ryuk | cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d

Analysis

max time kernel
169s
max time network
37s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
Size

209KB
MD5

a48d9d97ed4698432823d5fbc4426e35
SHA1

77b6c5b3c3890ad324743367e37da8a35882fde2
SHA256

cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d
SHA512

1baadbbb701db4f75f40adae0da76ccd9ee4b20c82697cfaef3e34f20b9142f1ff90edbc96984c0de8e99baec63ec378730fa4fd0765b931cb4242bd79862521

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Special warning for system administrators, network administrators and third parties: Do not try to solve this problem by yourselves! Don't change file extensions! It can be dangerous for the encrypted information! Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM � files may be damaged. DO NOT DELETE readme files.Your system administrators are trying to solve problem by simple file extension changing. This actions seriously increase the time needed to recover your company's PCs and network servers! To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops desktop.ini file(s) 64 IoCs

Processes:

taskhost.execf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\Admin\SendTo\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\Sample Music\desktop.ini	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Startup\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Maintenance\Desktop.ini	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Recent\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\Sample Videos\desktop.ini	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
File opened for modification	C:\Documents and Settings\Admin\Contacts\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Links\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\desktop.ini	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
File opened for modification	C:\Documents and Settings\Admin\Saved Games\desktop.ini	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\desktop.ini	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
File opened for modification	C:\Documents and Settings\Admin\Searches\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\Desktop.ini	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\Sample Music\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\Sample Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Music\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	taskhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exetaskhost.exe

pid	process
1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
1276	taskhost.exe
1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
1276	taskhost.exe
1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
1276	taskhost.exe
1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exetaskhost.exe

description	pid	process
Token: SeDebugPrivilege	1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
Token: SeBackupPrivilege	1276	taskhost.exe
Token: SeBackupPrivilege	1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exenet.exenet.exetaskhost.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1796 wrote to memory of 1276	1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe	taskhost.exe
PID 1796 wrote to memory of 1376	1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe	Dwm.exe
PID 1796 wrote to memory of 1240	1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe	net.exe
PID 1796 wrote to memory of 1240	1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe	net.exe
PID 1796 wrote to memory of 1240	1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe	net.exe
PID 1796 wrote to memory of 1272	1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe	net.exe
PID 1796 wrote to memory of 1272	1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe	net.exe
PID 1796 wrote to memory of 1272	1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe	net.exe
PID 1240 wrote to memory of 1768	1240	net.exe	net1.exe
PID 1240 wrote to memory of 1768	1240	net.exe	net1.exe
PID 1240 wrote to memory of 1768	1240	net.exe	net1.exe
PID 1272 wrote to memory of 1140	1272	net.exe	net1.exe
PID 1272 wrote to memory of 1140	1272	net.exe	net1.exe
PID 1272 wrote to memory of 1140	1272	net.exe	net1.exe
PID 1796 wrote to memory of 1844	1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe	net.exe
PID 1796 wrote to memory of 1844	1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe	net.exe
PID 1796 wrote to memory of 1844	1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe	net.exe
PID 1276 wrote to memory of 1636	1276	taskhost.exe	net.exe
PID 1276 wrote to memory of 1636	1276	taskhost.exe	net.exe
PID 1276 wrote to memory of 1636	1276	taskhost.exe	net.exe
PID 1636 wrote to memory of 1712	1636	net.exe	net1.exe
PID 1636 wrote to memory of 1712	1636	net.exe	net1.exe
PID 1636 wrote to memory of 1712	1636	net.exe	net1.exe
PID 1844 wrote to memory of 1500	1844	net.exe	net1.exe
PID 1844 wrote to memory of 1500	1844	net.exe	net1.exe
PID 1844 wrote to memory of 1500	1844	net.exe	net1.exe
PID 1276 wrote to memory of 1748	1276	taskhost.exe	net.exe
PID 1276 wrote to memory of 1748	1276	taskhost.exe	net.exe
PID 1276 wrote to memory of 1748	1276	taskhost.exe	net.exe
PID 1796 wrote to memory of 1400	1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe	net.exe
PID 1796 wrote to memory of 1400	1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe	net.exe
PID 1796 wrote to memory of 1400	1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe	net.exe
PID 1400 wrote to memory of 300	1400	net.exe	net1.exe
PID 1400 wrote to memory of 300	1400	net.exe	net1.exe
PID 1400 wrote to memory of 300	1400	net.exe	net1.exe
PID 1748 wrote to memory of 1944	1748	net.exe	net1.exe
PID 1748 wrote to memory of 1944	1748	net.exe	net1.exe
PID 1748 wrote to memory of 1944	1748	net.exe	net1.exe
PID 1796 wrote to memory of 25716	1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe	net.exe
PID 1796 wrote to memory of 25716	1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe	net.exe
PID 1796 wrote to memory of 25716	1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe	net.exe
PID 25716 wrote to memory of 25916	25716	net.exe	net1.exe
PID 25716 wrote to memory of 25916	25716	net.exe	net1.exe
PID 25716 wrote to memory of 25916	25716	net.exe	net1.exe
PID 1276 wrote to memory of 35088	1276	taskhost.exe	net.exe
PID 1276 wrote to memory of 35088	1276	taskhost.exe	net.exe
PID 1276 wrote to memory of 35088	1276	taskhost.exe	net.exe
PID 1796 wrote to memory of 35112	1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe	net.exe
PID 1796 wrote to memory of 35112	1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe	net.exe
PID 1796 wrote to memory of 35112	1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe	net.exe
PID 35088 wrote to memory of 35140	35088	net.exe	net1.exe
PID 35088 wrote to memory of 35140	35088	net.exe	net1.exe
PID 35088 wrote to memory of 35140	35088	net.exe	net1.exe
PID 35112 wrote to memory of 35148	35112	net.exe	net1.exe
PID 35112 wrote to memory of 35148	35112	net.exe	net1.exe
PID 35112 wrote to memory of 35148	35112	net.exe	net1.exe
PID 1796 wrote to memory of 35492	1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe	net.exe
PID 1796 wrote to memory of 35492	1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe	net.exe
PID 1796 wrote to memory of 35492	1796	cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe	net.exe
PID 35492 wrote to memory of 35516	35492	net.exe	net1.exe
PID 35492 wrote to memory of 35516	35492	net.exe	net1.exe
PID 35492 wrote to memory of 35516	35492	net.exe	net1.exe
PID 1276 wrote to memory of 35528	1276	taskhost.exe	net.exe
PID 1276 wrote to memory of 35528	1276	taskhost.exe	net.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1712

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1944

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:35088

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:35140

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:35528

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:35576

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe
"C:\Users\Admin\AppData\Local\Temp\cf2e3265c9a05b2616ebc53a6f9ed7e8fc188ba15834295bb16f68c48de65b7d.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1768

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1140

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1500

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:300

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:25716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:25916

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:35112

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:35148

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:35492

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:35516

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:35552

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:35588

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache10.lst
MD5
37ff91f00547ec10c1a7793fda74ab13

SHA1
d07f36f7de8e4064fc2204a5e86aa7dedb26b1c8

SHA256
c45a0b6c9d1e3d015ccf8f41ff617203047a1d3c2a2d7a64b5b99cb470743080

SHA512
9af05d5ae205f67ceef4458389005b771d1e4ca6c5e3f2d50f4adb3a2885f985f817424d521e864953379293e908c6a3bd1c2067463abdafaf401ad1be4386bd

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst
MD5
98c80e0bf83699e25a104acb43cf15b4

SHA1
ff845b86d18a5fdf5bbae7f9aff1fbf52b2280df

SHA256
dfe1ce1ae9a16a9c38bf5d3aad8e764201ba5060c54a97a50919dbdc29f36510

SHA512
5e0ccae3ecc7f4905c21a3fa7fd43e1e2729fbb822a6dc9d450c9f8ebbe32886e976b4276fb1a130a702093fce505fe3099bdb94006eb99b38d901e0641132b7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Acrobat\9.0\Cache\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Color\Profiles\wscRGB.icc
MD5
f49e98a754ba0b831f81ca5962181530

SHA1
4bff1b95b512e7662a4140cfb231067654d24e20

SHA256
43f8a9b47fb7d18c56d9fdf10a296d18d303fe54a05c382a3df57c8eca036eb9

SHA512
1c4f792b7b5e5f698d4b83946fc9686c23012708a849dc1aed55ba6b1b60830eaf714ecca1594625f7c620c23a3b2e174fc90e835b5de5d109fe4cebba6529b9

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK
MD5
98c80e0bf83699e25a104acb43cf15b4

SHA1
ff845b86d18a5fdf5bbae7f9aff1fbf52b2280df

SHA256
dfe1ce1ae9a16a9c38bf5d3aad8e764201ba5060c54a97a50919dbdc29f36510

SHA512
5e0ccae3ecc7f4905c21a3fa7fd43e1e2729fbb822a6dc9d450c9f8ebbe32886e976b4276fb1a130a702093fce505fe3099bdb94006eb99b38d901e0641132b7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini
MD5
a19ce7af734aa01363e9784b34380f9f

SHA1
d1ab25714223b1899873c6fca4e1bbb38a2dccd6

SHA256
b0342159df2fea3438c23cf93a76f24ed815c51f416d0beac1f470319e1d826e

SHA512
28c60d986ddc116563efb6b7292cb8e499498b74d303ab37dacfc7c3a98bce19d9935d18035211f7452b022682a954616eae43a8d1c9940e297a034cf0595340

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00001.log
MD5
a0f2c539fa9cf41de4ef89d8141a9dd5

SHA1
99f3e712aafd558e55ecc59de87f576c92fa5723

SHA256
b018381f226e10a80122e311189be029d47a77c01b520acad04d611425cd585f

SHA512
85623373fa560de1d504ca1a935fa5147d542df92693ae4ee68c77d7b3e9a7e7cc8620db105ba19dcdc4c6e4cbacf02c3194a0a7b10f79b3c9fd0d9bf4be2225

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Admin.bmp
MD5
4ec928392b608d98a93343d57579faca

SHA1
cb7399278b26f1056fc56f2ec1954fa094b7c17c

SHA256
818f86212ff636123000f92fd2a217e65e6e47ecf03a3f8bdf1c22256290eac0

SHA512
2f43f2dfb84efd47e5a3939fc27f907b14330cf58c74dac82806f67a519196d29da21b90ed12b806aefcbd2593a5b76786b03f7a95921fc7627ee57ac4fba9ed

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGID605.tmp
MD5
cc25e9f10789ae92605c58d0bc52c22b

SHA1
3f3a8e3939f57a6d9016914dfded1d9be7474164

SHA256
4b5c437b60b7cd607f60e6ae694ba6c9f9f70e46d8c97f531ad4579f366395f1

SHA512
943a16b1a5a69b0826b48263393b93c043768164c5324b2e82022daddbd80a814d0622564cfab9bd02ed30dd0145e328a3eb14b8bc70df6e32eaa0affdedc263

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\WPDNSE\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
MD5
6087fe37ca96da8374cb13b87dfd10d5

SHA1
3b1d4da26edfcc5114e32d5867fb6bf0bcc578bf

SHA256
39ff83948604dae466b80eca2adffa8358eff53ccb1ae8533a0948f307e0de0c

SHA512
3d2c0d21092c2e7ed8c59a0691ea0d9476c210851c7ee51e13eed7f7515a6f94ed57ca62739e7796549c014e7c057f2286e0e679e163b143de666f739665659b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI37AD.txt
MD5
be7896c191c4d79077965b3d3d4039f3

SHA1
13afe19d22bff258f5938ab44c996578a4eb9a34

SHA256
b138bb5a7ea0a70ba53ced4d001214948378def5d8e59cba02dee1e181de9caf

SHA512
e153f200eb036afd6ba53179138634cc19fe753bef9e1f33b2e75df76057ddf7ce1ce0b53364e84e892d43a27a9b806c49cedac40d56fb44e924ae3ce36fedca

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log
MD5
5d6edc70e32e36d945aceb823385f828

SHA1
bfd5481e143a3f42c1c16eafd9463a442dc8ec95

SHA256
f591928381a1a23211d5aaa81cf7e8c4c2f3a1968534f81e9343537f4a472964

SHA512
8fbdf11db31102511791fd321bdf10d07c70f147c3ed5ce717bbbba95b278551123e39816c6fed0c13eb871c1f7deab61b8451ea8293ca0274c7c095fc6397c5

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini.RYK
MD5
4d6789ef1e7d39efdfce4504c1affaec

SHA1
8af29928a80918a7974728ec4d5f103151f9a419

SHA256
7193f84bd9fe636f5a5c7efd2189e3810e2b16fe68f9050495ef940a794a4df7

SHA512
afdbd0a71c7e0186cdab7cb4416e6b0afc2a580a18e64a1f4eadc6548ac5492238cdeec91bfcf67af380ec5fe3108f7ec581722f936ba3eb2c9cf6b573444da5

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK
MD5
a19ce7af734aa01363e9784b34380f9f

SHA1
d1ab25714223b1899873c6fca4e1bbb38a2dccd6

SHA256
b0342159df2fea3438c23cf93a76f24ed815c51f416d0beac1f470319e1d826e

SHA512
28c60d986ddc116563efb6b7292cb8e499498b74d303ab37dacfc7c3a98bce19d9935d18035211f7452b022682a954616eae43a8d1c9940e297a034cf0595340

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini
MD5
2f8cb94ab73322c52079f22efd35a3cd

SHA1
aa26c2deb6d7ed61f1b9bffac58cc072f891f48a

SHA256
ac1b58bfd98440eda2de157fe8a111ddec6db25b7b01715de59dcaca52320cb6

SHA512
da716887a4e97221877bf26eb05abb9a687fefed6c0ee6c0c40070c76c4e41d01e90df651614b7882c78d7453cfaf0fc35c6ac37cb4f9d0f2d1c947ddd7eea23

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini
MD5
4a99bb4a172a944eb87c98ec439e3abe

SHA1
61ba9123ac4b64b79c73107ad51f1410de64d442

SHA256
bd0d36e9db00693f94532a661c626af82620133c21ad964246803d4c086a0023

SHA512
00b509c2b13928cc67fab0ccfb3f5d55ea5acfba39609f352d0693f302ddb0905599db0ae3b96a96c9f8a3fc73b0971af4987f74d9cebb57e0b8e1a0f631b1ce

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini
MD5
2245bb3140ce1431ba3f4f4ae98a4c3e

SHA1
d3133f1f9061abeefbb9e613f85c18228a88006e

SHA256
287d44d7448e4e7612f218b3d3495c6adc7ee708d3e5323a4177d94a5ebba3a2

SHA512
689d92b46f0efb0bd2457b604ac16cc0a895151fbe55a9c9ef9e08905ee800f74a15302edba0d85530028d584384781c72bea791c848c12442610183566d557e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini
MD5
6aff7e3af563813ede2b5487ed44b3f4

SHA1
8722084f8f6a109773753b551bff0095416e56c0

SHA256
b7338dabf06770a9e74d094d34732811a7854eda45eb63b6eae259e6a9e54055

SHA512
e5c8cae176b5a23af83da2896e350cb24122ee279f4d4fd7521e5b34aa890429e5dc2ac54a22c865afecd5a61e3e8e765c08d2f2f71a85a15aa4cc2c80c2cbba

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini
MD5
541919204303cd09e9eb31445a8a82b2

