00cb678149238a0df0a170ca2db02b58d199a0fddc1a5efa5b046bf5143dd284c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini
MD5
5d62d5a3f69d739c0505f1291f619094

SHA1
88bef3098688f8072950adddb2b08b09f1a5bd5c

SHA256
804fceecf65aefc4f73029bf33f0baca27059b7d45dbbe810a2f3a95416c2bb0

SHA512
3c912b5ec672b852c4faf0fd9aa6391c3ef3574789910633529cea2eca215a43e9d49f25e9db275acc91358e1f287e44c161b16197f75c07b86b524a261360cc

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini.RYK
MD5
019e716f991aed2f370d3274091e760e

SHA1
8b2813a5f5549169c0beee6f383e1c5ff00716e7

SHA256
4670d8d98c40140fba1a0d836e273c5133d612fc7961343689f15e54c884c17b

SHA512
0157202ba831a835b5b8aab14a2a78fd779715caef47f7fc65a56c93d185ec9ecfca3fe57ccb24acbdaceedc59a2885edf362c2dedd392376de3fe32e831f64a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK
MD5
cb20bb1630f8e9feb79ac42892dd4dca

SHA1
33c300ac4b198f628b029b617094b119f98c5dc9

SHA256
633588a34e7ea5ea041e98f486156c47aa29e39e9d41482b98345c73c851ae7b

SHA512
51c44bc694af7222aca305414a941a5597e220079fa37af8fc2d9a2f86c732c89f7948c4dd82ed9a7172d96ca2190c64c4424e11a3139c6535ff1183d2f09633

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\LocalMLS_3.wmdb
MD5
1e8b54f06a27f130e27aab411e8cb185

SHA1
746daa41f2046f59fdf8769bf51fa581cedea98c

SHA256
6b22810696f983153f44f24f4d98ca6f37837f5c406b175a0c5c76c5a73ec4bd

SHA512
2e20b2a1337ddea092bd6d4b0569f50c42aeffb14f04143432b809082e63338ae707929bcef4fcdf9fcbdab442fe7cd1d8081a64e8ae12a3a3975b1c59172bce

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\User\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.htm
MD5
3852b8b54f3bc09f8323229bf3b6c0d7

SHA1
f89815f3c75d98245f5067aea13d8c59fcad8ff3

SHA256
8d1f8202d6c58df3b969ccf7819cc711d9fb0f830fae1e9857b3ffc48e5d10e2

SHA512
b14ab7676dd4f6130ff8e5692873b17b3a5d527b3fab7abafefbd824ea0852d4202dafa4d62738030fe8d02c2e380c00d3f83781842258e6415565855bae5d77

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Tiki.gif
MD5
cb58b0b050ae53de307f66b6b1f5da4f

SHA1
22db52ac599214afdb9f6e967ff58cca346d4cfd

SHA256
014bd1d85ce447d0ee1f7177a91882d169a14b11c61c3a734afbb35a20edee86

SHA512
a953bc198b38f7e2d7f27e602fbc702656b9bbb0332c32ba136de95ff12d859c39125ed8789144ac2d7f113c11b74ea1d6b9a77d74581a505e9ddcf47e35f974

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.chk
MD5
8842bc179fb854932614790be378a7b3

SHA1
e0f59672f1dbfadde1a53a97ecaa1049047b408b

SHA256
df504c08df53443eb33f64c04f43b00c20c012d9d64c5272eb7ed49d625f8dd7

SHA512
480de7013a9b5d3d9f416f728f224802fd6cc8de9d86f7adffa56f929cab6089695d89db08076f86955f3ddf32dc08a50d0030cbe29d084ee2b2ea43e17821cf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.log
MD5
22910a01b0e346324ab11b5abe65ca65

SHA1
dfac387095381a154ac3f10314603484ee06dc34

SHA256
101fcfe40b53ea2fe48a72c0c99ed0742054503172cb6e8061527589028cfbe5

SHA512
97a7557f99a784cf7c6c4ae2b189d0a4c09849bd6a54184cf2b91cfcc028f1648f43489fb5a8363ea45e8011bd92a2346aa9ce8ffeb8f6755e08e9c9bd6692b7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00002.jrs
MD5
85df390b31b6c1e9b3de9b98294e583e

SHA1
86a6a369d95f9746684d525196e30b19630b251f

SHA256
9c9de4ab6c7f2a35fca1635aabd4a78ff3b073c36fa4f35b4ac67af21025034d

SHA512
c67762265a1d8f0bbca65b6b98cf863c4cd98c123d1f016ec71898147e35ce6871c77a66bece95b229b0cd0f4fa92d2a9eff22ee78d5d34a0959b0398e2fbae9

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\oeold.xml
MD5
2eb3225f5583a3d628f998330023aa98

SHA1
b94e76747485234f5f544c6be490f67e185e4fe4

SHA256
3f919348aeecc4f514e58a46e334c0612e967d90c9a6a5d8e50488424c29aa5b

SHA512
bef0818b04b3acd4bf95160c129dbb691e2f4676447b1a4f1e2a957addd7c8a8904f65ba509b07f7d203daf8bcb8856afc894e92183ebdcf6da0ce92627589de

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.txt
MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
memory/1124-55-0x000000013F640000-0x000000013F9D6000-memory.dmp

Filesize
3.6MB

Download
memory/1124-58-0x000000013F640000-0x000000013F9D6000-memory.dmp

Filesize
3.6MB

Download
memory/1180-59-0x000000013F640000-0x000000013F9D6000-memory.dmp

Filesize
3.6MB

Download
memory/1660-56-0x000007FEFC031000-0x000007FEFC033000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads