ryuk | cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c

Analysis

max time kernel
184s
max time network
141s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
Size

204KB
MD5

b2a8e087a58b7ae25ac3c85f8d468ebb
SHA1

d3d39b86f3fafde2c21f4d304a04ad579965f19e
SHA256

cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c
SHA512

032a2b686215d1c108397c8af88420550fb9e5cb0d91d24539a3d9385dae816dbc45f409372cb3056e87fd23c32fed0469a27e7c4f48398c3c7108ce8e376c0b

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops desktop.ini file(s) 60 IoCs

Processes:

cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exetaskhost.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\Links\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\Desktop\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Music\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\Saved Games\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Downloads\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Recent\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\Contacts\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exetaskhost.exe

pid	process
268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
1260	taskhost.exe
268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
1260	taskhost.exe
268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
1260	taskhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exetaskhost.exe

description	pid	process
Token: SeDebugPrivilege	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
Token: SeBackupPrivilege	1260	taskhost.exe
Token: SeBackupPrivilege	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exenet.exenet.exetaskhost.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 268 wrote to memory of 1260	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	taskhost.exe
PID 268 wrote to memory of 1252	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 268 wrote to memory of 1252	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 268 wrote to memory of 1252	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 268 wrote to memory of 1644	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 268 wrote to memory of 1644	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 268 wrote to memory of 1644	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 268 wrote to memory of 1352	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	Dwm.exe
PID 1644 wrote to memory of 592	1644	net.exe	net1.exe
PID 1644 wrote to memory of 592	1644	net.exe	net1.exe
PID 1644 wrote to memory of 592	1644	net.exe	net1.exe
PID 1252 wrote to memory of 1840	1252	net.exe	net1.exe
PID 1252 wrote to memory of 1840	1252	net.exe	net1.exe
PID 1252 wrote to memory of 1840	1252	net.exe	net1.exe
PID 268 wrote to memory of 1088	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 268 wrote to memory of 1088	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 268 wrote to memory of 1088	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 1260 wrote to memory of 1696	1260	taskhost.exe	net.exe
PID 1260 wrote to memory of 1696	1260	taskhost.exe	net.exe
PID 1260 wrote to memory of 1696	1260	taskhost.exe	net.exe
PID 1088 wrote to memory of 1552	1088	net.exe	net1.exe
PID 1088 wrote to memory of 1552	1088	net.exe	net1.exe
PID 1088 wrote to memory of 1552	1088	net.exe	net1.exe
PID 1696 wrote to memory of 1820	1696	net.exe	net1.exe
PID 1696 wrote to memory of 1820	1696	net.exe	net1.exe
PID 1696 wrote to memory of 1820	1696	net.exe	net1.exe
PID 268 wrote to memory of 10036	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 268 wrote to memory of 10036	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 268 wrote to memory of 10036	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 10036 wrote to memory of 10060	10036	net.exe	net1.exe
PID 10036 wrote to memory of 10060	10036	net.exe	net1.exe
PID 10036 wrote to memory of 10060	10036	net.exe	net1.exe
PID 268 wrote to memory of 10328	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 268 wrote to memory of 10328	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 268 wrote to memory of 10328	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 1260 wrote to memory of 10344	1260	taskhost.exe	net.exe
PID 1260 wrote to memory of 10344	1260	taskhost.exe	net.exe
PID 1260 wrote to memory of 10344	1260	taskhost.exe	net.exe
PID 10328 wrote to memory of 10376	10328	net.exe	net1.exe
PID 10328 wrote to memory of 10376	10328	net.exe	net1.exe
PID 10328 wrote to memory of 10376	10328	net.exe	net1.exe
PID 10344 wrote to memory of 10384	10344	net.exe	net1.exe
PID 10344 wrote to memory of 10384	10344	net.exe	net1.exe
PID 10344 wrote to memory of 10384	10344	net.exe	net1.exe
PID 268 wrote to memory of 16580	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 268 wrote to memory of 16580	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 268 wrote to memory of 16580	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 16580 wrote to memory of 16604	16580	net.exe	net1.exe
PID 16580 wrote to memory of 16604	16580	net.exe	net1.exe
PID 16580 wrote to memory of 16604	16580	net.exe	net1.exe
PID 1260 wrote to memory of 16692	1260	taskhost.exe	net.exe
PID 1260 wrote to memory of 16692	1260	taskhost.exe	net.exe
PID 1260 wrote to memory of 16692	1260	taskhost.exe	net.exe
PID 268 wrote to memory of 16708	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 268 wrote to memory of 16708	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 268 wrote to memory of 16708	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	net.exe
PID 16708 wrote to memory of 16740	16708	net.exe	net1.exe
PID 16708 wrote to memory of 16740	16708	net.exe	net1.exe
PID 16708 wrote to memory of 16740	16708	net.exe	net1.exe
PID 16692 wrote to memory of 16748	16692	net.exe	net1.exe
PID 16692 wrote to memory of 16748	16692	net.exe	net1.exe
PID 16692 wrote to memory of 16748	16692	net.exe	net1.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1352

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1820

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:10344

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:10384

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:16692

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:16748

C:\Users\Admin\AppData\Local\Temp\cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
"C:\Users\Admin\AppData\Local\Temp\cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1840

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:592

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1552

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:10036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:10060

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:10328

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:10376

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:16580

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:16604

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:16708

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:16740

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc
MD5
45d565e1bd4cd4ea893adaa862b377d3

SHA1
a15750b60fae3803916bb165bb65d38920b2b695

SHA256
ced95a2f1395c6ce820ca5dca28aa9dd2183d6921a6482875a9026c25d6ba0ae

SHA512
6a647cd3908ae9c07a1747e7bddf173bf4ec099e4a8ac0d7f2ab8dab3e2a4e8a53651df173912bd73da972d56e6fe03e66c607114403740028cda212cd98c7b3

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK
MD5
9d12765a538ef0eacea83578371e0b6c

SHA1
169741bab525305c967102edf18c60250c90b1a9

SHA256
4f236297dc1d97736ea375f6d06b7d3f8b56c5ba7fd4315c0482f4c3c2fc2d54

SHA512
470f55c7f766644568b706cec6e16a524b5e86ae1b5aeed07af8e1480468417336f0ca6f4261f3d11d4c32e110f7feb1d105ac088fd11c14aaf0635c6d9942da

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Color\ACECache10.lst.RYK
MD5
355abe9336f29ea7bb39e8aa8643955b

SHA1
d231b167064695495c05cd1a585684896dbcfa8d

SHA256
371518169b62105f4c09f458e6488a634a51f1b1e2d755fc4e8f57ef08678ce0

SHA512
b9174489be5ec54587284ee236678a66d81affdf75b2bc843c32b5f02e4f3d1ac78433f619a87e8d0dc32437a672933be096db456918261af79d0fd165b7333b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Color\Profiles\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Color\Profiles\wsRGB.icc.RYK
MD5
99f920055aad84897c3ad62a155f4d1f

SHA1
e77b8dae609ab0c20e0f81484b5d091f4068b705

SHA256
9f9ffc94fecfb76d1f196c818a2036d942261a0ac8da250a43e3c97e126aa7a7

SHA512
d96d74f96f192d35bb9e1577f56f56ba8cb7206a2d8a8fd05d3158eb36bab122ed7413bc66d65a13d5c3fc5e6b4c86c313275139e007f8935c45fb117bf8489e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini
MD5
90da434bbab9dec408951d26348216ca

SHA1
24ef08fd8a0a4142e38c7b234b744e0ff5662156

SHA256
b7e72b9897296d230a5332ce753e2ce9a222d65061ab7eed89fd9e2ceb8b04ef

SHA512
7b37e3fb8dbdf7319175f72f4ab138bc6456b6fe19d9893954643516700adffc46aeea118eceee94b910214b09c695017daeea3f275dff010d439c2863030a20

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db
MD5
6d33af509329805f768291d8df231b0a

SHA1
585d1b9b7b59b512ec9609d284668af241066b76

SHA256
35daef1dceacf9c5bd2c326086c33861ce245da1488ff86553ee95259a586b57

SHA512
f41e64c5649316736f43c7782a1e5f1ba11e55eaeb961d0f2d1af32ff4cb443bbd132ce511e5d29d5eaebb39e53caf9a4ceb8ba583b50914abbe4c9bddba9df1

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Admin.bmp
MD5
828eb0da9d0490f3f3474e2cd12b33f8

SHA1
720658bf228746732a9e2124a91932e6fc78036c

SHA256
91ec31e99dc6498962b01639bb196c0c313d4870f086aed18933f48be7d972f1

SHA512
4114999e8814b2bc99cede91a2216e62e60bf26509093d1a539caa007123a8939f99f456cb720aa558df00d7a658f02147c1ec02328854fd28230626a4ff6a57

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log
MD5
01e6735e53e2e8f1a9c7239f7c487fac

SHA1
0ff10560caaa3eec8803613a0ab876f0cb3112e8

SHA256
2e126a242b8be849c675283c691263e96d414e91c4ba75120e3571bbe417aed7

SHA512
ea9a658d67f28b88de105dcff7c9a659e13cfb82c8203ee28443e3be74b1df8d804e6b5f7b0d1207d283c5e7a5262e649d1651facd5fa73a25331ad65d13e951

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
MD5
103e6958469797649e57107175ed8686

SHA1
f5fdd4c6b348b187bac70edfd659be271fdfb563

SHA256
cd0e3632723849e29a129cd9df4366e4f29bc7f6acbe6651ab8a2aa3fb073ab0

SHA512
b8ddb75cd8295b415af3a7edef311527ac350a01e3d9e1f93e21f9ee129a40a2f5cb154b41e3f4b16d1273af402451d0ed8b622bf2af92fcccde7a5e5359ffd5

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_SetupUtility.txt
MD5
b5e59c9c43b42148ba13e5661bdb8a09

SHA1
643679b72156f4541c95efd303e3253f11f5d3f1

SHA256
cafe58136ac87cce86ce7d0703c2e915d58eba30286ff7a0eacac2b82ab06f97

SHA512
72e99f7091c504a5450d624824110894224e56bd0c15e65f8665b7e2a0ec1e348a0f709c253adda007c1a9daa7b23692363ed14dd4fd50cd10172b3737efc09d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI37AD.txt
MD5
0922b0445027807cd9a74b26670afa7a

SHA1
cfc450b6528a57cea06e198c102d7ba942a519ec

SHA256
d7f18f380f018bd639fae1c0cbe36aa15ccac1d52d2c6ece6687235eb19459ee

SHA512
9cf620cf6ddc85221a4bb00363f814154dc1855f9100a8b2a2de9f79107439b90ac8068f06ebb1581b16c0d95b9007f2733469e5d032a90df17ed415966e7855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini
MD5
5204901d67f909fe3d2f1e438b7a5cdc

SHA1
bc7813a05e91aeb0e45df25090676913a7442b9a

SHA256
476fa4c629075cbaed0d994471ef94f538d5f2ba0fbbc7172d5d173adfdb0d10

SHA512
d9c7957c1bb47cf4802ee4b608c2586120fbbaa0b1fcc0445920cac915476f2493236e2c472efbffab082e754d2ec21c8935acf773d70e37d2d88c73eff117af

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini
MD5
091a36db0ca260fc3221f44b7bfd6145

SHA1
d565edc9f13b3bb2efe572c3cc07d9d1e90a5b74

SHA256
ffb6d80290e0512fc3ab7fd459eed4524db11ab1a3ac31e554541ddc3bd4557b

SHA512
7c30f941a3d2cd416fb1c5940e90e650920473b7b4e9eb1b1482119abe0b78610610e9b016dec031abdc933f21dddd20445e0fdda56f0f6cf83f9df8d07b6c1e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini
MD5
dd20968910226b2f005ffbcc57bf30a3

SHA1
f10e02d73935aeadca56566e251a5d5251815bdb

SHA256
e0b5f7609c69d4c629229db479bd5f9183cbb34144098edfcecb6b387257d643

SHA512
235b0403d68a0d402cc17f61788be6a15f4f7600ea59bbcf1bd8cd14ce56f1fcc4283923bbb03d69a7a2c963e2a13a15dac59ba1da53b46f49a1e895dded590a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini
MD5
5a6ce567b96a14bb8a6a141266e2491a

SHA1
c938837c712604ffad0829c8d816aedb9c254232

SHA256
3f0d016901e53e9db2784dc8e4c9cbf2e172fb0e329935e0dea252e44cb1fba0

SHA512
f3e50311d058dfe28cebba681028330f133ae208cab1b1f830201006d0a36b86dd570d2730f28637e033cf92d4dde6b9cd15cb72aa8d779ed4101c098c5e367f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini
MD5
fd7b53f96882f1211cdf2185f35788b3

SHA1
fc3059fd0ed855292df8e91c399f1dcf83da2cb1

SHA256
fc3ac850b31e52a66461fd583e9fb069b3713ec77366c1e725c0fc7261764451

SHA512
c1b35f80bde0da7edbe36802385c0ee11e8d16c8818148ec7541b7c531c3b534882d3e4de258c78fe920194a87ec38c889c8ed4ed79d13b9a2154a43b0426993

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms
MD5
e06380e2edf884098a8d1e776f19f146

SHA1
c393c99dd7f6cba4b0943a9adce60cc88c2cc915

SHA256
257f523397faf1b78e8971503b234633cb88f761d01097ef908d8a67747734e5

SHA512
6d5a49a3d3ea71ca6bb7e1cb3a27272667bd22843b580583ac8f10dac57d8b7548048a83459f5274c5597878e5ea3c14987bf09262ec48b8780e166eaf493f91

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak
MD5
8fca148824399a8fb6ce98609465ea89

SHA1
4c8ef8bf1f227cf09620bd06f762fa711caedcf3

SHA256
3461d63d13c44ee222dc8341ed929ca6aebc088447aa45e7f0f6d4a16c4eae7c

SHA512
bec6ab9c833a1721424afaf2f21805d3e9a9a243a6a95d850ef7621212f96d47cedf194b7e1980bd0676bcc2350ae76359ad8f9c3873cf8a9a1d4b1cbba079ed

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt
MD5
c23995b1ce705a8f4511a08655434c62

SHA1
43ffd5a908386d158a400e6e912ca11ffc31efb8

SHA256
0391fbd1c1c3230faf21bc58ef4917258530fd0274eb8d11cc9f05f145f01260

SHA512
93317853fad8dcb2195f5ebebcbf0e769df8729b2cc10601d454a1aa9c46f888a4446ff8c950b2da92e364843836a1156bc57d2118729555c37165b634e65a51

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.htm
MD5
0d2b7cfcad948e4d4548e68e2cc01fb3

SHA1
e25ecfe9efa1360555da84b55fcdff3f03938796

SHA256
a5dedc956c70500ceb73e782fe5f172fec6e56105cacd81a4cad34aa267ec6a4

SHA512
66bb3b55583347623fb61430ad80cc39daaaadf2015ad956b0ce41c9d6cdf1e2cef730ee085f64c7bf5fc7b4de5787cf2f1aeb87d3657b55319092d23ec69216

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.jpg
MD5
9943a5a5dbe6bdb01d61bcd355139c95

SHA1
e7d246f678fc1d86548dec9e53db95f0ca3571ef

SHA256
50f0c306de7b56f3dce414c410dc17f1782514606ca4b9f2c74b4d3d94339c89

SHA512
889dca834e0045260e7bd3a249af26e21bd40331ca50491c2c58ef129fd964c4769302f2352343668b47ea0cd8200e689cc9ca72b977294e0d6040b3a0a15483

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Monet.jpg
MD5
4de511b4f4b769770f5ad58c3b4b0fa6

SHA1
961d5a963d542f76dea5801cdde11b76144b5347

SHA256
20f2a27f32a4f9f2248f27fbfbf879bfada93da720d2b42a4c76e1c66219efcc

SHA512
f4c7f5bd43fd9e0bd97e1b2cecf7b14e4a561be6a2c0b9b3a1030fb9384d2737af0a7b83ace7b4d90d02f95306c116e3d54733efefeb02e5f41a1c470dfb0079

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Music.emf
MD5
dff856b6d1b4fa46379cd21c2f8cf6f6

SHA1
8f658afc54e6ba225c561121b4fec09f57c48c07

SHA256
f786110c6b726b2224338563474ce4f933697c5713d068bda28f6cc0cf8e9d08

SHA512
307d24d10cc6b916ecdcdace51712626e70cbb13130f121afc8499c806d805e8e7de8a6c5620c72a66fd3a52b70ae48063c6dcb6ce03fc4409fb7c572ca8fba5

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Roses.htm
MD5
b8b26298f09a51bc551a8d3b788969b0

SHA1
b9aa4b337898312df0ba6071236baa5a83392a37

SHA256
64ff20bb93699ea1799a51589ae66d192e2d75a5a6f0a7976848d9087efa3ce7

SHA512
32119746c63d0d0b4ec4922af18d245fe66c137e7f4b57faff556dafd2e60a85cdd2f767db42efdaad2428d07a142f917d31170f4987e3435396d17ca361c0f5

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Roses.jpg
MD5
dbefb70b1c6824544a6f1454dc6b6a7b

SHA1
e0079a308c877e161b52a6ec58685a71f9b1cac0

SHA256
7d95ca00fcb75521fa3550f5f84825bd6a91c1c4575d04c9eba7d6ef3aa34f04

SHA512
f68b4bc0582acacf295252299488feadfa2ddfccb98bc3db6f5127fd1f9490165ef67ed034c0ecc66834b46f44558c7cff4b81463ba82d1c35c24cd4abe28171

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Stars.htm
MD5
bd8e286490829fb540df81ad4c6109e9

SHA1
1bd68aaff42ac49047d373a73c19989e61204ba6

SHA256
1bfbbd259dc6bdd0d00738efca66ceb470088bc9a7e36f3544b112991d016210

SHA512
0594f593265df5dd497c1af7de4999c313e27b72bd1a6d32a76932e270c52458678fb982bfecb54dbacb62651d185211f5bfab7295355c9d388a2a05c9c286f7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.chk
MD5
4a50be6bcac8032a71a6b84de5936b0c

SHA1
77fbf80bdd8a097d25f33fd8b67b2d5b2cc94d5c

SHA256
aeff73a9f0396c2e5d2a8a85c84bb1a13759ce75872c8ebefd929d1b9245f586

SHA512
f3f8e2a3ae1588562fdb469f03bc64c6bc789c899189d11c002eed26ed0e945f176e7876966906cccfaa35a386718f4b36704e075c524689cf18d5c5f3d8f7ad

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.log
MD5
06fb03d3d4bd287ef7a835a9cbe2c001

SHA1
da1c454e4849cc603a36887e879f806c2179daae

SHA256
d9544231e000bbdb7142db1311b15522e079223e39dc03bafd6c3be083ce2225

SHA512
148dd4844475194ee5fcde2bb1833a9869a3c6c722fdf855f35896747500ccd0d00976f344ee98b04d3f25a6be1a362b6a92f175d4fb8384bcbf20d94b6f0c5b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb00001.log
MD5
ac3f828c2e233e2ff585539d7837107d

SHA1
215cf17c614bc4be46e1d3b083d62b1609ee1c8a

SHA256
4c4e51c408aa4b08d7b01f3f79305066ac45e6f4a26111c32f4181e73cc54819

SHA512
26ae6b2899d9171361344617b2ea1b627c6742ed3706ba97cd7888d2ce028d2018bdbc87b7d4c56785e554c79d2125d3551d2b9375970961bf554cc88e62455d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00002.jrs
MD5
e4d6d0ba561c3f21096efef6ebd08499

SHA1
97d6c23b16cf33a3e68df7eb6a7bcd6f5cf6e01c

SHA256
74ef1bd609a842b0037a2c01061e9729f99c848b1866fb66453ab867b53bd658

SHA512
ddb375447273a9c15fff84f65343c7f9d9cb09df0974e11e210f51cf23b39b3dcbd2d449b3885f27287ac3ee5bbe790093cfab5820e8171db37e37c87b71a754

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Media\12.0\WMSDKNS.DTD
MD5
b3fbf3f75e9fbf980bc4f72d48991eeb

SHA1
445fd9d52df50179530092b2c5b6977e2c96689a

SHA256
86e41b10faa054e679698e453720dd6e1166b265c70e5de17868deba506b0885

SHA512
2af3fcee5325bb7bd8f6b61b4092600cf7dc024ef327d1d610d84294ab4c970562af16606242f7b5002229e424f8bd7200ff76f6459ef8bb57f6a23d1ccaa407

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Media\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Documents and Settings\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5
75b3003ed17001c90e2248b993cd5d38

SHA1
a9c73dd79a2896e8043460d3b3ed3e5ab864a9b4

SHA256
d29eba7cbdee943c11096819cae4ae55732cd1fc1597be39dcfa02d21243ad49

SHA512
a7d8c83af454f86ba48ca5e90581d3f2c7d1b1b7e501b74aa40d0b21bee68a17cb55c2a75594bcd80eb4a21221a346fa67f31e841dd34cc376df9377422d061b

Download Submit
memory/268-54-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp

Filesize
8KB

Download
memory/1260-55-0x000000013FF80000-0x000000014025A000-memory.dmp

Filesize
2.9MB

Download
memory/1260-57-0x000000013FF80000-0x000000014025A000-memory.dmp

Filesize
2.9MB

Download
memory/1352-58-0x000000013FF80000-0x000000014025A000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads