ryuk | 748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43

Analysis

max time kernel
158s
max time network
146s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
Size

205KB
MD5

9a93f9da4f9556fde6ba47ed634bf5ca
SHA1

56d1f6d60411119dbd5e58581af2440cc6acc78d
SHA256

748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43
SHA512

9f77b6f8c0847d1a9f4aacd75bac316e204b1d18cf83d23fb189e0b6bc8ac06e1307cb0bea2d0d9d030d930fc22a9e661a6097f073168e6f3260978f7b614e9e

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Only we have exclusive decryption software, suitable for your situation. More than a year ago, world experts recognized the impossibility of such encryption deciphering by any means except the original decoder. No decryption software is available in the public. Antivirus companies, researchers, IT specialists, and any other persons cannot help you to decipher the data. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM � files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us a [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops desktop.ini file(s) 64 IoCs

Processes:

748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exetaskhost.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\Contacts\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\Links\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\Downloads\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Music\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\Desktop\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\Downloads\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\Recent\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Music\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Maintenance\Desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\SendTo\Desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	taskhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exetaskhost.exe

pid	process
1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
1224	taskhost.exe
1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
1224	taskhost.exe
1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
1224	taskhost.exe
1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exetaskhost.exe

description	pid	process
Token: SeDebugPrivilege	1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
Token: SeBackupPrivilege	1224	taskhost.exe
Token: SeBackupPrivilege	1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exenet.exenet.exenet.exetaskhost.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1624 wrote to memory of 1224	1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	taskhost.exe
PID 1624 wrote to memory of 1348	1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	Dwm.exe
PID 1624 wrote to memory of 460	1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 1624 wrote to memory of 460	1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 1624 wrote to memory of 460	1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 1624 wrote to memory of 636	1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 1624 wrote to memory of 636	1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 1624 wrote to memory of 636	1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 1624 wrote to memory of 964	1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 1624 wrote to memory of 964	1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 1624 wrote to memory of 964	1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 460 wrote to memory of 1196	460	net.exe	net1.exe
PID 460 wrote to memory of 1196	460	net.exe	net1.exe
PID 460 wrote to memory of 1196	460	net.exe	net1.exe
PID 964 wrote to memory of 1156	964	net.exe	net1.exe
PID 964 wrote to memory of 1156	964	net.exe	net1.exe
PID 964 wrote to memory of 1156	964	net.exe	net1.exe
PID 636 wrote to memory of 1832	636	net.exe	net1.exe
PID 636 wrote to memory of 1832	636	net.exe	net1.exe
PID 636 wrote to memory of 1832	636	net.exe	net1.exe
PID 1624 wrote to memory of 1488	1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 1624 wrote to memory of 1488	1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 1624 wrote to memory of 1488	1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 1224 wrote to memory of 1128	1224	taskhost.exe	net.exe
PID 1224 wrote to memory of 1128	1224	taskhost.exe	net.exe
PID 1224 wrote to memory of 1128	1224	taskhost.exe	net.exe
PID 1128 wrote to memory of 1164	1128	net.exe	net1.exe
PID 1128 wrote to memory of 1164	1128	net.exe	net1.exe
PID 1128 wrote to memory of 1164	1128	net.exe	net1.exe
PID 1488 wrote to memory of 1616	1488	net.exe	net1.exe
PID 1488 wrote to memory of 1616	1488	net.exe	net1.exe
PID 1488 wrote to memory of 1616	1488	net.exe	net1.exe
PID 1624 wrote to memory of 1088	1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 1624 wrote to memory of 1088	1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 1624 wrote to memory of 1088	1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 1088 wrote to memory of 1904	1088	net.exe	net1.exe
PID 1088 wrote to memory of 1904	1088	net.exe	net1.exe
PID 1088 wrote to memory of 1904	1088	net.exe	net1.exe
PID 1224 wrote to memory of 1928	1224	taskhost.exe	net.exe
PID 1224 wrote to memory of 1928	1224	taskhost.exe	net.exe
PID 1224 wrote to memory of 1928	1224	taskhost.exe	net.exe
PID 1928 wrote to memory of 1728	1928	net.exe	net1.exe
PID 1928 wrote to memory of 1728	1928	net.exe	net1.exe
PID 1928 wrote to memory of 1728	1928	net.exe	net1.exe
PID 1624 wrote to memory of 5216	1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 1624 wrote to memory of 5216	1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 1624 wrote to memory of 5216	1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 5216 wrote to memory of 5240	5216	net.exe	net1.exe
PID 5216 wrote to memory of 5240	5216	net.exe	net1.exe
PID 5216 wrote to memory of 5240	5216	net.exe	net1.exe
PID 1224 wrote to memory of 12476	1224	taskhost.exe	net.exe
PID 1224 wrote to memory of 12476	1224	taskhost.exe	net.exe
PID 1224 wrote to memory of 12476	1224	taskhost.exe	net.exe
PID 1624 wrote to memory of 12648	1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 1624 wrote to memory of 12648	1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 1624 wrote to memory of 12648	1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 12476 wrote to memory of 12888	12476	net.exe	net1.exe
PID 12476 wrote to memory of 12888	12476	net.exe	net1.exe
PID 12476 wrote to memory of 12888	12476	net.exe	net1.exe
PID 12648 wrote to memory of 16412	12648	net.exe	net1.exe
PID 12648 wrote to memory of 16412	12648	net.exe	net1.exe
PID 12648 wrote to memory of 16412	12648	net.exe	net1.exe
PID 1624 wrote to memory of 16996	1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe
PID 1624 wrote to memory of 16996	1624	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	net.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1164

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1728

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:12476

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:12888

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:17080

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:17104

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1348

C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
"C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:460

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:1196

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1832

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1156

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1616

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1904

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5216

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5240

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:12648

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:16412

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:16996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:17020

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:17116

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:17140

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:1768

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst
MD5
e2403d8a71e63b3177e51f3019d53c7a

SHA1
755c3bf73b5186f3ee10a6eba41d924a60597847

SHA256
ecb7ca612c75d48c113d60e4e1641363fe228a59a795c82e6533ba11cd1710e9

SHA512
181220e3f13606f7da40fa2a7b9916fb0d25408a2ca6af75c1f78b5f65faf782759b42ded5dcf5907b8501b44439e05550105e350cf397cb9e2208077aebbbef

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wsRGB.icc
MD5
32053aced789212e60c7d73a2fba3a8e

SHA1
cf6bf984632acfcf6b60317e142e1dc517c1bdf5

SHA256
5f1bc2eddde86732376970078c3bf450680aead06e9b14449aa083975f50398d

SHA512
7849c2b6eb3ef4639e201d7e05031f20727fe9f3b372d74d967a255e0ea98114ce3e05ddf928fbd3f387ecbf90833029cb4a907f5c1ef2ffea1087f8cbcae692

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\ACECache10.lst
MD5
39d1fb2ce162b38b8a75a8c8c6e38d32

SHA1
b8ba911c0c71a00106f1a328cf41c567594bad33

SHA256
b4f928b4fc7e59999a970e0c10028a02af3420a7402640b20965c0681978e344

SHA512
d9858f1edea76df63e62d05f0055e1b309cbede2819207741d3a1cb1d01f81ae9538c1fbfc38fe2e83054a8598222d5acc7bc0741f098be9c1c6a599dfc117f3

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wscRGB.icc
MD5
4d014e49d3ff498d0ee31f4697b9def8

SHA1
e1aa9876f2ce3f1ec5269510f2335f113e54b780

SHA256
78b1b5895bd8ae9fc5c0d38c74490526c7df06fd521fef82cf52181b496e75f9

SHA512
3cd04be3e170d07f5b09ef4cf2671763556d56fc594d753c4af61595cbdc1c0520aabf5f4026f8fbca5117716e16c3c83c14789aa642ab2438ec8e701d58a799

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini
MD5
6eb51fed22ed003209bb8fc4fe1c843a

SHA1
de342353f0337b7bc5f2c8d5de990972461a4966

SHA256
afd3feba4817ab5a289ada776d7e7eff73018315bc1eef4d94c1913b956083fd

SHA512
ee8b2caf65f29ad7a12022dde40941bf99d4fbdb1eab96b235b91d442426e96449aecf40361f3a4b56ef575132535d84f4b8c6994eb37f64e7c90d2e560c31e9

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db
MD5
25dcbf7befbd7cfdc523fa6c22629fce

SHA1
7b52428a8e13b62dd9483e09cacacf6b435e4545

SHA256
ca09597fcc482304730317c2afe7b0e02877256bd946f917c04d871ce3c8616c

SHA512
75a2c4dac0478ab726cc60cce7731eb9565757bfc4aa987d59a19b3d4415d36d50c85ec5fb3bac3efad3fabd02f59a2d447b15d9980d3d5480670209ef4ffa1e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00000.log
MD5
6015568417216c5640fb297503a8369b

SHA1
41b6e7603cf7c791b3831aaf7792c37ea218d1d2

SHA256
72ec845174bbaf6835a08bd15fa56c7fe6def292d78ae308ddc3546209fc4b81

SHA512
6deb909122647c7fd8c88e29106fb963f4e1a48fa78448a79054cf31a17172502c8cc67b5b24d52b4e93eb277b783347436dc638d0cb1065cbd2129dcbb99a2a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00001.log
MD5
554c8ea709dc506a9f3ad6a899af4fbb

SHA1
b952135bba60b108de4409d07f673acfbed8c259

SHA256
88e99b9ad9bd546fec84f290c6237ef40e72bbaab227cc54a97c9372b523398b

SHA512
0e89184ab304229befc528db0b4d15553f8470f2438d39b3c4810321aecadc47815e77fc221781eaddfe7c8399c2bf99289e3fb2101be7761c83ce6dad63efa1

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Admin.bmp
MD5
411064fd1804975db153ba5b0cbc231f

SHA1
6bf5353eabb192ad41039adde7a738b729b59475

SHA256
1b4f6552d842122281b1c2e879adfa771b803dbc12b832bccf61d0d46bb28de6

SHA512
982522f4ccdf2b5e80a07caa6bf81cc8d92a014ce9cd55604fd0170a06810afaf7b8c6ec240fb0f05c8a29af6103d0e3973534aaa963125630e2b1bb3663e227

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGIFCB7.tmp
MD5
f1b81d53723b770f6df0283acebb1743

SHA1
d3aa022791bbed8626666ad04a1a2f94436b2b8b

SHA256
6e4130535ea042afd7bfd120ea0d099e9367f7b19a6a434f89b92c42bb772cbd

SHA512
59a84a4ce6c8cd8f1d106afe3d359b1b3f006741b7d9e38fcd300c9516ce8b50b0d6063c6ff258c6486656a89f874cb3e2fe13dcac963ab26e786b4f907d580a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
MD5
c11cac3c5c57ce49d8bd24886b67d096

SHA1
0c293f0ed269a99c1fa66316470eb2f0f40d603a

SHA256
83482ce4468d3c32dd20362423c6788b3ecd1766f4899e5563d2abe77282bc82

SHA512
f64b507d8c823d277fa889b6d5beb38e087b02977ffddabdcdec8fae28e5891c64c0ff7f70130083e519bcc22c7dedfb118dea0f870bb90e5a285de41f707a00

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_SetupUtility.txt
MD5
00fd75a331bd5c023da7bfbdbe306c30

SHA1
93d5b2939bbe845c7a60c50b54b687924999d559

SHA256
a5b6c88471cb6112b42070d07f2da8e72cce558c991a568c33926262059a35fa

SHA512
2bf50e61ec3fa7f0709d1c71aa4e3aae6953ab0c3f9abaf3414aff72215b8f99524f67931835b8f5de9b5aae36123ad7c622a68743fdaf16e3810735b8a976b1

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI1E30.txt
MD5
6a55bf19bf45a2a6e9fd131897287106

SHA1
616432943c3a1eb76b6b00fa12469248756f97ca

SHA256
f7e13f12137758e08215040a502e599a03b681ed1a3a5f8d4aa080310fdd7e59

SHA512
bb37dcaee836e99cca5aa9b74ca04f2df4180d7645dfd462c2d60c6f9ee1118bd451a53910e16a75d79c7825fa4225d554cab11c8ff1607ce0506afe3356bcbd

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install.log
MD5
7b4b480e49e92a7d884e072b6fb1172d

SHA1
15cc3f7698f7218785a4bd2da3da2ec0b9c5c240

SHA256
70d3fd087eb03f15bc4c0489d191b4d5618bd8ef9c3fb2bfc20b57667a95b973

SHA512
cf0a27728b2cbdf64ea77e67462b6318abc3081f7a0018aaec61d8c03332cc48553c9399339dca8fdf1b6b55feb8ca0e4ece9bffc79e0d182b718f78223cc979

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log
MD5
fb0d87ceb8d2e4fd13feba583a2c4d9b

SHA1
6364e896b0f1977203eef36468f9660a3d52e02b

SHA256
cd085485f43b5518df96ffc36cc3d3dcec0c5a1a20d59eb80a3e4fb95b5eecd2

SHA512
0dbf5364ce089d4d767e3538704ba48558a2c7ef18836703c3d3cabb854c90f62a71f58e19a0c90a5f7f194940f2e89d5f9b42ad57f4db0500d69e4b7f971797

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log
MD5
cbbd31b1e21a291071ee2537930f0d3e

SHA1
02c841ad72175af6013c72936ddc76de68f80678

SHA256
59de32e8f2cb01ff14194fba0e1a0ef83cf48df5e2ce0453743a8deab9a03027

SHA512
93985d96bb1f52277c760610bac5e31d5b582f0df1e50c4bf391baa27e5e378acb3fc9576bd1d171b586627792507321c94454c909deeac9e3e114688d23cdb6

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini
MD5
9ee81d8513b782ac647987f746bc3428

SHA1
9d0522f38d0b6201a9e67b25c228f4aee66bda5e

SHA256
2a14bdc0a15f23d3b889d42346b4a132c469dc6294300d29dc236c2812673870

SHA512
18c2ebc18e51a8f26c351c78f025672bb86cc23dc6880ddf054eda52562fa067521016ed5c6258ec1175c243882984c366b6a4774faea83433914560f330c91d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini
MD5
4cd925daef68366ea7aa9c1069901427

SHA1
25e03e6a32ccf3a6f555ef7a7e06a261f974b7e6

SHA256
9f1cb188ffe09863ecd86deb565db2a600ada3c26f6d0a7fd3e1a633e2e5701d

SHA512
a8c7d7de942af6e19827670c6a79f8c6d4a37d1aa1def7359349e31f12921909384c3d74c77fedb184a8e0e2c001a54d3c03d558f3d29d6b3c75a4290a29d932

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini
MD5
2695cbdb40198d09777bd05f35002687

SHA1
29699439b36401b96e75b7818cbc33ee4e2479e3

SHA256
b197d186db5fd4f6d9b437a0a33ce0e395dd072d9d702759b5ec75d62d58fc60

SHA512
bd48ba4928c6fe6c4cb1075e92be3a991422410048f8d8c19894e448fa23698fd19e84a0e557a1b1b2ae2c8d55d5bf0562589374bd92bc6cf3598359d8821b2a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini
MD5
d7a078a5186c63e7992674c86919675f

SHA1
357d4d6b7c1e74e4fed51cac771b796109fcb822

SHA256
7613188f9373b8150b7fad3af6d1a9d0343b9d042429ee35dc729bfda03281de

SHA512
77280f33b39c7fa2c8c24b71bd170a3f36241fe0a270ad567c5d02982196fc7aeb4c09e92d0db3292d92f375b606a0930a13f9f28e9f522631a5c649b7e6e3eb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak
MD5
49b18a7abc22286165e3c7b3e1745c67

SHA1
96cddeca9786edf07b33746c8c951ff58bee3b69

SHA256
ee515ddca44f4630748213142e359fad4d52c27899af7fdebfabe7365aac8e1f

SHA512
0d7679641f0aed10f840b0b37b5a6d71a0586a803c6bf4941c9e4fc5edc03b3c3fbf4b67256101a978b6c1d3c566c5880754cbf4e2039cd5f07994639c60607c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt
MD5
ee7fdb1c8eb52b2cc74c372d3acc09c3

SHA1
46c1f9d7916a1f4afba677544a82feb2f4010c72

SHA256
eedda966f6383d9557b190da3a77833a36e0b3a4054b8aa6bbc156d5532da648

SHA512
0d195872cbdc980e2f6bf224d05bbfcd6ed0cb7ad609659c8bd2f58f998453716824e33c6fa89f12935547f6089812bd09c7730c0ebf8ceea7f01d389c95efcc

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\LocalMLS_3.wmdb
MD5
d16df2c4bbe0523fe4fcc4c7ff3e01c5

SHA1
30730ca6b2deeafe80dd2c6b02670009ce1e034f

SHA256
24aa34d2b952e1e8feb5494f766a4949297426973da173e73c2bb128dafa466e

SHA512
67347cee66d5806b318402befad62ab2171be282b9e1fbc0c95f008cffeacc714f0efac5f4be83329f0e5b06f60d3c2bd111ecd4bfa1d3e4284581f97d13e3e0

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\User\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.jpg
MD5
3f8cb560f0bf6bab6db24bd0fabf232b

SHA1
82c4a3823530af30059736a5867a03fde8c349aa

SHA256
19f9d5564e58976abe423b07d7e86af6f0668a753b957ce9bb1ac46848c51d2b

SHA512
eac5bce9298ee833d879ad130e5cc38120be5cfc6f9716a0a17f3dce752be0782be077fd50bd515bd1febb4fb11ddd0038bbef92707e56257a8f6a0060c58edd

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Graph.emf
MD5
cae562f1a44cd7245230dfc1adbe8451

SHA1
13c751f367ccd06a71df8b9d1db9e8aab1685644

SHA256
0729027a83d98d3d575e0f543a48b80be5c817424b5156ca74ab69225bbbed74

SHA512
b53548ef03f1ba19231cac4f2576d4f2fa6340714a0dac7e0a3ae0d1b7c1edef9bd9fb328b872c75ffc7d098f18c6b01171c83a39e38d1f760e9650a776b566e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Music.emf
MD5
1d5aa1e3ebcf9158904bd9babdbd3ad2

SHA1
e8f48ca759873e09d284ca1b1b18493234406e35

SHA256
cfc2c640327e89411791d5e49c7817dfc30b176bcfca3c0e86602ac0f0b663ac

SHA512
bb94e4b0e12338352702c02573a6c03e8331db67374bc8e641fdc2ded88a484d4dea4083a626ea9b2ef98639d07fb68b4891cc31499a01471c1fe754f84016a5

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Roses.htm
MD5
ef422cfba0b704705340eea4607b8831

SHA1
f2ab5d7f15bcd52d182b24068e39fd7428d677d9

SHA256
4dc1000524980835feb4a5dc8db43f14900a8e5abd761e23b7c1d1e0db9bd6c7

SHA512
1b38dba8c3c3b7c5b53d9d855402bd101107a5c74aa073c54fb6c82613b7aeb8354b465423c0aa48b1b5245985908cd45b1df2c033a55d09040b0fd994fd9cf9

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\oeold.xml
MD5
df41331edcaa97e488bcf1854449158c

SHA1
8ce06bbcccdf282b0dfb2f4ac79419eb776e66d9

SHA256
b37869b40dc0e25ecc553057646463df99964d6c17d84fc573a9b9b876dce623

SHA512
ee3460df8e4befd176b7c37118fa8f58717f27ef16c6ecb0f28501698396308ae34def69eb39ba7adf0511f45c0391cab1128fbc22acaf65cfa700329b1d5896

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\Documents and Settings\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.txt
MD5
ebe9f99a3623fbdeeddc9e62cec32cb4

SHA1
5f69d348bf4d7abf187e9db73111ba87e94b6c40

SHA256
ab96a384e0752be9fee82db37559fd8acf5df91f5194c0664c431edc25fc8f50

SHA512
a92011deef442395787c719bfd912ff56dce7d8a6f09fafb044bc6a56fa96efcf3bc42a56887f93e4243eec11794b4e497963a7665e446f30c795a9038ded6fa

Download Submit
memory/1224-56-0x000000013FD50000-0x00000001400E6000-memory.dmp

Filesize
3.6MB

Download
memory/1224-57-0x000000013FD50000-0x00000001400E6000-memory.dmp

Filesize
3.6MB

Download
memory/1348-59-0x000000013FD50000-0x00000001400E6000-memory.dmp

Filesize
3.6MB

Download
memory/1624-55-0x000007FEFC401000-0x000007FEFC403000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads