ryuk | 826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec

Analysis

max time kernel
161s
max time network
141s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
Size

206KB
MD5

c75b0beff52189aed827839bea3e5da4
SHA1

e9b20948b82eee88081cebe2d62408871dbe601a
SHA256

826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec
SHA512

4fe591ab12f1245f7f16efea215679321ff415b879cacfa373824e6f170d08ffcf650783f835fd219abe240b7fe0fd48d4f1dad0e4b730e7e72fb6433b6b8a9c

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Only we have exclusive decryption software, suitable for your situation. More than a year ago, world experts recognized the impossibility of such encryption deciphering by any means except the original decoder. No decryption software is available in the public. Antivirus companies, researchers, IT specialists, and any other persons cannot help you to decipher the data. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM � files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us a [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops desktop.ini file(s) 64 IoCs

Processes:

taskhost.exe826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Recent\desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\Admin\Searches\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Maintenance\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Saved Games\desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Maintenance\Desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\Admin\SendTo\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Music\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Saved Games\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Contacts\desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Searches\desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Contacts\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Links\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links\desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\Admin\SendTo\Desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Desktop\desktop.ini	taskhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exetaskhost.exe

pid	process
952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
1108	taskhost.exe
952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
1108	taskhost.exe
952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
1108	taskhost.exe
952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exetaskhost.exe

description	pid	process
Token: SeDebugPrivilege	952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
Token: SeBackupPrivilege	1108	taskhost.exe
Token: SeBackupPrivilege	952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exenet.exenet.exenet.exetaskhost.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 952 wrote to memory of 1108	952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	taskhost.exe
PID 952 wrote to memory of 1808	952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 952 wrote to memory of 1808	952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 952 wrote to memory of 1808	952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 952 wrote to memory of 1164	952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	Dwm.exe
PID 952 wrote to memory of 460	952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 952 wrote to memory of 460	952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 952 wrote to memory of 460	952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 952 wrote to memory of 1504	952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 952 wrote to memory of 1504	952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 952 wrote to memory of 1504	952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 460 wrote to memory of 1816	460	net.exe	net1.exe
PID 460 wrote to memory of 1816	460	net.exe	net1.exe
PID 460 wrote to memory of 1816	460	net.exe	net1.exe
PID 1808 wrote to memory of 680	1808	net.exe	net1.exe
PID 1808 wrote to memory of 680	1808	net.exe	net1.exe
PID 1808 wrote to memory of 680	1808	net.exe	net1.exe
PID 1504 wrote to memory of 844	1504	net.exe	net1.exe
PID 1504 wrote to memory of 844	1504	net.exe	net1.exe
PID 1504 wrote to memory of 844	1504	net.exe	net1.exe
PID 1108 wrote to memory of 1512	1108	taskhost.exe	net.exe
PID 1108 wrote to memory of 1512	1108	taskhost.exe	net.exe
PID 1108 wrote to memory of 1512	1108	taskhost.exe	net.exe
PID 1512 wrote to memory of 1552	1512	net.exe	net1.exe
PID 1512 wrote to memory of 1552	1512	net.exe	net1.exe
PID 1512 wrote to memory of 1552	1512	net.exe	net1.exe
PID 1108 wrote to memory of 1412	1108	taskhost.exe	net.exe
PID 1108 wrote to memory of 1412	1108	taskhost.exe	net.exe
PID 1108 wrote to memory of 1412	1108	taskhost.exe	net.exe
PID 1412 wrote to memory of 1036	1412	net.exe	net1.exe
PID 1412 wrote to memory of 1036	1412	net.exe	net1.exe
PID 1412 wrote to memory of 1036	1412	net.exe	net1.exe
PID 952 wrote to memory of 1940	952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 952 wrote to memory of 1940	952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 952 wrote to memory of 1940	952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 1940 wrote to memory of 1700	1940	net.exe	net1.exe
PID 1940 wrote to memory of 1700	1940	net.exe	net1.exe
PID 1940 wrote to memory of 1700	1940	net.exe	net1.exe
PID 952 wrote to memory of 5240	952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 952 wrote to memory of 5240	952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 952 wrote to memory of 5240	952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 5240 wrote to memory of 5268	5240	net.exe	net1.exe
PID 5240 wrote to memory of 5268	5240	net.exe	net1.exe
PID 5240 wrote to memory of 5268	5240	net.exe	net1.exe
PID 1108 wrote to memory of 7400	1108	taskhost.exe	net.exe
PID 1108 wrote to memory of 7400	1108	taskhost.exe	net.exe
PID 1108 wrote to memory of 7400	1108	taskhost.exe	net.exe
PID 7400 wrote to memory of 7424	7400	net.exe	net1.exe
PID 7400 wrote to memory of 7424	7400	net.exe	net1.exe
PID 7400 wrote to memory of 7424	7400	net.exe	net1.exe
PID 952 wrote to memory of 7564	952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 952 wrote to memory of 7564	952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 952 wrote to memory of 7564	952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 7564 wrote to memory of 7800	7564	net.exe	net1.exe
PID 7564 wrote to memory of 7800	7564	net.exe	net1.exe
PID 7564 wrote to memory of 7800	7564	net.exe	net1.exe
PID 952 wrote to memory of 18340	952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 952 wrote to memory of 18340	952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 952 wrote to memory of 18340	952	826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe	net.exe
PID 18340 wrote to memory of 18364	18340	net.exe	net1.exe
PID 18340 wrote to memory of 18364	18340	net.exe	net1.exe
PID 18340 wrote to memory of 18364	18340	net.exe	net1.exe
PID 1108 wrote to memory of 18400	1108	taskhost.exe	net.exe
PID 1108 wrote to memory of 18400	1108	taskhost.exe	net.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1552

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1036

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:7400

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:7424

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:18400

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:18424

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe
"C:\Users\Admin\AppData\Local\Temp\826ab21b35cb73a12a56002c87c492d0192e85f912627e440f49e2d2777942ec.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:680

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:460

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1816

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:844

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1700

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5268

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:7564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:7800

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:18340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:18364

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:2948

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:17920

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:1640

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst
MD5
5dc1a9ef13d0a6406d1222756737dc92

SHA1
43103c9bd78daeac12cfadc3a31a0b0e84b67dfd

SHA256
cbba7156041f0286bc6d700381355075b1c6b734ffcbfc81642e1b3d95fd41cc

SHA512
92864027890bcef658eaab314ac2891c05724a6eac7af975a012ebd4285fc5ee4a1233dbc807ffdd0b60514921dcbae62bf7f5209216c5d656f14431fcf43169

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wscRGB.icc
MD5
6cbb9128f0c02864f9269e2bb024144b

SHA1
e54440e9a53d86e9bbb6a8f9ca164ad809ad29d0

SHA256
16b3a8d8369d5de00a712f391e49dc355cf11aa5571bfbd2e72a7a756efb1a8e

SHA512
3e263f223b9f66a685d7aa5f762348fb9acdf7f5de82a244b54bcc4b9a866ec954e8d316e2490bc0d97070e8a30798fc2e42b148ebb6227fb69a1665f4187c4b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\ACECache10.lst
MD5
4febd6d0bda90bab7bf9c3b66619c6c8

SHA1
147a3f3288c7e9edd585756b269a0ad07dcd59a7

SHA256
4d1a74393bc6b2dc703ee9dd864c9dea9ac1e996890bef1f9c4124b2409c051f

SHA512
807d0013edb379dd8f00c7d897e1e6ead2b03e5628c49a5da3fd31c933f4f6a09f87d857f7834215259a611ce5f3344470a94bbf3e80bebe2e3b8f1d8f1dd55a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\ACECache10.lst
MD5
4febd6d0bda90bab7bf9c3b66619c6c8

SHA1
147a3f3288c7e9edd585756b269a0ad07dcd59a7

SHA256
4d1a74393bc6b2dc703ee9dd864c9dea9ac1e996890bef1f9c4124b2409c051f

SHA512
807d0013edb379dd8f00c7d897e1e6ead2b03e5628c49a5da3fd31c933f4f6a09f87d857f7834215259a611ce5f3344470a94bbf3e80bebe2e3b8f1d8f1dd55a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wsRGB.icc
MD5
1745fe02ab278f40a8f42aa17cfe1a05

SHA1
9b7bba5a9f8ec71964a8ef16fd37e3d026e438ce

SHA256
0d87763de56b831e231f6e89769643755afbaeb896536df9f81dd86b2602cfc1

SHA512
f739b872cbce7a2e2e60f369722efbc3d8f10e2f4d76a7037c2fa005771b1d3a20e936e6822fd627ee8304f9859665e009a5fe43c45875c901ce21905a55eb17

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wsRGB.icc
MD5
1745fe02ab278f40a8f42aa17cfe1a05

SHA1
9b7bba5a9f8ec71964a8ef16fd37e3d026e438ce

SHA256
0d87763de56b831e231f6e89769643755afbaeb896536df9f81dd86b2602cfc1

SHA512
f739b872cbce7a2e2e60f369722efbc3d8f10e2f4d76a7037c2fa005771b1d3a20e936e6822fd627ee8304f9859665e009a5fe43c45875c901ce21905a55eb17

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini
MD5
e0230b05aa9790880f8ad2cdac842acd

SHA1
474348e0626f799481fd3358217ede0babe835de

SHA256
3dea015de97e7caf84e8d35d949e904dd878c88ad4c299718e3f722368ae4852

SHA512
964f420c23d6ab5963dc9f7d8ce0861d408c4a5b926bd4e2679768e099580175e65ac238726de1c9e0a1ba3084d350f9cccca7bb9a7818366d80abf5f02f0a3b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db
MD5
10ac538b1a01ffa98a49e5255d91a2ab

SHA1
2ddf71f2b19e8d059c3bfe5518d909ccc84529b7

SHA256
313439267ac0fc66365e35aade4517705bef6fccc3a0b578868852aaf15d02ff

SHA512
398970f2545ba56c220f281357eca126674ce394f0353a1de0d4157e24b23cab5b100173912a5b0bcb053c85a7f0a10cab3e5cc2af4f879188ee3bc665ec0508

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00000.log
MD5
6ad5356254bf9fd200c820a27174b14e

SHA1
d8ed2165769d3938298110b519c50a781cafee86

SHA256
bbea436f01ab5f792fd198197c8cbe3367ca40832a6b9bdce5b89536dce78693

SHA512
1c6ab0edf310bbbead2d735d5921c1d2b8a2a27e5f85b06aceb389f3aa2636a8a3e2673486c817eaae141fbb14277d56c97719b14bf030d06a1d8a2d4e11548e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00001.log
MD5
e2d87f81bb88f8c65345c90f3d831ead

SHA1
318b43ed04529c2488729fa8e0cd736c3bab9d91

SHA256
12493d3d55d1aa9a5025387531bc03b09fade1196d441a0f2a724a7dc72224b8

SHA512
bd6b15a48c668aa502a1339bc60361c2d8221887306a85b7a71be00ff6d7f912b311362798966a067fb2ce6fc3b34592830b5ffa988c598ca8e6255af2cacce2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log
MD5
2faf4337bb8ce001665b27678efbbb02

SHA1
dc2ede457a1f871a5a17f1fda4fdfc8736178794

SHA256
ea16864faea2f78002c49da3b4d2ddef81423a82e84beff95177dbc5e4d6224a

SHA512
249b5c55d9e53956219321339b81c9b04248680f06c11e3a4d1d5d7de7a36934e19258c6145a5278b3b86f72bd3fceb77af6a36ea4c035eba898740dbffc492a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\WPDNSE\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
MD5
37fb78ba892e3c221aaec3bc3cec21b2

SHA1
12cb3249c2899d113548c34aa8486fb012e2840e

SHA256
50cb8c228673f7a17d67f8a76792f7f9b18ec3faabc37e7b6e1a7c1fd57d5ac7

SHA512
157ddb0e40b078e1587663eaf93fce758988f82b023d4b45c201498f4c253e0797a81c7b3db97d9bae461638739eaca341f140455e66f7365755eedfabbd8cfe

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_SetupUtility.txt
MD5
27cc0e8b2c1a930981b21870d216f3f3

SHA1
4d33632a8060bbb242bc52c26c10c39b11b14a46

SHA256
46bb343100856f49c5a99585eecf917162d6741282b9316a27709a78db2f6ec1

SHA512
83bbc1f91fc9d6ab0ed795248cd6a329a761d0d2e78f17bfe441bbc7235f1851366eea47cc248f634a6455e40ca892c2ef858f2052d50c80967eabc6ab6e9e01

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI1E30.txt
MD5
f06cf5d430d930e6caaa03745a3d73e6

SHA1
6efbae410ef3d4eacfa0e545fec50a053b6a222b

SHA256
eb98b2ada687f120336c1d93ada4b98aaecc3e7615ca358719d10d54dcdc0cbd

SHA512
e0d0cd91db5ba529ae591d879b66f86adfb31cbe0514095b550c5b41e4d6d245a316f7c851778159dfe2d6040ca066af144293d44b09b275312bfe2ef5654254

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log
MD5
cc7baefe7415c5936b24e614f5a1202f

SHA1
c3e2526555bc81a59c5343567d5b0906accc9607

SHA256
97590fc7de7d21d7d349d3cf413d0aade66fdc3839292f5132718ae338a064ce

SHA512
1cb723b37ae82dbfb2e08bcb13d2c8bdbeb0bfe5deb5302ae8a1da9b46619fe08a444cab7c1a7288b7c98e7efa906ef61f8dc968e2b0d3fc3410b868f873d035

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini.RYK
MD5
e489c3a5f0d17b9ae35676856c9fa7a0

SHA1
d55598f9567bf912c0e116f6a43bbcda318cccf5

SHA256
9a7cef78475081d58c9f40b0a1d64f69a23e9abbc5f72762783f793b690ea355

SHA512
3ab5d4a1a084d9543effd7149794174f3e2fe94016da860b0166259b048b98ce481376e210fea2d1c94eaa654796c7025b5baae65de523639bdcedefa69f2c23

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini
MD5
d5551eaf434e8e41d0d3f07a38b34a6e

SHA1
eab16c6bfa412f4bec5fd776c4c05225332ab95f

SHA256
263cce4a06561a3caaccc4e4b1b3253453eb6fb4fec6168851cb1f193518d437

SHA512
1a58e3ce6128731d6b9e50bd473e808a7bcade7169a26764ee66e600c11cfffb1d8561faf7db986ddbbc1f9c79e0c0a7759c62727285eb6381aa43d4fe5de766

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini
MD5
a6ab9df3e71726be91f95ad9f8ca20ab

SHA1
60ce88be3719bc430186af227d6ef4568915bf22

SHA256
baf6ec8f8b52006b10873b65cb9d48a916acc3f7437151a2d17f01f2a1ffd980

SHA512
b1995d70d557f132aff2c8c7384610141c89828379b62bc81f4ae32a27b4d347b3abafa4d2f8c2feb5192fef222574ecde4f1384fdd4923ce9768068e4035acf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini
MD5
f4d52d4a4e4f4baa30bda84a2e6f7894

SHA1
b3c60fed393fa612471874c14def67e6e9f02403

SHA256
836cd82b27467f40511fbdeca7174295b6838241ae7f919acf84c849d039daeb

SHA512
26b7f06fa875f8110142252431b85ca335deb4aa1155de270fc51057790f3446f7a2f4a0684138a200d37492922c194a2dac0ee0c34114a64ca8ada92924299a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini
MD5
73e698852dbc216501b58c6b94b70932

SHA1
9f4ede591e4fa20d6cab578d8ce43e5b7b88dac6

SHA256
89d3eeb56d275dad974b8b34b18d0022f33e9561fd9bda9dcc03e7b7a8701e9f

SHA512
9e103b296eff1b0ef052a4e5617575609d38d0dc51230467f5155507ed6585974e797233947dfa0277623e8b2688371806117245455441b7163ec77c0be61a4a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini
MD5
9c026d7d502707acb7e6efe51f19f104

SHA1
fbd77fce2d5efd097b72b3ec00bb6c1c6060b30e

SHA256
df7a5bd7ed07476f25db9e4e65b86e014e32c5138ce3803ba1807a9dd83b009b

SHA512
6dd904ab52658565a434b954bbf773fee70a26f6ba33cee50bcb36dbc625f3e43604f2d7aa00e2386330e0e715f7c6876a3ccdaf0abb1be12659c82978e84f4c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt
MD5
06a6fb6c8669b4bae93da5f6e6b2f510

SHA1
156a40b5be0671a716739a7968f7d4e76a59a170

SHA256
4e9dfdbee940576dae538f03173ecf724053a53df394ae4c1c60d3453246c876

SHA512
2f923aa93c10950b6c4d40168aa7230ffa68432657a53530f275e3cd907abd9d941fa4ce5c3a020554663fca580f853d2b86554a4727eba1681f001986de448a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\LocalMLS_3.wmdb
MD5
54d8b11f40d811e7cd350c75d45ae7d3

SHA1
c19f8b685ae88de55171bb881a6effae60ddb8f5

SHA256
3cbf4102d5fca7d99e0d000651de077764041444bcb051581e9664d8022ecfda

SHA512
4943fd9daef6f804b2dfa9fb022d3243b4b07b3d0e999d311c44d2ee134cfe8ce587253e7481a988a1de0345f326252f7dab22c3d5fbfc5eed39502b58364166

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\User\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.htm
MD5
1b6aa1f0a8f59980a789bfd051dcdf3b

SHA1
8b572683e61b1cd79bced6283699e2246939dbc4

SHA256
bdf6ec3b1faf9ada775594479091a27bdda769efd374d7c6bad4014cc91dab83

SHA512
20d4c4b6d4f1f7da14c83cb40cc851c8a75134b40a53d61a6164e342cab566fe32517b15764170da94f572b81cd897fe9d79543c8389882781f36dfd944b1f44

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.jpg
MD5
36d05e801037e69a8f4a839b09f09251

SHA1
58f0b14feae1b833d568c50d7f94277efa99fc60

SHA256
2c906c4068e1e87a9996d355ef0dfa652ba1aa4bccaac273e0ac779842df5d4e

SHA512
f9e4f24748f647d8d6d12ed6066c6c65b76e9d41ab0b1970878c8334236da2a38d60543b62fc9401e25ec3fb95bc3660326b30c287c433c58ad95db67e327552

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Music.emf
MD5
856e6d107f3670a93463faee20bdd8c1

SHA1
3a0eadbfe20b351da77f3497c2de89dbf68fec02

SHA256
af77850e8cac43d1d396fff07ccb58bab29f7bc3e5ebe90b4e8b8dcfba9d1cbb

SHA512
d00347fc99abf7c6ea4be6420145c98708460f869f061f0308a2585397981ca83b6eb481fdab0f0dc463e57df96cfd86f45b97b8e711cddb9810d0187a083a6e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Roses.htm
MD5
ed933b04c12b450a190f9183d5ddda2c

SHA1
ab08e4700a75dc080be7df0bdf7b891a8b0d05ad

SHA256
1d34be6f9b03bcb639a9c20240f963704c4ed43790ba8af8522a7f634245f7a8

SHA512
bc50349a15a3b5ec4e94cca2a560586b51cc12be7b2006c3fc3d11440817d8f4b98affb734c0c48cdc2e4ecd1786edc257cd173f90a88d337d4aa2b4c3d9a228

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Stars.htm
MD5
4bdc46caaff5e81c5c6e3e7e61048bd6

SHA1
8aaaa8ebc821d34821193ca5f8736f2939b225b7

SHA256
05d7d059740a2cbb2fea610d6f11a6dab90bdf4c33a78eae66acd5951e6b0b9f

SHA512
f397e20773597aeaf2ebf8abefa141f49446c327d7289fd654bede6cb104372980715b9c665c92229ec9d8862cbf8e28277c9f7e0f3d7b64152aeaf43c4181ac

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Tiki.gif
MD5
529d947df1021efac988d9ccdf326933

SHA1
d89288926c07c4fa3217bbca5fb8fe15fe6c7325

SHA256
212d2a6cb3ed4c27671551728b2a70a421b0673e918a568471e3a051c5ad0f78

SHA512
9e68bc523d3ee32614af92fcb15142e7152f19d29d60394099eec84fd83d7c104185c452ba16bea96aba345751de48b075730e6f63b8e611524d16433af59545

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.log
MD5
9939ab72cd3a8bb01a812d9e8bf187f7

SHA1
1a5e28062e27bc26323a8affb44b7f182408775f

SHA256
0dcf546bb9a03e9bec07aeeb6632beb163035f816aa55da361f1c69bb8e7c02a

SHA512
d4f84455445f002a7ce36cd27052ff26a21dc7405ce890920a3cb5d9afede2ad31ebf019a73b249d0c4fb819b873bbf49fd056b81ce4ab333ade19abed961145

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\Documents and Settings\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.txt
MD5
cb5d95f637eca2e4b1569e7bffb089b2

SHA1
bdfa47e53cab9681ca4710bdfd4ddd7c1d05610a

SHA256
dcf795f6d7ece291bb9f407cb40facaf1ab68fde5c492b3acf01183ab22dbfeb

SHA512
a5c143d1b3ed5b4c99a69641b0df3f48cb05a2ec28c02a544b2fa391f6b911a5841f9c55244acffb08a06deaba8734d739344c144dd31e3d3e37c4493f282831

Download Submit
memory/952-56-0x000007FEFBEB1000-0x000007FEFBEB3000-memory.dmp

Filesize
8KB

Download
memory/1108-57-0x000000013F6A0000-0x000000013FA37000-memory.dmp

Filesize
3.6MB

Download
memory/1108-55-0x000000013F6A0000-0x000000013FA37000-memory.dmp

Filesize
3.6MB

Download
memory/1164-59-0x000000013F6A0000-0x000000013FA37000-memory.dmp

Filesize
3.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads