ryuk | d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d

Analysis

max time kernel
167s
max time network
56s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
Size

201KB
MD5

8fb17e62abc491dc6f8e9630d73d935d
SHA1

ed0b184eb9b1e2a8b9f95b79cfcd691d2a4f4084
SHA256

d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d
SHA512

ee075b4a368175c773f400424b97e57de84e37d5858e4c938edd6df9cb6e4917f7fdc0a83df3fdf253fe0401f50cc702d307cf33d05898414796fb36f077039e

Score

10^/10

ryuk persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 1 IoCs

Processes:

FVuraIN.exe

pid process

524 FVuraIN.exe

pid	process
524	FVuraIN.exe

Loads dropped DLL 2 IoCs

Processes:

d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe

pid	process
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Windows\\system32\\taskhost.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FVuraIN.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exeFVuraIN.exetaskhost.exe

pid	process
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
524	FVuraIN.exe
1124	taskhost.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exeFVuraIN.exetaskhost.exe

description	pid	process
Token: SeDebugPrivilege	1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
Token: SeBackupPrivilege	524	FVuraIN.exe
Token: SeBackupPrivilege	1124	taskhost.exe
Token: SeBackupPrivilege	1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exenet.exenet.exeFVuraIN.exenet.exetaskhost.exenet.exenet.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1248 wrote to memory of 524	1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	FVuraIN.exe
PID 1248 wrote to memory of 524	1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	FVuraIN.exe
PID 1248 wrote to memory of 524	1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	FVuraIN.exe
PID 1248 wrote to memory of 1124	1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	taskhost.exe
PID 1248 wrote to memory of 432	1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	net.exe
PID 1248 wrote to memory of 432	1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	net.exe
PID 1248 wrote to memory of 432	1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	net.exe
PID 1248 wrote to memory of 1180	1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	Dwm.exe
PID 1248 wrote to memory of 1976	1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	net.exe
PID 1248 wrote to memory of 1976	1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	net.exe
PID 1248 wrote to memory of 1976	1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	net.exe
PID 1976 wrote to memory of 976	1976	net.exe	net1.exe
PID 1976 wrote to memory of 976	1976	net.exe	net1.exe
PID 1976 wrote to memory of 976	1976	net.exe	net1.exe
PID 432 wrote to memory of 1516	432	net.exe	net1.exe
PID 432 wrote to memory of 1516	432	net.exe	net1.exe
PID 432 wrote to memory of 1516	432	net.exe	net1.exe
PID 524 wrote to memory of 1152	524	FVuraIN.exe	net.exe
PID 524 wrote to memory of 1152	524	FVuraIN.exe	net.exe
PID 524 wrote to memory of 1152	524	FVuraIN.exe	net.exe
PID 1152 wrote to memory of 1192	1152	net.exe	net1.exe
PID 1152 wrote to memory of 1192	1152	net.exe	net1.exe
PID 1152 wrote to memory of 1192	1152	net.exe	net1.exe
PID 1124 wrote to memory of 1524	1124	taskhost.exe	net.exe
PID 1124 wrote to memory of 1524	1124	taskhost.exe	net.exe
PID 1124 wrote to memory of 1524	1124	taskhost.exe	net.exe
PID 1124 wrote to memory of 1100	1124	taskhost.exe	cmd.exe
PID 1124 wrote to memory of 1100	1124	taskhost.exe	cmd.exe
PID 1124 wrote to memory of 1100	1124	taskhost.exe	cmd.exe
PID 1524 wrote to memory of 1328	1524	net.exe	net1.exe
PID 1524 wrote to memory of 1328	1524	net.exe	net1.exe
PID 1524 wrote to memory of 1328	1524	net.exe	net1.exe
PID 1248 wrote to memory of 1932	1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	net.exe
PID 1248 wrote to memory of 1932	1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	net.exe
PID 1248 wrote to memory of 1932	1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	net.exe
PID 1248 wrote to memory of 1020	1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	cmd.exe
PID 1248 wrote to memory of 1020	1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	cmd.exe
PID 1248 wrote to memory of 1020	1248	d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe	cmd.exe
PID 1932 wrote to memory of 1712	1932	net.exe	net1.exe
PID 1932 wrote to memory of 1712	1932	net.exe	net1.exe
PID 1932 wrote to memory of 1712	1932	net.exe	net1.exe
PID 1100 wrote to memory of 1728	1100	cmd.exe	reg.exe
PID 1100 wrote to memory of 1728	1100	cmd.exe	reg.exe
PID 1100 wrote to memory of 1728	1100	cmd.exe	reg.exe
PID 1020 wrote to memory of 1484	1020	cmd.exe	reg.exe
PID 1020 wrote to memory of 1484	1020	cmd.exe	reg.exe
PID 1020 wrote to memory of 1484	1020	cmd.exe	reg.exe
PID 524 wrote to memory of 9732	524	FVuraIN.exe	cmd.exe
PID 524 wrote to memory of 9732	524	FVuraIN.exe	cmd.exe
PID 524 wrote to memory of 9732	524	FVuraIN.exe	cmd.exe
PID 9732 wrote to memory of 9756	9732	cmd.exe	reg.exe
PID 9732 wrote to memory of 9756	9732	cmd.exe	reg.exe
PID 9732 wrote to memory of 9756	9732	cmd.exe	reg.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f
3⤵
- Adds Run key to start application
PID:1728

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe
"C:\Users\Admin\AppData\Local\Temp\d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\AppData\Local\Temp\FVuraIN.exe
"C:\Users\Admin\AppData\Local\Temp\FVuraIN.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1192

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FVuraIN.exe" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:9732

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FVuraIN.exe" /f
4⤵
- Adds Run key to start application
PID:9756

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1516

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:976

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d.exe" /f
3⤵
- Adds Run key to start application
PID:1484

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK
MD5
c8eef0a0ada2d448de4b4b5ae65f3d9e

SHA1
ef3676c461e2dd3d3d9889e64aeee864e3680f18

SHA256
ca086162f21d970d0fd705800ea664ff8838ec1c185941278a352126612eeeb0

SHA512
3bb61d678669b6ca9d92cd21d05df004c66825a275c0189a0a91eb4b8c48b5402935ec309289d7eca6ffdd4f6392bf13ff0cf194481ad22e6c3372967e9fef28

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache10.lst
MD5
203ce92494e1ed07a18e6a6055ead0ce

SHA1
4e7956e8bd05fa305201d87a1b3e479e8381a056

SHA256
38c3c6e871e34f723e15b944492c85be4b5716b776f2ea9e9215244502df66be

SHA512
790020f132d4e18733d8626ceff8bd874b2ac0789c5e24dc838d8e115bfb6611136046fa77492a795b0b6cb11f043d7cf8a2a0f798c70e23a0e58fc4914cde6d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Color\Profiles\wsRGB.icc.RYK
MD5
d174d47401d95108838fea719aac77e7

SHA1
46f1f992545b35c0a2c43f9b24c204b91fad8659

SHA256
2e32885cef8eab60641d6c2d614483a2cedbec000051818e1ef960e097d04a21

SHA512
a2cd1ce3a016b062224e156bf193a1f3eb2a45c807106b284d51284e1e1837781b30184e1b7b3ac5ab9b6747b4d57a204298c5c429e95b71370fc634f9b47fff

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Color\Profiles\wscRGB.icc.RYK
MD5
aab32d35d54421a1cb66f7109f37a861

SHA1
19e9d7d71593093798c6139e3293a03bbd76fde1

SHA256
3fffb9fbd2b5b344c75f21f343ca252f2fa64d8cc24f1c6833f2d99719023b7d

SHA512
4f3b087ce47acaa0b98932fd88b5aceba263ab9d295518022eceecf35b3aaf286025e988445ee466c5653121be70cebb20550fc582a640ae24aec8c8e72ba1db

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db
MD5
af901784e90239b7f670c14d1875f510

SHA1
47214fef433d35a41b6e940450228cb62bd3bd75

SHA256
426c440681342cac5eb387e43314c8fea52b0243cc8b28f64511fd83fe7a0cf4

SHA512
c6691611d1c820cb3927c145726a843be8edcd14c710d6330965eaa587692a19e5dd91715ed56601d6ce465758c8aacda10ab98f844deecec5656399acb33ab2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00001.log
MD5
2148694cc0a9293d2f5389e847a47485

SHA1
14c9bb60f92b0fc3c5a30a297ad73ef0b3892628

SHA256
807dbfca42ca73461cef7825af07cfd616277e2c8bde57fb45c1ec9c1baaa424

SHA512
e2b565ad55d8f1d15101a627842a962e22122e59d370ec5c2f1b40da629dd04e75c2f24cca9bfa4adfb7cdd119e64c046c091202fb4ffe160dada723a11e9602

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Admin.bmp
MD5
66c116ce8a931868477b5708ac3672d0

SHA1
1c609b7bd628bccc67b0b04c9408bc4f792cdc61

SHA256
6798b28e3736783531b2038beaacc3e189eb6d5c2ca72a4e7b8eebc2549906d5

SHA512
ceddf41727260168490592e4b3d02900846f63c3625d055ddc7879c0196a7f81dc7030a3097156aa5e36721d928477319184b13404e0c34e58ee5e068e51b7af

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log
MD5
cac1a6d9eb8cfa807f2e033fb2549de9

SHA1
7ca94fba23c19ae886415db92610cbffc2cd7635

SHA256
111944f7b4d490edc798e8b78cb36ca2713f05083cd96b25b36aaea149925fb0

SHA512
d5ba2b495cb916880e1e2274f110b02fed7ee0618e2c50d7408eeb73473cd48a273de408ad693f3920e48a4c84897c7e353c1c1fda0a3c6ed274adfc48cdfe63

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGIFCB7.tmp
MD5
faca687d036ef5aa616754f0f642c347

SHA1
3e347a5cad12da2895f7b9734fd99f13cdd75308

SHA256
74d4df810a606880286244e5d9eb1a83f64ae60a3fdbdca179c3680e961e635b

SHA512
741c47c7cad5bb840ca7bc66d83773425009ba668700f3270f3b00d4307ed88f81dccde6108c4e042032ca2af22e8f94d1abd115bd1de0b5815559210307aa46

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGIFCB7.tmp-tmp
MD5
e55a1b7d779624c43b6cc1514adb6aab

SHA1
ed1d03c13a688811917558b8f0f1f909be39b226

SHA256
908295e4f35a4d1f6d2116ca659e9214f276dbf3402810d774c27ab19b43b026

SHA512
ac6ba4d86f25931f853b0b47b809044b0b3b080590c748a2a61019760d71c50c9dda63833735f0a9f3352f61c4cf414ea9d8102ea1715b84c2968e0ff3d1b99d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
MD5
33fdf324905e3ed00be12cd9900a64ce

SHA1
f30a1503e3f825a68fa2a8c7d8b37d86aeb0f1f6

SHA256
19be169237bbd96a45d14c4c65b84862a0ca81aa9e3c3b49d628cf1fd40e15ac

SHA512
0dc5a89d59a10a78b3bd94d5ebb41b8a774a8a483fa34811f8e2abcc1ead2c7ecdfc380ac837871362a8a05dbe61e834157028d941fc48381cc96976cbe0d160

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_SetupUtility.txt
MD5
e03c513981e09cace87c2c01a8d68750

SHA1
40dea043af16cd5dfb7bc980f314d2b1d3a35293

SHA256
9c6989f27b2847a34c39e1b461d58a5ece684d8747607c624a52df37c6786c6c

SHA512
ee54ebecaadff221104f8f539db670c6a74c23c066f7c692d47c8b2b7b00154e8423795159ffcee33f5be2b8f3ed6473f42f8077c3c798a50747d0582ea59ecc

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI1E30.txt
MD5
d951290dcf3b599a9341684f5bff7509

