ryuk | a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622

Analysis

max time kernel
167s
max time network
144s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
Size

208KB
MD5

fb61f86d2ea604337ff2da9aaf4585c6
SHA1

c5c63525bda35a317348adf7f2bd7eae9dee6de8
SHA256

a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622
SHA512

a8f03d7c63f974556b9c7a2ec12ddc14b7f6124f8ec74520afb0a00e124fc932f07050d1ae64d5be600d08bc5f518a7c458d5ae4813234c32e6ed6b3a982bc69

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops desktop.ini file(s) 34 IoCs

Processes:

a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exetaskhost.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exetaskhost.exe

pid	process
1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
1172	taskhost.exe
1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
1172	taskhost.exe
1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
1172	taskhost.exe
1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exetaskhost.exe

description	pid	process
Token: SeDebugPrivilege	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
Token: SeBackupPrivilege	1172	taskhost.exe
Token: SeBackupPrivilege	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exenet.exenet.exetaskhost.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1548 wrote to memory of 1172	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	taskhost.exe
PID 1548 wrote to memory of 1308	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	Dwm.exe
PID 1548 wrote to memory of 648	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 1548 wrote to memory of 648	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 1548 wrote to memory of 648	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 1548 wrote to memory of 848	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 1548 wrote to memory of 848	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 1548 wrote to memory of 848	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 648 wrote to memory of 972	648	net.exe	net1.exe
PID 648 wrote to memory of 972	648	net.exe	net1.exe
PID 648 wrote to memory of 972	648	net.exe	net1.exe
PID 848 wrote to memory of 1676	848	net.exe	net1.exe
PID 848 wrote to memory of 1676	848	net.exe	net1.exe
PID 848 wrote to memory of 1676	848	net.exe	net1.exe
PID 1172 wrote to memory of 716	1172	taskhost.exe	net.exe
PID 1172 wrote to memory of 716	1172	taskhost.exe	net.exe
PID 1172 wrote to memory of 716	1172	taskhost.exe	net.exe
PID 716 wrote to memory of 960	716	net.exe	net1.exe
PID 716 wrote to memory of 960	716	net.exe	net1.exe
PID 716 wrote to memory of 960	716	net.exe	net1.exe
PID 1172 wrote to memory of 1568	1172	taskhost.exe	net.exe
PID 1172 wrote to memory of 1568	1172	taskhost.exe	net.exe
PID 1172 wrote to memory of 1568	1172	taskhost.exe	net.exe
PID 1568 wrote to memory of 1540	1568	net.exe	net1.exe
PID 1568 wrote to memory of 1540	1568	net.exe	net1.exe
PID 1568 wrote to memory of 1540	1568	net.exe	net1.exe
PID 1548 wrote to memory of 1480	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 1548 wrote to memory of 1480	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 1548 wrote to memory of 1480	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 1480 wrote to memory of 1228	1480	net.exe	net1.exe
PID 1480 wrote to memory of 1228	1480	net.exe	net1.exe
PID 1480 wrote to memory of 1228	1480	net.exe	net1.exe
PID 1548 wrote to memory of 5012	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 1548 wrote to memory of 5012	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 1548 wrote to memory of 5012	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 5012 wrote to memory of 5036	5012	net.exe	net1.exe
PID 5012 wrote to memory of 5036	5012	net.exe	net1.exe
PID 5012 wrote to memory of 5036	5012	net.exe	net1.exe
PID 1172 wrote to memory of 5232	1172	taskhost.exe	net.exe
PID 1172 wrote to memory of 5232	1172	taskhost.exe	net.exe
PID 1172 wrote to memory of 5232	1172	taskhost.exe	net.exe
PID 5232 wrote to memory of 5260	5232	net.exe	net1.exe
PID 5232 wrote to memory of 5260	5232	net.exe	net1.exe
PID 5232 wrote to memory of 5260	5232	net.exe	net1.exe
PID 1548 wrote to memory of 5268	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 1548 wrote to memory of 5268	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 1548 wrote to memory of 5268	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 5268 wrote to memory of 5296	5268	net.exe	net1.exe
PID 5268 wrote to memory of 5296	5268	net.exe	net1.exe
PID 5268 wrote to memory of 5296	5268	net.exe	net1.exe
PID 1548 wrote to memory of 16756	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 1548 wrote to memory of 16756	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 1548 wrote to memory of 16756	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 16756 wrote to memory of 16780	16756	net.exe	net1.exe
PID 16756 wrote to memory of 16780	16756	net.exe	net1.exe
PID 16756 wrote to memory of 16780	16756	net.exe	net1.exe
PID 1172 wrote to memory of 16796	1172	taskhost.exe	net.exe
PID 1172 wrote to memory of 16796	1172	taskhost.exe	net.exe
PID 1172 wrote to memory of 16796	1172	taskhost.exe	net.exe
PID 1548 wrote to memory of 16824	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 1548 wrote to memory of 16824	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 1548 wrote to memory of 16824	1548	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	net.exe
PID 16796 wrote to memory of 16840	16796	net.exe	net1.exe
PID 16796 wrote to memory of 16840	16796	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
"C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:972

