ryuk | 73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b

Analysis

max time kernel
190s
max time network
89s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
Size

202KB
MD5

c49c19e172c2c6f8390bd26258557b18
SHA1

641d8da9c08060b04fc63b07c61e1c891d5d393a
SHA256

73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b
SHA512

a66789da1fd31f46f04937ed507662ec0bf68c13f27f1cb0a63ddcc977f33073f3769abdcb4206651781f0e2151c93d7155358367dd1a43d4216200968e220bc

Score

10^/10

ryuk persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 1 IoCs

Processes:

BwDVIKn.exe

pid process

1104 BwDVIKn.exe

pid	process
1104	BwDVIKn.exe

Loads dropped DLL 2 IoCs

Processes:

73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe

pid	process
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Windows\\system32\\taskhost.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BwDVIKn.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exeBwDVIKn.exetaskhost.exe

pid	process
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1104	BwDVIKn.exe
1260	taskhost.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exeBwDVIKn.exetaskhost.exe

description	pid	process
Token: SeDebugPrivilege	1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
Token: SeBackupPrivilege	1104	BwDVIKn.exe
Token: SeBackupPrivilege	1260	taskhost.exe
Token: SeBackupPrivilege	1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exenet.exenet.exetaskhost.exeBwDVIKn.exenet.exenet.exenet.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1488 wrote to memory of 1104	1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe	BwDVIKn.exe
PID 1488 wrote to memory of 1104	1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe	BwDVIKn.exe
PID 1488 wrote to memory of 1104	1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe	BwDVIKn.exe
PID 1488 wrote to memory of 1260	1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe	taskhost.exe
PID 1488 wrote to memory of 1640	1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe	net.exe
PID 1488 wrote to memory of 1640	1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe	net.exe
PID 1488 wrote to memory of 1640	1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe	net.exe
PID 1640 wrote to memory of 1568	1640	net.exe	net1.exe
PID 1640 wrote to memory of 1568	1640	net.exe	net1.exe
PID 1640 wrote to memory of 1568	1640	net.exe	net1.exe
PID 1488 wrote to memory of 1244	1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe	net.exe
PID 1488 wrote to memory of 1244	1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe	net.exe
PID 1488 wrote to memory of 1244	1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe	net.exe
PID 1244 wrote to memory of 2000	1244	net.exe	net1.exe
PID 1244 wrote to memory of 2000	1244	net.exe	net1.exe
PID 1244 wrote to memory of 2000	1244	net.exe	net1.exe
PID 1488 wrote to memory of 1352	1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe	Dwm.exe
PID 1488 wrote to memory of 1104	1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe	BwDVIKn.exe
PID 1260 wrote to memory of 1484	1260	taskhost.exe	net.exe
PID 1260 wrote to memory of 1484	1260	taskhost.exe	net.exe
PID 1260 wrote to memory of 1484	1260	taskhost.exe	net.exe
PID 1260 wrote to memory of 1508	1260	taskhost.exe	cmd.exe
PID 1260 wrote to memory of 1508	1260	taskhost.exe	cmd.exe
PID 1260 wrote to memory of 1508	1260	taskhost.exe	cmd.exe
PID 1488 wrote to memory of 1300	1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe	net.exe
PID 1488 wrote to memory of 1300	1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe	net.exe
PID 1488 wrote to memory of 1300	1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe	net.exe
PID 1488 wrote to memory of 1132	1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe	cmd.exe
PID 1488 wrote to memory of 1132	1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe	cmd.exe
PID 1488 wrote to memory of 1132	1488	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe	cmd.exe
PID 1104 wrote to memory of 2008	1104	BwDVIKn.exe	net.exe
PID 1104 wrote to memory of 2008	1104	BwDVIKn.exe	net.exe
PID 1104 wrote to memory of 2008	1104	BwDVIKn.exe	net.exe
PID 2008 wrote to memory of 1704	2008	net.exe	net1.exe
PID 2008 wrote to memory of 1704	2008	net.exe	net1.exe
PID 2008 wrote to memory of 1704	2008	net.exe	net1.exe
PID 1484 wrote to memory of 900	1484	net.exe	net1.exe
PID 1484 wrote to memory of 900	1484	net.exe	net1.exe
PID 1484 wrote to memory of 900	1484	net.exe	net1.exe
PID 1300 wrote to memory of 892	1300	net.exe	net1.exe
PID 1300 wrote to memory of 892	1300	net.exe	net1.exe
PID 1300 wrote to memory of 892	1300	net.exe	net1.exe
PID 1508 wrote to memory of 2316	1508	cmd.exe	reg.exe
PID 1508 wrote to memory of 2316	1508	cmd.exe	reg.exe
PID 1508 wrote to memory of 2316	1508	cmd.exe	reg.exe
PID 1132 wrote to memory of 2308	1132	cmd.exe	reg.exe
PID 1132 wrote to memory of 2308	1132	cmd.exe	reg.exe
PID 1132 wrote to memory of 2308	1132	cmd.exe	reg.exe
PID 1104 wrote to memory of 15504	1104	BwDVIKn.exe	cmd.exe
PID 1104 wrote to memory of 15504	1104	BwDVIKn.exe	cmd.exe
PID 1104 wrote to memory of 15504	1104	BwDVIKn.exe	cmd.exe
PID 15504 wrote to memory of 15532	15504	cmd.exe	reg.exe
PID 15504 wrote to memory of 15532	15504	cmd.exe	reg.exe
PID 15504 wrote to memory of 15532	15504	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
"C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488

C:\Users\Admin\AppData\Local\Temp\BwDVIKn.exe
"C:\Users\Admin\AppData\Local\Temp\BwDVIKn.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1704

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BwDVIKn.exe" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:15504

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BwDVIKn.exe" /f
4⤵
- Adds Run key to start application
PID:15532

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1568

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2000

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe" /f
3⤵
- Adds Run key to start application
PID:2308

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:892

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1352

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f
3⤵
- Adds Run key to start application
PID:2316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK
MD5
19d0b3b89234480752ac8b513981ee05

SHA1
54111398aa98c807387ced24931862f1cc9f8f13

SHA256
40c5656680a5bc6dffb48036eee94cddf64e5f7ce4e87fc4ca4b6050d98e0134

SHA512
d754157e59242b7bd21be06fc33c9a90dad256d6a5e9a09e5d105e18d01708e8460afeb830fe330f4cb0b568308a953c1c8940f26104d6401bbbc756c89eecfb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Acrobat\9.0\Cache\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Color\ACECache10.lst.RYK
MD5
7d9e3486d198ffd148f67c73079fde58

SHA1
6f0017c90c6a3d79737bfca98f4d1ec860b7cfc2

SHA256
26b0d4609f05016bf0121fa0c19df53a2e4328cdd4dbf944fe9aa5fc7ca1cfc3

SHA512
fc0c2c3d803369ff9e696337c162b36d4fef0efb2b90b782492467b945820613c4c593b65aed0b3ea934d0bde691ca8e81a2f6f409a90703f361a04c64b10d4f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wsRGB.icc
MD5
e94cd1e32dc0417b33af58f5c89f33d4

SHA1
53eafcfdcebc9312177f84d892686006a3a6e72f

SHA256
966f6d081f5b89505023bdc9d1b3c14050ebb10e81fe8d9a3ad06743acbe24dd

SHA512
908ff97a11bbf978a417e82927f14015bd56c38d38b3acbf7063a327f2f6e3a52321ace98356708db7b2eb2c1d55e40499ad0acfd639a2eec0f1a296c9e90e83

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wsRGB.icc
MD5
e94cd1e32dc0417b33af58f5c89f33d4

SHA1
53eafcfdcebc9312177f84d892686006a3a6e72f

SHA256
966f6d081f5b89505023bdc9d1b3c14050ebb10e81fe8d9a3ad06743acbe24dd

SHA512
908ff97a11bbf978a417e82927f14015bd56c38d38b3acbf7063a327f2f6e3a52321ace98356708db7b2eb2c1d55e40499ad0acfd639a2eec0f1a296c9e90e83

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wscRGB.icc
MD5
91a1eb913ac6307e9c87bbf69b69e97a

SHA1
e46dbee2fc7a3fa60a4b1ae22c60a150feb29391

SHA256
c7595af9cd74daf9e46d23f65133bf117c8118c40813570f64081c7f5f339b51

SHA512
1d58c1e7070e337a8793ab3a16834420bdb44e2d7f948f06449c304f1ed66c84f64d820b3b2626d927e5eb3304966fd07972c3e3a5ef52410e0eaff2492e49ad

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db
MD5
f1867c9548f5f0422eae73e1ae710d8f

SHA1
d5550b2b58fbfb6dd889f5e0c07510ec96bde8c7

SHA256
793a93ecb984c6a2a689e5797352be79822e33ae4865b77e77abd5332a7d2b1b

SHA512
2fc2245b782ca357ff634004ec51492486ea145eda63aec3f506a8d9c50623a1f09e0543cdd2f3e7aed9d0d4440af331b68777dee719328758773f931c60dede

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00000.log
MD5
c76bee51f4a7ce9764b4a11933d3dc54

SHA1
3ea952514ad5969d3e0c994936ca4a483352e070

SHA256
3a433c531c801a883d85a6b7184340ba4da8f8f03c9a124f4f49d43eadbd0ca1

SHA512
642b05bfb713efed3947bf1e9acd123aa04ce45d2a9574bce7898dca6a367bb0a85c9706f54475dfd1a27b371e24657b0d9bd236600119323276571765844791

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log
MD5
d6d9ea261bdea3feb7e7df9f29e6a458

SHA1
1a4d0c1e09cdf5df576c55fb90b3483e76e395c3

SHA256
af960ef1352022038686eae69a592738ca2ae61a77b78597a7dd0326904f02ef

SHA512
84bc76e7bfc759855f78bc29161a2e035ecff6ea4fbc3ebb445df42d78bdf38f39960f73023620ec549bebed91f7e90d02cf5015558143ae3bfbe9fa6089c148

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGID605.tmp
MD5
331a524eabac175897f4c43f50cb7a2c

SHA1
72b621973793acd6309214f1fc342f88dc060239

SHA256
37ae99537b9078a0c274cf4680d5ead28cea74cd229ded2ad077ff59766be28a

SHA512
eb40018fdc953cb31eaf9c1ce0b4e9d3b4ad7a4ab04f5df04efaec2ab34fa799eb64a6dc164161082bd6367b446c746f090c30b58ddffb50f8d8f6b638312efe

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGID605.tmp-tmp
MD5
70742f35bf266ead9efaba36410aeda0

SHA1
00fafbfe805a98931ac10be2fe4b2d3225ff2fd6

SHA256
01fdfca19cb7a2309b432979a1a467e40935ae833ece0a7e2d67dbdfd2787c8c

SHA512
aeca60adbcce54e17077a00e3649f1687095e1084f07592bc1ac510e9c2954d31b19e303edec28f5f667bfdfe59673f984ca469c32441be154990d1e177c2322

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
MD5
09ddd83903b3550bd0a5db604268abd9

SHA1
85fccec4f05df0a7b74b2dcbbb8ce4e6f26fb327

SHA256
52b3bcd51e0ecfd4e5eddea77fd7c1147638500ec3b93f686e40ed047cb4d866

SHA512
a678fe5e99b509ef7296edc1fc035b5dbf4aa910f35e84be78d5bcce342c7f66d3512ab95db4846292c37f99fb9d14738d3483934526acb2dab2c9537e90e41f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI37AD.txt
MD5
74ce4d44fcf9ac144908544af46a54be

SHA1
0eee2c0649fd41a6586d17b310b330771bdf604b

SHA256
b7aa3cd3eff5f5cc4bf0f9a29513934fbcbe6508032451fa704f82ece2cde695

SHA512
16e73573117f009805474d58e5bfcc290c8ec8bb08dfb34f6ddfe573e674225ba8bd2534950e444fda1182fff509c9688566e7c55902ad1cbe74b2dc82e3570d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install.log
MD5
fecda2e7727aad12e1499782412b0e21

SHA1
78692bf123ac4eb5fcbe59e7bb47901c98839867

SHA256
fd096d9c2f7843c07240de833a5e16f6e224ea5bf4732c63d3bf377b478e99ab

SHA512
2e924ba5af65e65dcae6a34f42e1549d735ceefe79ad31a3d470a52b8667be9ed988830a2529f35a3826cc74b2f133536da3ead3594919e8a85e20ab1324252f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install_reg.log
MD5
ab7b69045f9151d8abf87a286ab381b0

SHA1
cdb1f385e27feabb1d735e401d013bb5ff822675

SHA256
1682fdd5ecf580ac40bed70ecc720ad6f7ebf74bf7a1be5184dc1e2b7c95eaf9

SHA512
ef211f4aeb298ddbe8234a0261b3a264ac3b187d2bd0f2b47e6cf29e1a13ab9af0cb090628db1ce5b57f966a5284a29ce4a8284495c1daf81acb3987ba68d52f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log
MD5
1cb1fa6d5ce2f42fd429c3cbc2d24903

SHA1
80be16803f2780e2b04504dcdf70f5f6af44b2c3

SHA256
787e719df0dd0ae9861cbadae2d85b82ee54bc82dc4399642959d5300dc1c678

SHA512
d14e1a35abade9f2e05b6a1de26f3e1eee0cc792c4d19360efc868bc2a8e0ee3512a7558fd2a016686b49c4c00649032ce127a3a3d887d74fe322a19a7b2f1a1

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log
MD5
768bb1472937e6b129510bed855c9e34

SHA1
d97b989f6ee47e47901278a2c77012b91e3be4be

SHA256
95d631531d08559577554747d8a2d82111c6f12699c4533f2a180d01fae94732

SHA512
e9d02f9b752610291209704f02e697d1c9ef43022991cb48a5ad0f83f44cd1272eac2a9d4a53169b0c4d55d80b69b9bdf7fd9d240fa63d461db0177edb67a13a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK
MD5
89656b5143edbd214f2b3a9237d8bd4d

SHA1
53b309709c4f51537dd4bcae4ccbb68a9558ecda

SHA256
5fc975cee9fdce794508050bdbc928a4f66c2f1f9501cdc8b06dd299da3c3cfa

SHA512
3619cbb171b2db99d1e0285305a05ca2f6cee828c14091b56c70c69b1b236c21e9dccebf9aae6af64137f0ccdb1410b0f60f8d823bcf1444f3e42cca46b55d3e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak.RYK
MD5
658752e015378aa15a5410a51fde75a0

SHA1
e0424aa69de8b3118625f93533e63ae962cf4b79

SHA256
a164ec417cee5196ffe0f093ae52854e00b42fbf664d05d73eda8f7791c7a012

SHA512
d0d8d30acd8cc7b0890f8feb1bb401bc130fb48210701381c34132912e5ed39a7a36cf6dea7d5ec35ae3c3dfa1eac159504c1baa4f92b20a8a0b0a2f4b789986

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt.RYK
MD5
eba00c9dd9208b14869fcfdd6cc71522

SHA1
f7927c20b43ab4f2fa50770517d07c7f832b030f

SHA256
65857bae586ecb687047f9ce6d98e3a4dab7ecd08b71a574dccb851329cebb4d

SHA512
892c727ec97cd9cb5435ac4e1360d1a14b7be90dcf658ab91a488f9a3e8c1fdac48cfe5a8266f52bf7999397a8f3d20f0312c6650b972bc8c56b763270390b3e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\LocalMLS_3.wmdb
MD5
111f6c5a6972ddb596f9af525e3ffb98

SHA1
ed3719d62274c342e1a3f0870a3065959631184a

SHA256
a76c8ce21de9f18326597b8170d829871655dfdc23d9e9c4e773a6744ad2a6f5

SHA512
6881ede0a83b8bd09e022f8e6a7024effadc4457ac8dac727c90b05cff06f3b1065aff989c4e009f0851a7e65998455634e3602fd83ed7b88055cd6d2629c6ce

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\WindowsMail.pat
MD5
43597a612d922202e6de38b8a555b569

SHA1
a8b8566d132f8814e74ca44db7c2a36817d67e52

SHA256
63afa6fe1a03ee6651b91f4c0c14b73830dc5e1fde2eeb9e25421c9350ecdc4f

SHA512
2eca45ad8c9b72a1b70b9741e91522a04a5e60939f5a2045853c5f1225e7c1edd0fa5449f9b7bd3d43a0e78069c5685bfd4ca8b380a5f826714540388b9acbf3

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00002.jrs
MD5
1f3a542e0a6716a4050e24018e87be43

SHA1
ad06bd77b36f2985143fd2da9183193963b8a04f

SHA256
4e546fcce6d81d3944d7d31be784bfc510ea837f7c9916ab62eb500507ebfe1c

SHA512
0549c3ae2a8b4f7e21125b8d79416078191e5775881db5306318839fdaaeb03437a847e29484e47e00c36c26fc4a5bf9f07f524212481479c8bbe6b37bf7ab8a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\oeold.xml
MD5
81f06adee36cff78baffa40278483df6

SHA1
ace6aaafcaad0fbe87a9c080c1c3b8d826b1bc1f

SHA256
25e52384ae3b9cee4e361d719b7d3a066b5c717ad5ffc724da9e9477a6f074d8

SHA512
fe7bc1449c3f23d74bd7e379724d93bbe5dd9860a2165e03edacd5c6e401603bac7b747f1228e7045d95c8f459c8570c8e7b8304f005058466b5dc72d0831170

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Media\12.0\WMSDKNS.DTD
MD5
d6ae4eb4a3f384a56b52c6110af40bfa

SHA1
019b40c3e94ebbdd9c120fa31a4a2695aa0e4409

SHA256
0bce0b98d4d2246dd8088d4c80b5ca4d6fa7216927f57b4180501c942bfb27c1

SHA512
ade41a40b0dffacd5b67c3777b556ab622c0c5545b4085a56be9fe588380de686fc57206c7bf070bd5e9849bfd6aeb7301681c285287c39bbd7a049db2cd01f6

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Media\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\174997711\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00001.log
MD5
2d3b7c5a823586b6de170a4bca61b376

SHA1
f281d49b342f82378f170fe1e612d1106edb2625

SHA256
e59ba8a596ba9e56666e7699bdfd9ec0ce1045a83a41faf0cda936bb4e91b87c

SHA512
806c46210b2f4f81e824fee54e0319189b63da1b258ca372bf9f39d21fb7d9e20962ac9973bef6c67036a8cfc9e66d79c6b339f7b838a258b0690ac276f6eddf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_SetupUtility.txt
MD5
b77d8b04939d8bf78358996fa11ccc59

SHA1
5e2931781996e1c26eb2dab0915696ecdebc5909

SHA256
c43e54e8db49c679cd7a4d41e64986ecc72cbbe2cad90fe350cc82a7536771b5

SHA512
256efe9def79c4816a8e87db80ef224be7bc76db4ddb021f48d5e16bc4ef1244ae2245bfeb600db1ca9de2864c5702d32ef165608424b002488a41ddc5eca536

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\hsperfdata_Admin\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Documents and Settings\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\BwDVIKn.exe
MD5
c49c19e172c2c6f8390bd26258557b18

SHA1
641d8da9c08060b04fc63b07c61e1c891d5d393a

SHA256
73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b

SHA512
a66789da1fd31f46f04937ed507662ec0bf68c13f27f1cb0a63ddcc977f33073f3769abdcb4206651781f0e2151c93d7155358367dd1a43d4216200968e220bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5
5cedf73dbf75099b8abcefc3f07e9975

SHA1
2ecabc828715573e9d7aefaf82bfb0e7379e92cc

SHA256
beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63

SHA512
dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

Download Submit
\Users\Admin\AppData\Local\Temp\BwDVIKn.exe
MD5
c49c19e172c2c6f8390bd26258557b18

SHA1
641d8da9c08060b04fc63b07c61e1c891d5d393a

SHA256
73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b

SHA512
a66789da1fd31f46f04937ed507662ec0bf68c13f27f1cb0a63ddcc977f33073f3769abdcb4206651781f0e2151c93d7155358367dd1a43d4216200968e220bc

Download Submit
\Users\Admin\AppData\Local\Temp\BwDVIKn.exe
MD5
c49c19e172c2c6f8390bd26258557b18

SHA1
641d8da9c08060b04fc63b07c61e1c891d5d393a

SHA256
73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b

SHA512
a66789da1fd31f46f04937ed507662ec0bf68c13f27f1cb0a63ddcc977f33073f3769abdcb4206651781f0e2151c93d7155358367dd1a43d4216200968e220bc

Download Submit
memory/1260-60-0x000000013FE70000-0x000000013FFE5000-memory.dmp

Filesize
1.5MB

Download
memory/1260-58-0x000000013FE70000-0x000000013FFE5000-memory.dmp

Filesize
1.5MB

Download
memory/1488-54-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp

Filesize
8KB

Download