SHA1
9078ff49f9c26d9dcea74e95ca2e9bb95c24e191

SHA256
b25baef81a126dd8e58467d9119438ba360de3e36a7b2f539dbf1e8f66de311a

SHA512
6c80a026b239cdb3d066047a09a77220bc49c0a232c2971baf90137877d411b4db036538308426fd687ae8e5ccef8af4efdbda977f8bf0300aa5cc1eb20fd9c4

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install.log
MD5
c6a1bc0e709abe3a8562957933ee6fa8

SHA1
b05f244f265440a9bab0fbb6bc9f335ea4a7789b

SHA256
36e41f2a050d2d2ba072db6517b8d60cbef83dcc2dea274851f050e90c0fa386

SHA512
273b5225a18bb3c53fe78a92d39ad96de2acd675b6bf7f973a7861ef91b07e3d4a20650b8754e9ba29674bb0b8174c0fdbacdc19a1abed7c30764eb50ef30dce

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install_reg.log
MD5
37b291c4f8e983ef326bcd00891eb496

SHA1
f944e8dd1b6b3d723e5e86f3b82565c70a33ca6c

SHA256
3acb4bdd6703f732be1fb4b4034407b302a2a7d9c7f33bb73fd2a5b581149400

SHA512
00efef311b0a8121514fe58cc84e8da4c3396b034962be5f9c9e6f1d393b016e90ebb7947ec130dc203639acd93d248267e6a03cd33f5530f9cbd855fa2411fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log
MD5
1fd17d1120f58babaa1abfa1fac80ff2

SHA1
e7eb7c7bfb398d57273fa2e374c489703ee91df3

SHA256
8e6d025f747951ccc217fd2ea98d22b2b704e953d3005d3b62d4b8a8653fa422

SHA512
97709c1c86728feb1b2c74965997e22428b2c1bca512278ca62d9beb6523b7c90064b466355851f80e9841dd99d3bcd80a79203c25f2105a9ec2e4fafbf93c44

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK
MD5
493901b61f1de2930b88842e7f8b7cc1

SHA1
05334ceb08b4bd51b9e3e6d6e3256fd411e4fed5

SHA256
505a1ee732fb23c178fca92281fd119294a3a2583e7bfd090703b72811f39c1d

SHA512
8dc870206479ca8b42512dabb23acc0839781d996afcace91b65922b0b6fe647e71c9b79e2997ecd8d682a5288d601fd55c5cdf14b1fb530d6405869c48583aa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak.RYK
MD5
3e924d77f09b84e8003c903b51514da0

SHA1
cae9de5fb584576ec09397a986cc03f06607f560

SHA256
2b9d9895c488936a06a766df6f42bb16285f5f946c062684f2ef54a8dc43c955

SHA512
ac6760785d1e63c9c27098700c52b8a20b039a7a52f0444141de1d64e7453a519e6c0a5879a79bcc6a2eeaf85f4bf665a02890d53dc101948f18c8c4c0493463

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt
MD5
19037ea9c1a3b099a5abea44bec48df9

SHA1
31cf89d78a2c2bd1c3ac138c828399f794b031f6

SHA256
9e4c60435b2cffbfbc194995b68cc37f9e9b46a4d9e0a31f2bdd9b82f45289ab

SHA512
21fb688eeb2f6a0607d1a9520de7863c2359af9289946201de6af35f5c0b38af14fe0d2bcbcdfae69d686371dec07ad63dd6539a39286ca8a5ac3bc2fe3792ee

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.htm
MD5
3b3e0cb08bfafbf09390a4e1e49c3bb5

SHA1
b5e9bf72342f538bf82a723873fe845c080bcf0d

SHA256
958305cb45b141e3f7afcf5007168a27dd3f0b1e10c2ea6a1a21bf40f83271a8

SHA512
56fcd75fb88f1f49c3dcd709aec2e6c8c9a0a257609822f9114b9616370a41d4ab46b942e8553ddf6f71ca83082f056b443e9e6e2dc283992bed74902d39c7c6

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.jpg
MD5
865ffbf364ea744e093e83930eea74a9

SHA1
4a4c0d714302a9cae3a63fd8ec70e1794ba008c7

SHA256
46d1238cd18c5078f1fc637e8cca7ad7a16dc335d8f8002052a05ccbd01ffc6b

SHA512
6aed956c839d4f706c47e5781dcce91c49c8c3113f0277b751848681454d413d84e975da88cec2e4cace6ee92d33d9a0fee74d59a954ce7fa2a8396787ad2897

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Graph.emf
MD5
d4c9f5f143d834f1f7d0abd884eefcd4

SHA1
144cd5887d5600842049bab2830479eb1ca7d64e

SHA256
8ed532e46b6008e5966facb1fb41b1a4b9a6ad8e56d7147c146b9ae847e7a818

SHA512
8be2d394539cdd1c3575b13fd47529809dc77f90f5ba722a37aa9d4b2cd833e7d5c44d71ebb86ef3468f0ddfe0fe067a271169d24790eb823277b0d562c1adf7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Music.emf
MD5
6393a5e77b1042912e5ab5eacd64d354

SHA1
2493313d33ad7962c28d5663babfb06af9c12667

SHA256
3dc4ded2a6b6146b5f85ca83def78d1560a6311c4eed97efe1c2254a6cd50d69

SHA512
5f7e640f20dec4712a79f355be7dec1a1b77dd66714954f527cc139b75d14ab1cca743063644022171d6fbb39857736c0de80cea5995d2a00d6e6cabe0fe2415

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Roses.htm
MD5
8dbc3afe0f710806ae099d84ca9eda47

SHA1
3640f10d527c57bff2c3191c6b101e39cbc7ecc8

SHA256
7f699c9df6e764753baf8fb2b051c7a877abe840c51eae6c1e4eb54833483f8e

SHA512
e7ca8389efd062ee916c8e2697f0bf587759603f62d0bed5a37ca42f8115ff1af0d80efda471e2a4d13920b508e952fa7afeaf2aa6f381909d46d8f00dccb4f5

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Roses.jpg
MD5
8ac17ba86c524da4d2eeba57a11e14bd

SHA1
1a119ed1051d0b4df21480237f8bdb7ca6a093c8

SHA256
b23eb2749bb554c8361556ffa4efd02d6160ce68c0f8b5c2ec094a42417cf998

SHA512
bd7f8e2ef1458a544c9c5c53e4d482118c3a23452ff313e41067bd05ad2ef80e253d08db5e831a1c01158aaa827a84b1467c2a75152986098fa30bbc735f65cf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Stars.htm
MD5
0f4f890fc1e4de44c3c867679d567096

SHA1
d974c816ed065fd48f791ad25ef57907d685ae2c

SHA256
deea7d4843cfbc328000e2b6304f1eef23a7d7e886e47e4d8f273a3cca749a0a

SHA512
054d0e66e2e722dbfc99cd4fa9fb211de48edb653a7b2cb9b682a7290c31bfd525831c16a3c4336adb5d168219ecb20ba41dcf04b94775c5c4eaf4899a96affd

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Tiki.gif
MD5
124b0c07cffbec87792f6aa707f28a0a

SHA1
4882f3292dbac65ecac09976c544c040b12f0513

SHA256
c70e3105f1c5fcb793058c5d20d407dc1023ce752d1b2ef4b1e13e71d73befe0

SHA512
68d56cff657a9c26ea482b456ce5d8cb060901b4a4bff3d5464171a675f3e500143618c152e1de09b57209cf45527a3ae166d235ceff7183040f269a9ad7f687

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.log
MD5
1e8f4c8210066e7ed644c2ec9092153e

SHA1
ea23b7d64a5c4c6089d0d020369685b230222563

SHA256
0c5ccb011a68f9bd082dd286e5ce0d90341ba69fd4abadd117a3af5f6ee793c3

SHA512
820cdbd8982c4f22e1beb2448fe80ff08956ef60cbc5c8c8db580b672dbd955d68f603847073b84a4e02ff6a1bc4285a6e38b54b5825ec5df65fa00ca65d8e11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb00001.log
MD5
82dfdfe14764bec27996cf0e75d1454d

SHA1
2897ea9ce7fd2723b49449ca6e18c6b03990ad61

SHA256
8db156a35e1b5050cfdb7f0f0ea0ac34c73a87d797f6cab8970c3eccc34f862c

SHA512
f66286b9993203a3502bd7467911ca81c24d65181b791e531359f638cd2438404389a7e5af316d8152d5ec93f5d9852f34d6425b4c90bcceabd5133a5b08f1c1

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00002.jrs
MD5
fc1fcd1e11f5b61d29481e8a1403599b

SHA1
f37dba26c1fdd7822cee1f8dda5209cc69e5d4ca

SHA256
309d1642364359ed130e401139f302823ebf959017606bbd0b4e2543f0c7ad0f

SHA512
71c36b582edb31e3659f4407a42ac713b43a90631b1fb3ee7d2f4b019b73ce1101cd3e6de66c2977f99afaade44fb5a74ab3da5bc1193720a2e96eb3df1f37f5

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\oeold.xml
MD5
a6e43a36a8f8351a46273ec5df352920

SHA1
58c9b8e02b5c74a6a487d445c6c169e9a69e7e19

SHA256
68bbf7378f301e336a7dc31526a80a692d50e34a77bbc3c49b2e0145ff8eac91

SHA512
b9de1709de29471ef24d76db17f47864d7e87706eadd9bb5ed930c0480f778b33842894fd086a803cc31b58344cce895d8177318a6129834504cd23374b37727

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Documents and Settings\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
C:\Users\Admin\AppData\Local\Temp\FVuraIN.exe
MD5
8fb17e62abc491dc6f8e9630d73d935d

SHA1
ed0b184eb9b1e2a8b9f95b79cfcd691d2a4f4084

SHA256
d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d

SHA512
ee075b4a368175c773f400424b97e57de84e37d5858e4c938edd6df9cb6e4917f7fdc0a83df3fdf253fe0401f50cc702d307cf33d05898414796fb36f077039e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5
7cf8bbf7ceead8e0ae5ef06fcf587812

SHA1
c52fee04ee1ef00a2963b0dc4a95eb3c0c9d59cf

SHA256
4e6a6f66ae9340d806a8b4aa65b4b52c9fcc8094230133cdbce0fe342620b910

SHA512
c31e16892e08f5125c22277c06680d0ba8e445d5302654c04d08a99d36c5439b3ddf3d3547c1dcf038d5ca72b3a90d49a9b168af4d43942300e384f21f3afe40

Download Submit
\Users\Admin\AppData\Local\Temp\FVuraIN.exe
MD5
8fb17e62abc491dc6f8e9630d73d935d

SHA1
ed0b184eb9b1e2a8b9f95b79cfcd691d2a4f4084

SHA256
d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d

SHA512
ee075b4a368175c773f400424b97e57de84e37d5858e4c938edd6df9cb6e4917f7fdc0a83df3fdf253fe0401f50cc702d307cf33d05898414796fb36f077039e

Download Submit
\Users\Admin\AppData\Local\Temp\FVuraIN.exe
MD5
8fb17e62abc491dc6f8e9630d73d935d

SHA1
ed0b184eb9b1e2a8b9f95b79cfcd691d2a4f4084

SHA256
d91572ef64c5c77b1085a5e6cc40cab2a78f714288c29d1d8bdbb613aa5c9c6d

SHA512
ee075b4a368175c773f400424b97e57de84e37d5858e4c938edd6df9cb6e4917f7fdc0a83df3fdf253fe0401f50cc702d307cf33d05898414796fb36f077039e

Download Submit
memory/1124-61-0x000000013F940000-0x000000013FAB5000-memory.dmp

Filesize
1.5MB

Download
memory/1124-59-0x000000013F940000-0x000000013FAB5000-memory.dmp

Filesize
1.5MB

Download
memory/1180-62-0x000000013F940000-0x000000013FAB5000-memory.dmp

Filesize
1.5MB

Download
memory/1248-55-0x000007FEFC031000-0x000007FEFC033000-memory.dmp

Filesize
8KB

Download