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1676

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1228

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5036

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5268

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5296

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:16756

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:16780

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:16824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:16856

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1308

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:960

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1540

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5232

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5260

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:16796

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:16840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Acrobat\9.0\Cache\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Color\Profiles\wscRGB.icc

MD5
01c853ef362c9d5fc48dcfcf1fe4d12c

SHA1
909064cb5fe9153bf82a7c0a475002599694aefc

SHA256
5258676a30cd6d49f0af6434633e61c6a8e160e33a1cc8c6dc137dc674af61eb

SHA512
45aab57c8624e65f8e701f7c3acd20b5b1fc5c86324c8347fad298a7c5503db6b8a4c7e489547c0fe6cf14ec9cb795ec051b79081bff870b5ec44635f7b1f124

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst

MD5
acaf19c16ad9fa478c8e90fe50227698

SHA1
6297a17c0f2738fd744c9214057f283579e730f3

SHA256
29bbc7e264ef6800d4167a12eab92f93cc444c008b010c0c5f2772d52dac3bb0

SHA512
adbf4f19925f7036c2e4431f65cb2681ec9e5ed84bf49cdf3a382d6d2e6cc8201913c3d9f4126455451b435520104f84de5be34642753407c61be5ad3ebb286e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst

MD5
acaf19c16ad9fa478c8e90fe50227698

SHA1
6297a17c0f2738fd744c9214057f283579e730f3

SHA256
29bbc7e264ef6800d4167a12eab92f93cc444c008b010c0c5f2772d52dac3bb0

SHA512
adbf4f19925f7036c2e4431f65cb2681ec9e5ed84bf49cdf3a382d6d2e6cc8201913c3d9f4126455451b435520104f84de5be34642753407c61be5ad3ebb286e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Adobe\Color\ACECache10.lst

MD5
73916559bb8dbee5fa9d3bde54a2ffb5

SHA1
4ad3f5109185b53c1406ea17c506e91e32b2c62b

SHA256
944358549ab79b297d8849827606431a5d2e7ab2edac0b451c338c1af26ed431

SHA512
be6e20085b45b76c6aec53df5dfd244e768ff493e1b43fec001d567b58f6ec97a3a6187ef073bef95435dc7d1e78eff718f49f0d8fa88fef6c4f631d2a324196

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini

MD5
d3124bd8d9c933bca5188634af87a3c0

SHA1
8448022a91efce83e75d49c2459f3b7b397e010a

SHA256
b5bea59ad4a81a9ff29b0952c820cea8ba6a7044b61021a088edba73fb43ecca

SHA512
551a7f596de9642d66904f6490fa9f199d5889a41676b69097b29f86bd5898a5fc96c9f7916018adfd397a64715df3dd75364333399e56fc13ae97ecc0d7fea1

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db

MD5
e90d0f7bcd7a3c41369331a1c3bf3d10

SHA1
89afa1b2f7322e2219f456ef0ba5ac0cdfe43cab

SHA256
5ebc6e4081b2e315a7d82bbe418090784aa5fbc04781ba1fc7033290b196c4b8

SHA512
101329d39694a80339d6621e95767d4e6887740a4dc586086386abed0cd431931d9201243598a3092f6039e19a520b0da71b714246ebcce8fcac1e0a2777e7ee

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00000.log

MD5
51709b88ad45d36ea7e2e7027a964e6e

SHA1
700c46d6349969a0f6f6d66fd3d62fa8857fbb2a

SHA256
7dbd3869bb00e3c9fc387282a452e22767de03dd9cb3ea7f64f6783449f9182c

SHA512
80dc186a4ee21c1c21ef8facf42c7ed823f963c81df02314fd2b109ee5e3186e2bf139dedb26f75f4df44f4633092efdb0a17eed89ecaa7637556be84443b433

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00001.log

MD5
b5a6c0ceb55d79a2a94978bc3da2c0fc

SHA1
376b91bc1cff5b9a91f0d9af767d2f576aeb740b

SHA256
2c83bebbebc79ab5bd2b81607a1d5f2ed518de33d23b76be580a337a31ee924f

SHA512
3f9f77a26d6d352d43b0389b27671153d862bbc6d1e0e73b2e3ff4ace7272b25f3ec452ba48e0b2cc1ae99ed2dd6b2359651fb3d54173d8d1780fb14ea64961a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log

MD5
520576b819e6815ac8a5925c3e266220

SHA1
90e1b21417e12868a31f833d3fe04f3f3cede515

SHA256
e382b4160223cef5760d82664fc8cef69fe339c6552b5bbb7ce50cb1b2699175

SHA512
7be1445068270eb2f41c455a4ad7e2ae3a89003ec95521b80c21a682aad6b20f326acfa5ac1b97dcfd90800727840e6497bbc6e328781ca3ad8ff89e6d7474d0

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGIFCB7.tmp-tmp

MD5
784e30c80fa31b219a8f868219804efa

SHA1
207852c2bc03cc53674dfaa72644a50547afd356

SHA256
b3269486fb8698385f103c13c273c4873e3a9e1644b7cc3103dd06863b28fc0a

SHA512
2a1aba419ee1fed51a6090e900393b433be2dddb869b0799ac81beb1b5cb6bd757bdc6cf31c98a3cd24fd5d3a2f7e689d6ab24ae44db5a5b56046a961d5ce759

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log

MD5
fee6c884e90819904f65a814304bab63

SHA1
a99a4844bc7c6b953d3f862c50b4d7c20b187389

SHA256
8f19d53bb35247f3e4798944d37f9e16594ab68c72779180669159580c44bb91

SHA512
85ca03bbc6fa55a887723c2d718ec0ce7c2a997026f4889bb249cb2f0d0bec9b44def19ebe7ccef88a8b65d2098e86490f145588abf2ba609d38bfea49204730

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_SetupUtility.txt

MD5
f6c7e7643f15d868318d5ac799003ae1

SHA1
bcf8019fc730c955878f49e267e5adb1c546b25c

SHA256
96c73ad8933687ef109d6992ebec164e23768e25aacacb7907b2d11e4b603393

SHA512
cf1c119a87b12b8a590e2e7ab51713f9bd06c9bd53e585434331f9d6e46fc1710d7b820a24a680985d813d35f7680683e8e579719960918e00b84c648ea8ebee

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI1E30.txt

MD5
cb695a1514142b91728a1d5a4eb5ebe8

SHA1
333d9d4777c7e8f3ec83ca6f1e881a857f8ef040

SHA256
2b1d343b8b431b6b24ab113c8600d48759c8d85cfbb4f6011494689a125c8696

SHA512
571a5dfecbf3dede917fea17677ee78822d459627290232b929e7dcee131d93671a9397870d0ff02efe886b664dac42507c573a2190eba71d5f73fe685de34b8

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log

MD5
b061343869d9f92a5882139f49c35a69

SHA1
e51255c020e5e823126300683ee77b6af4c64bcc

SHA256
b5930be2eb0c58c314a20c0ef2ddf3529e65ec03daeb019d6b81f844e8d78ec3

SHA512
7ed54bed13c9f4b0654d7e859caf9efc276948362fd6fde6844521fcdb16e71d4fbff26c32e112967527958f2a681ea09851b9cc80d48a6b8b0d08fb61223bdd

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini.RYK

MD5
a277a8efc5cca6e345786a7602ca841d

SHA1
902a267e64e92800035eb98c68931137f315eed5

SHA256
0adc42f62bb01a0de2ffbeb2720ecf375bfb2496aa9dfa80860bb78ea3f6068f

SHA512
a8cd6e96e0105eb06c86a6f02419bd04f477675a1b338c4b19d311369ab9f15637b00bdb938426713857374b4ceda9116c5a5e4dc6afac0756dfecd7e564969b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini

MD5
7d4fe55f1b6a369129a3c2f0b4d7790e

SHA1
6bc316c8e111f8e3ba70caca21db1207bd30bf2f

SHA256
e1c6dd7c0649a025ac2faf69de89e8e1e8769ca15ba3b0524245e083174928f6

SHA512
4c95427eb33850fe0f2ab6cb145a8b718a1417cb5f4c4cf35b24323942433f921fc58904dbdf988ea964ae05b563deb27ce99db3b9bd0ad34be30de5abe4eb1f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini

MD5
c654cdff7830003a76cedeeeb6888d59

SHA1
c2e8914e01915b74156e8dcf9ee82fc7a5f6b0dc

SHA256
fb946aa16d0ed892f201b508b2ff51c10b78523ce3ce458acbc57f875956bf06

SHA512
248983fc727fa5955f4a4fc8a30026adbce91f30f977f805bf2a520698b677d69cf6a325a3f4bc8b3d46cbcda3ebdc7ac95e328e8f0bfc2412abe4b3095bcee6

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini

MD5
4b50ee25323a5219c498026b2e7ded41

SHA1
78b6e84285413123d12655afce1ee0be6905af33

SHA256
9a804096ebc5bcf18a4167725f3e9c14f23214c90a341c4d3bcb1bc4a3af6a24

SHA512
7da2885416024b6a9ec72d87bf2c37b2b269c3a0a6ac8d945df5324330afdcfdcf3041ff99b3956ebcf39a84fc50b48758399e084d59aa1ad9e4700ac54dee2b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini

MD5
ad8ebe2bf4dd3ccac9d56db9fd90f390

SHA1
accc23103f1aa26ac753b999c3c8a7faa8066234

SHA256
af9ddadf5803d16e5fb4e63c133181f6fc6a7b2cbf78494b07054b957fbdd24d

SHA512
2bb88dd794f441d7355c6e3ace2a421001a82d7fde7ba1b44398b8394514e810cc8dc87017af233519c7e70f5026ef65a8ffd028923adb61280a0ba85eaa5c80

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.htm

MD5
d43bcad08acb83f9beca747adc3e0e9c

SHA1
4c0dbec64de95bcc76c0044da2c110a442dd1c99

SHA256
ef477065d261cd39b6568a8394c9cdadea402df20540ae31d56c8a5694e0ba5d

SHA512
459236a341ed76adea1a381c3bf982fbac72544f36401780aac314fd75e82a52a8d297981c8aee3f177ce18c891f54b4389b2705e91d5fb2afd9cb4791603a58

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Graph.emf

MD5
143f009777ca7a62e75c87bdf761c24f

SHA1
736b2de7861ad8605eab306a89c7d640d965af01

SHA256
e3fe4aeb8f05b8bac335000c6fcb47b15d15b7e4df96328ceba49a0d5fa25ee7

SHA512
4e4d9bf2e3403988fcd464b971d8786d513b5fa3842c6f8f11851bb692cb3d5b36c2de19e544bcf152885629ae5543f68839a23c1f231c9c2f14a1f7b29c3dee

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Monet.jpg

MD5
126cbb81bf4034052eac10e6bdf29e3c

SHA1
c4ca6574611092f18ef1e2c17c7bd80936a6b195

SHA256
e1b1572d6abd09958cd2aa63ad894eecfea7f5fe73894332aa850bbce7af350f

SHA512
567081e2b63942e647c3f4021cffb9d5511ab13b2d12f82103c5655512d086f9664e45cd594d0c16fb0655162507f2f1358a00936f8fe49c44e8eb183a578bff

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Stars.htm

MD5
ffeeca3b7d7f5c96245b3b2964140acd

SHA1
6cfece00fd90635067f62e3d1a9e673f6a929e6c

SHA256
8dc93b5b87260d35f9877a8813b9ed5568a17f55654a3c40f7a0bb9fdb22f0b4

SHA512
d7c773f88f7e594ccdb3c737ac2f18577a06ff256994ac7a5ccf68d7b6dc74e8bd3c316c69ca1d26ba705e4d2dbaa8964cbeec977f91ccd7b84b838bd0c71025

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.log

MD5
79774e4a971bda80f142bb79cc69bbc1

SHA1
7d83d36b23d06badd9676e004c7cbefd469422c7

SHA256
63079188633d88c7a4d232ad917dcd10c3ae110b59cbd986ae453b964b9457f5

SHA512
06e0e7550a7d36982fc3fec2e7920cd215fc44f90e760c9931c2d890ac28e86f067d4f5b7aa15c288547df3adb21697b90e11e78a92af8479968b2332ec35fb4

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb00001.log

MD5
c68c953ae9d004abe99ee9e33a7b3bc0

SHA1
6dd0bf56551d314317d71d84b863711ee214694c

SHA256
4db0257584b65c86181797ead963af6bae4b19e872c3646915de34c10a287b74

SHA512
887bfca68303f587a331c76f3b47d7588696298a89bb0e64dd18531c3e294ec323410c3d248ab988b1c36060cd777b59a8249a27d7222850828306b69635445d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00001.jrs

MD5
ee5d0c8e1a7e15dbe5b7c77822c1af56

SHA1
4943d9b20cda2a8d521077ba9090440e741c6b0b

SHA256
185879f3abb2822fbb72c5c3db966b4c0069ded26186b55774a4af4a0c0fbfd6

SHA512
e1c7a849ce3bcf3139793b94e0afc29aa0b0bec96802b19414faabc6ef7b0ab3f401f4f3b81168a2ac9924aeffc3dda6b09345c578b6583a8b6367af529dc1bb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00002.jrs

MD5
e6c9c2f9fa55430d972d076aba19380d

SHA1
3be7841c71d616b349cde9b22dceacd54aaea931

SHA256
b14748dd79441e96974d0c84e10f7bdd36a8525158ec8737911eecebb8075b92

SHA512
c9c286689065944fdaf94a928e2964994300de4211e48ac1ad2d0aa850a59166caf2369364bfab1c25f2dc5021b23e6f683abcc9d4d6e03e7cf93cf594312add

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\Documents and Settings\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.html

MD5
99065eb0c3dabc9af340686a9ef1ec2c

SHA1
126a0381874b292b7c64e6a9775522d18bc00ce0

SHA256
d62dd59321401c32b2fa3108d4946e15e039ac3cac122ee49b1ffacfeae083eb

SHA512
589611b142a42f67537700fbe2ad4136229dbcf0ca86b215bfb774b5a7a37ac519c8e9d3506869ce388aa10850c58176380856b04d06d265d422cc8b90a98d72

Download Submit
memory/1172-56-0x000000013FA60000-0x000000013FD3C000-memory.dmp

Filesize
2.9MB

Download
memory/1172-57-0x000000013FA60000-0x000000013FD3C000-memory.dmp

Filesize
2.9MB

Download
memory/1308-59-0x000000013FA60000-0x000000013FD3C000-memory.dmp

Filesize
2.9MB

Download
memory/1548-55-0x000007FEFB5B1000-0x000007FEFB5B3000-memory.dmp

Filesize
8KB

Download