SHA1
eb36d414db97e879bd10290a7b3a9b442b592200

SHA256
f5f015414531788a4c4dc2f030969e42976fb34c86eb59dd4ec17c8fea518077

SHA512
76417df28719e424aa7963096d479a000a30c874257bc04018179206744757b97671dd8592c3fac489e2415fc5ee741890917b31c0287e0d2a7aa1420a801e9b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\LocalMLS_3.wmdb
MD5
cafeeac75dd9b88b0fb4c4580e993497

SHA1
e21296d40ee54510caeacb9c3e00416d59605d57

SHA256
8139057639a4a6504dd2bd38d638c20d21f745bcccf1a0a2331ce5f592eb4c18

SHA512
5d0d3030fb3c8d1bc37572b01bd5bb1e4e7bb1378fa61b1f0dd4862f27007691ecc0a79d3328f234343f886fda81edec1dc4708b9c1a88d0acecf14d62feaa69

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\User\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.htm
MD5
1ae767e8978d50782afd256af774fb9a

SHA1
1ba4788a3b57c1b5a03d5c8b7a17adf6cb187904

SHA256
eece9853eafada4099953b0e8ed935186addf6faa49fe52a6cfd6c923209b4e9

SHA512
452b532c2d2b7542e8dfddb47f6e12354afdd40361487b65e3f1385ff4403dd500d94a863aea851a7bdbdc84b2c1ba1e91494419ae55fc216e6202cd2bc6a0d5

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.jpg
MD5
9bc5fd36a477081b00e1afaf63eef44c

SHA1
e5bb24b8a2f5f658de1bd6244c167744173341c3

SHA256
0a3809c8e095f548ce0f2126dffbe466819a7b240581e6a6c07716eea774c1f7

SHA512
ba3f136b35ad1971fbc100e0c8f16103fcd5bc8fadae366cdd7c69ce4a4c18777406cf74144f672b1af7c04e4efa9f13b78c1f3a4dbd8108cfaecb5651066db9

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Monet.jpg
MD5
82cce9bf2208abf4a96bd8d63e1aa2fa

SHA1
ce26a55e1f496185177387e09df58a20211665a9

SHA256
3b66b335ef722db989188b4ef56d6d632ce7d7fd938bacce71f8f28d37231e35

SHA512
bc45b7c941ded509d684e747607bff17c25c7f9723fdf1003854cf34fc6da3b7f6adf642e4326a649b3fa81f7daac8c900100a143702fd4288d9999f881857e4

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Roses.htm
MD5
4f9055fe1ce5daf102e254878b243b39

SHA1
6d8c64fad38ae8c2ab509297cffb57aed5d4542f

SHA256
061e8d27f0d53506922ecf0170aaabf2c52377d35ac893e774165af30709bf51

SHA512
fee660d7c8071b06a03d9c99dac4970c1d2c0c4e532d809b3fc354381d307612fdc00910a565d8025db68c5a720f0cd656b11990668955874cd1b6cde377e1be

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Roses.jpg
MD5
32be7ee7abc2cb6f5744a40e68d81ef3

SHA1
4bce418f8289c9dc7744cdf6957a9ede7752f19f

SHA256
870e0ea53e9d4f94ad3574a59cc2e4f9790a747d590b898601c2b3dbfaab2f06

SHA512
9e2e1ae00cdec8b697113788178c9806932135783bb8f9171a4cb519ec3374d8565be912c9d7fe9dc25b0489ccc7cba4b9dcc578815240d1fa8861f13760db91

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Seyes.emf
MD5
267c501bb1f5d25d69afb5a1a1ff9a59

SHA1
4850e2d2af33c3c183edc46ee8bab6c1f085e5fb

SHA256
224bcf81f6afd350bf22c8aac233ea1fd70a32af6c7d3234fdf8aa1b2a013903

SHA512
10d57d8599c62639d2f669e2adb50f7a7aafa55bf414dc9465e76f08b0dce7147ae894bd3d0348ad3a94ca32d0aeecb33e9e379653cf7dce31758c1afc91589c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Stars.htm
MD5
3ea40d11e4712edc975134d5ccb8063a

SHA1
faf207d1ff6d9a9d8ae55978fdac0bd4b934c6c0

SHA256
d041a60ecea9eef88889a2a71ce71fb77e5c6a850860707dfff7a9dd11ad8667

SHA512
bd9f483ed7be4bdae2bbcd55af5696fe58e580cd3fad5b509e388fe57fc94aa12baf448655431377a5a5212b4c60251ea9f84dbdbefbd2fc7619bf4a8712cb8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\WindowsMail.pat
MD5
986cd7954153bc628466fc7091f425bc

SHA1
046626acef375089109ca48668b046ac279eefe3

SHA256
ed41b24ac2f269346d00d4a993a6ba79efb90acc05877470ae2685696f478dba

SHA512
292029e14f88e4f84234853ae5c0b9131ccd6b9ebc057baa99d5a9a620fbc334384fe5fe9edd41f62d295bb456cc23f99098c1e92daea8a5f86799bb2da999e1

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.log
MD5
a789ea433296f18d98401c81210b5708

SHA1
bab1371c00a0c65a479e22881bb3a0685b562b40

SHA256
300ac4cc954c2e789e8785f9479065742127ff15532198a79cb3eb6262f8aec5

SHA512
d9335753f4ac971dbb8d268288e04940b8bdab6053051fc05911ac58fd0b15f21c5fd05a1cdabf00a5e94260b01f57eca21cc6ea439ee9c8616626dba62d94d6

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb00001.log
MD5
b82332801ee73bf5225d9d782be4380e

SHA1
dd63016013a94b8fc8364a64799783b8095c08df

SHA256
01f4d23458f4429a391959073e2a2ba6e37eff7cf918d3b12804f760c891119e

SHA512
ff376b48940dca448b780f04e730cf92db86650b50faa838e0be22f63d5a489bdcba17f607d36f8d7701352322b5912b1cc89e047599688f6e5521d040abadcf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00001.jrs
MD5
a5720d74d5ef2b64b53671be22ed79e4

SHA1
9fa338eae3ebf01942641f44f0f4320072ba9725

SHA256
ca8e4a75aff4044da2a9f421fdbe334dbba0fa5732fd25085cc2b73254f23179

SHA512
317f320cb4aaaf3c73d1bf297824b50b2a607ac65781a0cca62ab7b2185c54d3bc76e1d602cbf75cd2daddf7801902a37b789556c31d98c19647da7d1ee8e471

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00002.jrs
MD5
55fe6ed3edbe187ab30a4fb0f62b7555

SHA1
f684bacd79296738a2732aaf63ba105de8a3d997

SHA256
99b9491a996457f6eb406256ca550bd77bb4ada6bfa4f19ea37536ed535230ba

SHA512
8dfab9bfdea6f85b858430dc072892e675996665757d643d1b5548c706889d6f52b2ddfad7ebb27778cdb7c4c86115f5aceaf53667264f6385757ac8f06e8c95

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
C:\Documents and Settings\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.txt
MD5
e7dc14683a96a3e21e4ba51372bf6918

SHA1
60819e472298bee91003ddde28a0219cab2d7eb2

SHA256
c4783cadc7b80eddd95c2216c5fecac39b7b19c7675cd03a46b4bc251983477f

SHA512
f997605aa9ecbcf7361e6a58e70c108d28137551e693e421975f60cc014b2d7058bcd89bb6b0636649b5f5df24d0f9c84e96df0932b0d98be965dde7a5289885

Download Submit
memory/1276-54-0x000000013FCC0000-0x0000000140057000-memory.dmp

Filesize
3.6MB

Download
memory/1276-56-0x000000013FCC0000-0x0000000140057000-memory.dmp

Filesize
3.6MB

Download
memory/1376-58-0x000000013FCC0000-0x0000000140057000-memory.dmp

Filesize
3.6MB

Download
memory/1796-55-0x000007FEFC321000-0x000007FEFC323000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads