ryuk | 7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9

Analysis

max time kernel
167s
max time network
145s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
Size

203KB
MD5

071ccc24faaf0a8577075b7466293e8c
SHA1

8beed359f92bfc5e14384783526f77049eb2cb9a
SHA256

7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9
SHA512

454f5db75da3285cc28795078b598b8995d6a3fd586084b68c583029455a437905b5e58451992b3277ff61a1cd3b09a6107d4b94810128a738496137c4a62f90

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Only we have exclusive decryption software, suitable for your situation. More than a year ago, world experts recognized the impossibility of such encryption deciphering by any means except the original decoder. No decryption software is available in the public. Antivirus companies, researchers, IT specialists, and any other persons cannot help you to decipher the data. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM � files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us a [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops desktop.ini file(s) 64 IoCs

Processes:

taskhost.exe7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Contacts\desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\Admin\Contacts\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Links\desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\SendTo\Desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Music\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Downloads\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Searches\desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links\desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\Admin\Recent\desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exetaskhost.exe

pid	process
604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
1112	taskhost.exe
604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
1112	taskhost.exe
604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
1112	taskhost.exe
604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exetaskhost.exe

description	pid	process
Token: SeDebugPrivilege	604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
Token: SeBackupPrivilege	604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
Token: SeBackupPrivilege	1112	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exenet.exenet.exenet.exenet.exetaskhost.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 604 wrote to memory of 1112	604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	taskhost.exe
PID 604 wrote to memory of 432	604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 604 wrote to memory of 432	604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 604 wrote to memory of 432	604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 604 wrote to memory of 1324	604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 604 wrote to memory of 1324	604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 604 wrote to memory of 1324	604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 604 wrote to memory of 1176	604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	Dwm.exe
PID 604 wrote to memory of 568	604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 604 wrote to memory of 568	604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 604 wrote to memory of 568	604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 568 wrote to memory of 1352	568	net.exe	net1.exe
PID 568 wrote to memory of 1352	568	net.exe	net1.exe
PID 568 wrote to memory of 1352	568	net.exe	net1.exe
PID 432 wrote to memory of 316	432	net.exe	net1.exe
PID 432 wrote to memory of 316	432	net.exe	net1.exe
PID 432 wrote to memory of 316	432	net.exe	net1.exe
PID 1324 wrote to memory of 392	1324	net.exe	net1.exe
PID 1324 wrote to memory of 392	1324	net.exe	net1.exe
PID 1324 wrote to memory of 392	1324	net.exe	net1.exe
PID 604 wrote to memory of 1644	604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 604 wrote to memory of 1644	604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 604 wrote to memory of 1644	604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 1644 wrote to memory of 1364	1644	net.exe	net1.exe
PID 1644 wrote to memory of 1364	1644	net.exe	net1.exe
PID 1644 wrote to memory of 1364	1644	net.exe	net1.exe
PID 1112 wrote to memory of 1188	1112	taskhost.exe	net.exe
PID 1112 wrote to memory of 1188	1112	taskhost.exe	net.exe
PID 1112 wrote to memory of 1188	1112	taskhost.exe	net.exe
PID 1188 wrote to memory of 880	1188	net.exe	net1.exe
PID 1188 wrote to memory of 880	1188	net.exe	net1.exe
PID 1188 wrote to memory of 880	1188	net.exe	net1.exe
PID 604 wrote to memory of 836	604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 604 wrote to memory of 836	604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 604 wrote to memory of 836	604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 1112 wrote to memory of 1772	1112	taskhost.exe	net.exe
PID 1112 wrote to memory of 1772	1112	taskhost.exe	net.exe
PID 1112 wrote to memory of 1772	1112	taskhost.exe	net.exe
PID 836 wrote to memory of 1956	836	net.exe	net1.exe
PID 836 wrote to memory of 1956	836	net.exe	net1.exe
PID 836 wrote to memory of 1956	836	net.exe	net1.exe
PID 1772 wrote to memory of 584	1772	net.exe	net1.exe
PID 1772 wrote to memory of 584	1772	net.exe	net1.exe
PID 1772 wrote to memory of 584	1772	net.exe	net1.exe
PID 604 wrote to memory of 16448	604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 604 wrote to memory of 16448	604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 604 wrote to memory of 16448	604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 16448 wrote to memory of 16472	16448	net.exe	net1.exe
PID 16448 wrote to memory of 16472	16448	net.exe	net1.exe
PID 16448 wrote to memory of 16472	16448	net.exe	net1.exe
PID 604 wrote to memory of 16772	604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 604 wrote to memory of 16772	604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 604 wrote to memory of 16772	604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 1112 wrote to memory of 16780	1112	taskhost.exe	net.exe
PID 1112 wrote to memory of 16780	1112	taskhost.exe	net.exe
PID 1112 wrote to memory of 16780	1112	taskhost.exe	net.exe
PID 16772 wrote to memory of 16820	16772	net.exe	net1.exe
PID 16772 wrote to memory of 16820	16772	net.exe	net1.exe
PID 16772 wrote to memory of 16820	16772	net.exe	net1.exe
PID 16780 wrote to memory of 16828	16780	net.exe	net1.exe
PID 16780 wrote to memory of 16828	16780	net.exe	net1.exe
PID 16780 wrote to memory of 16828	16780	net.exe	net1.exe
PID 604 wrote to memory of 17172	604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe
PID 604 wrote to memory of 17172	604	7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe	net.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:880

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:584

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:16780

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:16828

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:4468

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe
"C:\Users\Admin\AppData\Local\Temp\7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:604

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:316

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:392

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1352

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1364

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1956

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:16448

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:16472

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:16772

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:16820

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:17172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:17196

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:17184

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2024

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:2000

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc
MD5
014cb9413db5c3d1e8d7d16db795d357

SHA1
d22f63cc63873c9e2edaa8dca88e3b62f4022c2c

SHA256
c91871c285908129ba11b814a1f9fd5f76da2374498fa73b12c7a6aeda112406

SHA512
67e0b05b14a27f6d06a14622f7971e985289f809c4e5e4eb2adefaea145348c3f521754aef8320120fe5cb844532f96cfc7288c952992611a13dad56fda6809b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Acrobat\9.0\Cache\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wscRGB.icc
MD5
26cc0cbbbaa0ba60004a15738f69c56b

SHA1
bfb68adb4288839a4f824fb9907dee9d93c00051

SHA256
0b0e4567598f76cf13781a7f63eebe76fc804924b5619b1af0e6a336a11eec51

SHA512
f44314d910a92e6d24af5525ba23fb62be7604cf39d816152681310c4a05f13f3bdc717a84a31e942b44774c1a4bba69071be77be7e810c1ecd04bb12a63e6d1

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst
MD5
14a37196360f7ab8daa2017fa1df4833

SHA1
697834169d99e743ac533e641da0df568fa22a1a

SHA256
854677320c21ad801ef20e60e85db8272eaf8bf02ddd9aaaedbcc03cdb92b2fd

SHA512
1fb797a6b97485f5d21d8f1a03039ae1bcd70e731035ae98b755e0a1ef95f32b25fe4039a5cd80519fb105145699ddc5ff583a54b374f145d7136b93593401fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\ACECache10.lst
MD5
d4bf4909aa9b418895582e3b3b0e7723

SHA1
e397694178e70f62c844028c35400f12a469c37e

SHA256
1822c8d567b195238e373f8952532e85f5a5fd94eb0ef13b70d360ce55c29f59

SHA512
efb364f80481a9d4027d5b08837ba297a716c55dc1d7a154ed705113bc8235f26a4af7c79f4998e4a17cabe83a97e01a79a7a93c18c83de29e6adeb1a094a28a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini
MD5
b27f81ea9bea8287015dda6e11fd5755

SHA1
81d5fd0ae0ccaf62e50d0ae6e429aa6738aa1442

SHA256
a976b23a66494b428c6f0700a869adf67f9de73f1b08693344c082233d013dfc

SHA512
36157ad35199f3ecbaafbe5137cdbd1722f7057941689e5ad0c173f29dd161f5fdece6dbfcf6dd6d9ddd735f73fc22cf1433cc7b233a3cf11c8ed8250b0c1456

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db
MD5
bd04e87b225eb94b3922552c26f7d0d6

SHA1
3622e5ee64d4c35179ee0507b6a23d562c4cb44a

SHA256
5427dced9e819bb015617a01affc83cc0cf8fb73609ef996daebfe7d43122132

SHA512
9ac99e9a7dee46b2f4b758e1aaa74a105fa1cdd25670b8397f5754a96774eb32be08f9d9ed596f8c5e8173fa341d3cc5c7789cb236ed64c9e19066641cbec7f8

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00001.log
MD5
b55b4365ec2f23d34e3d3a7d1f154911

SHA1
e26c1a12978071960fd87ec408522b68a5acd07c

SHA256
845d01727535a5804b83bb208a75173eb75cc6d911dafbda2c6181207f0acee6

SHA512
07b0b7e6698cdef7cda6849f2746547f2b52b1b74f41ca926593a8c8ecc19cd7c1220bab5d5469b66da3f43fcbbc546b04fef4781b26d23687779c18cca12304

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Admin.bmp
MD5
8b2e355436bd0bca6ade0c53bbb778ca

SHA1
4d0ef586c18e48724c495a401ee05ecfe07a0168

SHA256
a98b0e1106191b7eb1f07b8163c1086f682c6e66d15da421bdefb37d64586c96

SHA512
9c914f9bc94975c0c9a53c6800518c6fac39c36c74273620ce2d9189b790029d16659be5a47f444ee5723865f7650032e6250c5d1fcae61826bfaf39cad5df7b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log
MD5
8ccdb9e5bda5079e23d226d8a454fc79

SHA1
ce4df2cb2dc78f77bf6064ee66a9832256ac59c5

SHA256
fa1ffb32a72536d8c8bf9764e06c958f059f488dd14baa84d789f9f61fbc1894

SHA512
226b9f8ea37d50ae818e76f07eed7933f7b9cd2778c9c2722843b5cf1e6d814f646bccff18b37d2537fb596c370de2118a30ef1693fc2a43e83ae5d838f0af48

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGIFCB7.tmp
MD5
27fc87797acaba765e0bf29f523cd87b

SHA1
3eda9ba253b2067c1d8785cfa22ff8ef7330e4de

SHA256
b8914a6b98a5412a3353ff65e655cf3fe21df32769ef401fff243ecb66b4ac43

SHA512
59ad1249c4bd56b1fa4566564b053e844649b1ed38fcf31284570d0bcbe5fff3fea46e892678c1ac546254be68e8765e9524c7f82872da45639f7fe8c2fec0b6

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGIFCB7.tmp-tmp
MD5
0abfcccdf8685533d2dfdc753c0f2f3b

SHA1
bdf2bfdad4e81021be944e50a0563dc2808c0f5b

SHA256
8aa6676af50ec903e139f210171074f7f344abf498cc0cc1a35bab5cf4ad9fb9

SHA512
c70227f6a76b5a6d249af81581cefe1c76085c03e8e18735826c7e3609fd58a712f48e3dc1779f9f97b59eae845b00ae8fb66f9f5e74e40e9bb893f3c70d2530

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\WPDNSE\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
MD5
daaee19745115f0f6e8fd66696ced3e1

SHA1
72de0111a5e21204db5425fe5e1bf24ac465ddd0

SHA256
48d064093fbf29ac392524a65bb8a1f54776a1b2f1e838a5232a1d26ce0a4623

SHA512
d14a64f7b1f8dab5c18702d4ccf87454e22413541f78e486e643c4c87b17e564f3a7e5a14651391f9e8b304b574e23f799c9c969007ad884a7b27fe5284bf935

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_SetupUtility.txt
MD5
bfe6998ccb5ff360e5c370adf26f0dd9

SHA1
c91a66241306357775b70534a3e5013f512e5d05

SHA256
e8d040a4fc0cea7f3f47a045c44fd553d9ab6288795c597a3bb1e877891a3ea5

SHA512
db461274785b66769d601fe7a31e4277ed74a5c66dc52e1dd4e18b314cb8a27b6286b4ce02f7042c41c6776ac5ba2ab4a8004f7abdc02abf801453619d53bf3a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI1E30.txt
MD5
6967b25d87b842568698ecb37abce46a

SHA1
8a1318a68f6c4f066ba2ba144454fa8724c12cb7

SHA256
7e1a43e2569504f451b86184e037db5871350f8853fd7cf4eda880c6cc115efa

SHA512
1fad000af4b3755567167d5503da2e659abc6cd14ae58a1a80d4508bd79f18e29f401dcf027631fb4aa8dcfb3169b56f1af4b976ac626f3a7a5c13c851b30df4

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install.log
MD5
0ae1d5be1a4b04be7cda6a71958e9e72

SHA1
ea68903f0a6697dc70edc9fe5db538983f719af3

SHA256
32061594378f9db5f9fc78ea644db87fe24a6b5bc19a7d11e7bfb5a0d5a613f1

SHA512
08ee16c6142368851c7986444021f12ddb9a055bb7e479b24ea6183dc28218def4eef2eb154e32e6f3bd0eac89dc7d9880ae7a380310eb4893a927bcb57945f6

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini
MD5
fad5ad4a8595abe2521c8fdb58a98996

SHA1
f969dc39f235069a5e07a5d70adeb399832e727d

SHA256
c52983bdb1f1161aa017ba8791359eb52d41d3506d228531603bf00279717a09

SHA512
6eba735d6d4c0977826bb52702c6c23eb67a4b68b18ce68b4cd30e4614846c9e5f92e57572b26fe665e9e5ab481128f08ce1c88eee119639845dafe214be1993

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini
MD5
7e8f1a3d4573258a1eec5867a208a190

SHA1
40c62f035bab6656f23ba6b92a8746b4617aa198

SHA256
295c4c8071e6bbb4387385fe44244c428c500858dd3313fe911b12a87105cd11

SHA512
b0dfd8ca535523b39d8b3649aa38f0ef16937ad5e9d12f7c148b1996f7fb2f93afb3951c9f81f30e139c0f9382b3de6651cb7f98c719b129f075a5fd814864b8

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini
MD5
9c666da527327612c0ba8b70a2a3c6d2

SHA1
6b7e7c01a92573b19bd9c32983e201b537965310

SHA256
dfc8feb18696fae1c9d1fa9cd4a277e13a72b0d8d7aa7eea8d869e3dd2fff01f

SHA512
ef59b0bf16ead987cc3a6bb288bb2e81ddc60bcffd9d2354a0ec227ed221d76fe4595d749bedf6f871a8b3278d896d8772d5531f45caf33b90d343921e175ee7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini
MD5
261a4386346e26b1ae3250aaec83508f

SHA1
2d124e70615167bd1c0658a282f33cc481663779

SHA256
fbe8e595029ecdc3834ff7d4388b26c1c2f53fafa3cb2120b9c05140d4dcb7de

SHA512
b21d0943d7a2d04bf723a4e35d4e15553889cdcf429b494010018bcf47cd95273b7355ef9bb16629f0955a4dc10d064d2bb9b0180ad2e318620b46c681117c11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini
MD5
996a6ed50213dc056f7095808f6f6397

SHA1
31f1c66d5c4eb2978e559eb62a2d1952eb43df30

SHA256
e4f1940cda1498bfe0029c5c8e982b08a5cbde79d2d7b4aff92aebeb8b376131

SHA512
d4d6d4290e740ca0427599cb887abc67219b5df42686ebac917a53e0ac56edd8c37d504e4cb7490c523d58d0dd6053de08ffba7da6206359d3cb448ac2ef275a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini.RYK
MD5
43cbcbcaac7c10df25a0a9a971470164

SHA1
5f2fdb45b48aff6bb89409d5768a8800d5f11048

SHA256
4f2f0acd8a08cb5a63df481a1cffa7cfc67c632a2245190d86324773226d86a5

SHA512
42209d943801a6ec048441a4c80a7e028ebcf2c1b280426e966248f598550d783f293937c00b8e80804db4fb6778af24956628a1593cf656c0fbe2d1a4d6e7c1

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK
MD5
324af71ab96814126f02ebcbb7ea7c92

SHA1
de0a94c696d0394d15b1b00f1c7b5844343d6800

SHA256
353f327215089198bc25452b21d9b2af5646bf522deb9d3d46f45f2376fc7cdf

SHA512
2c67fa79646c0915eb7ffd45f272ff3931575bb5f22b471d35c2390ee8a9b67acfcf5fd60f09041d902aa55893f45bc1db5477f1245ef173cb9018390e0d707f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak
MD5
5065b10dd40bb314594895d30c5a42e7

SHA1
146010526eaf565c37abd7b37875a303a0432c35

SHA256
d56e344952abb7c9833be7075ee9bd695e60e8cd77915d9642b5f17814d64eda

SHA512
b9576a87d259fe185563ea09e9d56e3e1e49410c731cfa316a7413b3b93b16776a0afdf4d2f9e1d23b5d86db0db69bd5cbbb106cf6ff62a638e1674f742d89e8

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\LocalMLS_3.wmdb
MD5
a31306420b1a1cc3ac6a92bf872cc0e4

SHA1
8c38b8634d511ba0d6fc978d1f71e10537f26d7c

SHA256
b0290943a3bb31b0a01bc096597645d596689e3a19316603038111f179c61d8a

SHA512
48ce14580a76ce6bb650052878e561a323382f7985afb2362033f5637ca4d7acf586c360d23928bc04ae70e69c13a2e55113f8036030ff3ae3662708d17c58a1

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\User\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.htm
MD5
15be8497c108ad8210dffb644458c45f

SHA1
c406ad1c9e6f56da6dc96396353b331f196cc351

SHA256
338544072b1fdfdef0ca7774fdb949db8e0cfbe38dbe91450670b20107cf1b44

SHA512
71ba6aaf9b77d05713db4fabba2e6bd407f703c8940bbf48abd7af1171424f6159c2582037d01bf26e31a3bd8f39be2f7a896ac6ee7780313bda8dfdb75a3048

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Roses.htm
MD5
1cc3496870b33725679dbd389f3f7c53

SHA1
ff03ab527da353efad2a344ddf0bf59454674786

SHA256
9ef629f312ac3f9e513531a170133d1124a3fc731155e36132bff7d1f08466e2

SHA512
a8ff34c3b2129262ed8bdaacbe855223a6d2ff0362798be95229d6ec13a5f9f49e2f0674b84ca4cf0fa4209e4695e47d205ca2ab5dab28544e760f5726ad170a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Stars.htm
MD5
7a7d65e9214e69e1247501a8a627d833

SHA1
5c202c61a525f5bc646b92496e714ab72e005d87

SHA256
d2c97debbd6dcf704d474c4dd7fe56f3b763e8d6b5f49135f570972b1fe4134c

SHA512
9fd91bb2e8c5c4c893231955fcfaca7898f906d0152b2667a84cfc5a5a7047fd8575d4a5b77ecb32b96db4094f70f17a526b6cc4e14d769ae1984727ddf87f34

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\oeold.xml
MD5
f5eff849442c3baae64bc20353ebe19a

SHA1
12bf93fb9f53e29e2516c461dcc89c150ec07bac

SHA256
d6d58ad7a00326e6217b674d9ea2a125f47850d728d1e405a01339166f5ce366

SHA512
49e6e71d62805fcc82e349f10d57b297714591fcd3642de2176ac2915c4e57045e116ebeda9779e535b0fa7bfcea2c366aff59e4bc573fbf152dbf16c941b3f8

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\Documents and Settings\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.txt
MD5
55b3bfb09c9b34a5800004bbc9cd87d7

SHA1
43fcc0be9f710cb7be8358908127cb31753f38dc

SHA256
3921b57959fe1fe6adac8f3e0af281395f4063d0537edfbcc1fa01f8d1700be4

SHA512
b4b6b947a967182a07c559d8240775ffd05279f6d4536f81d3a0b3ce46d24cca84b5da5e1d4973f68160cbfe20c02a899e2dbaa0b5117a8b0b20a41d47419efb

Download Submit
memory/604-55-0x000007FEFB531000-0x000007FEFB533000-memory.dmp

Filesize
8KB

Download
memory/1112-57-0x000000013F410000-0x000000013F7A6000-memory.dmp

Filesize
3.6MB

Download
memory/1112-56-0x000000013F410000-0x000000013F7A6000-memory.dmp

Filesize
3.6MB

Download
memory/1176-59-0x000000013F410000-0x000000013F7A6000-memory.dmp

Filesize
3.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads