Analysis

Max time kernel: 196s
Max time network: 149s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 20-02-2022 06:08

Static task: static1

Behavioral task: behavioral1
  Sample: 6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe
  Resource: win10v2004-en-20220113

General

Target: 6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe
Size: 208KB
MD5: 6616fdc6dc5e338db8acd5f70448a793
SHA1: f156ef44b780a5ad7d379b9efdbba83b94e9c9c9
SHA256: 6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827
SHA512: 25d2fdb9c07a9031a87767e24b4f8a04b30d12e033152f7efe70edf2ed2be920ec78057630fc12821fe519ee25802a445695ed6186e81d3b404356714b00a601

Malware Config

Extracted from: C:\RyukReadMe.txt
Family: ryuk

Signatures

- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
- Drops desktop.ini file(s) (64 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes:
    pid    process
    832    6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe
    832    6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe
    832    6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe
    1240   taskhost.exe
    832    6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe
    832    6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe
    1240   taskhost.exe
    832    6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe
    832    6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe
    1240   taskhost.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                pid    process
    Token: SeDebugPrivilege    832    6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe
    Token: SeBackupPrivilege   832    6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe
    Token: SeBackupPrivilege   1240   taskhost.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe  (PID 832)
  cmd: "C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe"
  signatures: Drops desktop.ini file(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  C:\Windows\System32\net.exe  (PID 1804)
    cmd: "C:\Windows\System32\net.exe" stop "spooler" /y
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe  (PID 1304)
      cmd: C:\Windows\system32\net1 stop "spooler" /y
  C:\Windows\System32\net.exe  (PID 972)
    cmd: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe  (PID 1140)
      cmd: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
  C:\Windows\System32\net.exe  (PID 1440)
    cmd: "C:\Windows\System32\net.exe" stop "samss" /y
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe  (PID 1172)
      cmd: C:\Windows\system32\net1 stop "samss" /y
  C:\Windows\System32\net.exe  (PID 1880)
    cmd: "C:\Windows\System32\net.exe" stop "spooler" /y
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe  (PID 624)
      cmd: C:\Windows\system32\net1 stop "spooler" /y
  C:\Windows\System32\net.exe  (PID 1964)
    cmd: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe  (PID 1664)
      cmd: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
  C:\Windows\System32\net.exe  (PID 1892)
    cmd: "C:\Windows\System32\net.exe" stop "samss" /y
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe  (PID 1180)
      cmd: C:\Windows\system32\net1 stop "samss" /y
  C:\Windows\System32\net.exe  (PID 8880)
    cmd: "C:\Windows\System32\net.exe" stop "samss" /y
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe  (PID 8904)
      cmd: C:\Windows\system32\net1 stop "samss" /y
  C:\Windows\System32\net.exe  (PID 9108)
    cmd: "C:\Windows\System32\net.exe" stop "samss" /y
    C:\Windows\system32\net1.exe  (PID 9136)
      cmd: C:\Windows\system32\net1 stop "samss" /y
  C:\Windows\System32\net.exe  (PID 18732)
    cmd: "C:\Windows\System32\net.exe" stop "samss" /y
    C:\Windows\system32\net1.exe  (PID 18756)
      cmd: C:\Windows\system32\net1 stop "samss" /y
  C:\Windows\System32\net.exe  (PID 18768)
    cmd: "C:\Windows\System32\net.exe" stop "samss" /y
    C:\Windows\system32\net1.exe  (PID 18792)
      cmd: C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\Dwm.exe  (PID 1328)
  cmd: "C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe  (PID 1240)
  cmd: "taskhost.exe"
  signatures: Drops desktop.ini file(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  C:\Windows\System32\net.exe  (PID 552)
    cmd: "C:\Windows\System32\net.exe" stop "spooler" /y
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe  (PID 960)
      cmd: C:\Windows\system32\net1 stop "spooler" /y
  C:\Windows\System32\net.exe  (PID 1172)
    cmd: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe  (PID 580)
      cmd: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
  C:\Windows\System32\net.exe  (PID 1180)
    cmd: "C:\Windows\System32\net.exe" stop "samss" /y
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe  (PID 1212)
      cmd: C:\Windows\system32\net1 stop "samss" /y
  C:\Windows\System32\net.exe  (PID 9148)
    cmd: "C:\Windows\System32\net.exe" stop "samss" /y
    C:\Windows\system32\net1.exe  (PID 9172)
      cmd: C:\Windows\system32\net1 stop "samss" /y
  C:\Windows\System32\net.exe  (PID 18968)
    cmd: "C:\Windows\System32\net.exe" stop "samss" /y
    C:\Windows\system32\net1.exe  (PID 18992)
      cmd: C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\rundll32.exe  (PID 1516)
  cmd: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
Network
MITRE ATT&CK Enterprise v6
Downloads
MD52525cd20fa7731e042053dc80ce370d5
SHA1305f51a24ba50684f306afc5fae6c4ff8a12c189
SHA256a4155a5c63acbe0975ab54ac44112421cd0e57e32efb4e6e45c87fb2442abcd7
SHA5120c5521a0d724af672ebee18a1476cfa99813d571fdcc4b38245281c599c7fe9cf443c6e0c84bf699452ddbe723d4e13f178a0586c5463979b055721dd4f4aee5
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt
MD5b7a3cc912ef3a68406d1caeb94d35a13
SHA1b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA51297ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00000.log
MD57f5e803954872aa8c4eda7025f659f49
SHA1c301cc10cd5e1ac684bb22007c050663a731ab99
SHA25692b87eed678e55ed0bacf12394cd400c82d91f7a412aa9aadcd980e9560ff98a
SHA5128f2bf2e78007442be91e48c8abedfb2014c5f1b8ed090a9729965031f3000c10090e0c96ad84de0786772d781624d223993c80251eb35b92dcc9cba6fc6abbb0
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00001.log
MD5d9f39663a22c651ed238f601f37bbb21
SHA1142b7ec51c7db8dfefa399b1b8cb5d7ccc0a9608
SHA2566b23fab51ecb4269ca6e8a29e9683b44ce6e04ddf14b601c2bb006bada95436c
SHA512cc54b3ab4952fb566a9e5cf06201b5823a190c71b771c83704b5e823229e28bfe1939c50809922a758d45114a66384b60bd72b89d41a0c81e3c28e94f606676d
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Admin.bmp
MD549506be9de92dc382046beedcaf42e3f
SHA1199203c9fccf463dc8ed12b089088b6c572f287e
SHA256bf67936cebe071f3e81cb16cebb1f9841f28ad3873838049f0d96f2d8891f87b
SHA5124e1605b2ad6731d4b7e05b435be569b8533d3cf2d8ed67c99b035074230d5f10fc90635b52b305ef6fd59687ab26d6fd40a2cce0823f74af3a575f00f17fd6dc
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt
MD5b7a3cc912ef3a68406d1caeb94d35a13
SHA1b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA51297ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGID605.tmp
MD5050003b56d5d16471ee8b851351e8d9c
SHA16d3a9a02dbab6811413de958cf82fe196c09e728
SHA2564c2d3b7b87b82f0490b6055d72d5ec8c56eee3a1561eff6b2dc71278c825b4dc
SHA512209229a637ea42008f7c22f8b55f2e347a597aace225389ea15ffb5e7c9d8cebb7f915d9482516e825116ac4a60f54aa80de04e965352033450cae834739a505
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGID605.tmp-tmp
MD51617ab2c26bb97aad3342c0ce5037c38
SHA1543914a4b4deaf746a593e758e65803cd829a750
SHA2560fc1bb56c0b4ab6d3a23f8b137640fc587e648edf25702b09e5b87a3b4b36086
SHA512efe5e13836dd6ab02ade314c393893c5f5c6d24abe1b9a9420554d70be8f812ba4b35437b9f79bcdfac7642d7523bdf7dd0a29216b41bf46b88be088e1b6a273
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt
MD5b7a3cc912ef3a68406d1caeb94d35a13
SHA1b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA51297ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\WPDNSE\RyukReadMe.txt
MD5b7a3cc912ef3a68406d1caeb94d35a13
SHA1b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA51297ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
MD529008b3b4aed0f5e3575b253057ccfbc
SHA1003a2fc6f232d34e5370205b9a1168e91c870bb2
SHA2560f10776cdbe11cbe5bd9adec624e97a5f1bac5a253ef891241c6d84a0909c9e0
SHA512ae684b340e9813541fc1d788a4801781a85796e0d002ffb2c7a797852990694aa4ce30d79928b72594db25e05246095c03a3ee579758ca77645feed94aea07eb
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_SetupUtility.txt
MD5a38d42eccc70c7a4ea260b9db44c4a9c
SHA17f987541e99a0d8c7d4f7f25f8f03d042ad04b6d
SHA2565af762377a400284c4ab0ee168a6f07f352a44df4137d17fce00eed977b37305
SHA5124acfc87d0b7784e61f7e62ebdd29757a2e39de9ca1fc0719de343aefc661705007c74f89b972a4f0f4f3829a1f96bb5ac32762fb6ef5fb403eb0405a02630884
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log
MD5046a97dea1f0a1beaea145724b8dec85
SHA10870bdcb8a736161f89d8446234c9f12b5acdcdf
SHA256aa67aad82b7ad2b5be92f970f730ea5fabaa76d6a730bc8c7148f7a19ae8a11b
SHA512e5007e46b8154422cbb4557c8112e5c2971c4df48d7b9a9631b4498004dcef3294755b28dea626b8407602e4165652ec383c0972e882345990dfd25e735dee04
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.txt
MD5b7a3cc912ef3a68406d1caeb94d35a13
SHA1b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA51297ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt
MD5b7a3cc912ef3a68406d1caeb94d35a13
SHA1b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA51297ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini
MD560a156d6023e989bfcc9135da423fa7b
SHA141695f22487ade8db6d1ef05ebdae087081f5716
SHA2563887c5307f458cbe04e9a37f0efebea65c67d71fef81f594f6b515d0bdeecc06
SHA512a2acb3c0c36c2d5b7e960fdd9a934a4b5c32b74dd765ceffab0b295e9c0006d083d505b3b7dae4e993d1d4f52284f46767df885e121102187525ce170ebfaa34
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini
MD50deafe4bb43f57fcafd7fd076b498995
SHA19d8ea3bdd09a13e6ab0983280ff2bc756171d4e1
SHA2560a6cafe59724bdf90eef0540ce3dfcd7875d2378c5b871fc3a01928b10fe8774
SHA5123372f13486228ad2dba79f2e873db7f15aa9084945f339830e6b4c98fe4f86779021c41eb7d15d158ec2cf64bcbee6127c74852b0fcb83e4335cc654771d389b
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini
MD5ca68d2961ee083d0e7888bd641b13b2a
SHA105176030955b19007f63dce494f6f97fde026ebe
SHA2566a9c60e41b940a676afd6d6f4be7bab62de764d74d12e1b43a2022c4cad92dc0
SHA5127d7e3fef50f20abbb02cea712e851b34a9a8cd5d592c9b676412060646327a6bcc1111dbf46cb54645e27e8142229d87f17fac02678c7d04e5e56acb9989f3bb
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt
MD5b7a3cc912ef3a68406d1caeb94d35a13
SHA1b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA51297ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini
MD59dd72095334b0c4c6abe178ea6e12729
SHA15fc2de72a5a984393713e8b5ce6b7f71e772522a
SHA256449b834cc9981ed32fe6f808b700ea409ae9c6dfa8353c0e51b04ba82d55962d
SHA512b6e8787c9bb3d9013985ba16aad97fc1af750756a4e565ffc20e9bdb3c86c10a79d91e28783e771f6eb3408bc2ef0f811ea07a82c6ddd79f2b4e5b56ce44336e
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms
MD597dd53805477b390b169b1f6958d01a0
SHA10c32b1bcee17b2bb603924e9877af9c3dc43aad1
SHA256293a56724d4bb69f40b9035722436f2087c91a9d68bdd77a4f25acfa8e3fc4f7
SHA512f41b7cfecaa26af15cc278d737ac4fa9b034b1d0a39d3aa756a5b663c4fdab9f549da3892132c3cd0c363ac105ed585ee20f58d5d0f61ecb3280304f8cc52387
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.txt
MD5b7a3cc912ef3a68406d1caeb94d35a13
SHA1b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA51297ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.txt
MD5b7a3cc912ef3a68406d1caeb94d35a13
SHA1b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA51297ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak
MD5b20d1b9a56349935a520990c1ecce4bb
SHA16e2d4c397128dd8dfd62036797f31c53c0131b07
SHA2567584a918ca041fa78f6eb1424b57e768565f352d1799360a17443eeb6622b212
SHA512c28ba443774c29335e159e4d7175f24edc4f25a39873727b0263a2d64751257dd3fe3f7df965251279871bf64bc3eab8afed7ecfa3e32064b2a4b8538238d43d
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt
MD545d2f0a70e5dd65a4d99f203b70b268f
SHA13d36fee8207ec3c4b3b2db154867668a08c5b78e
SHA2560a8f1a6bd9b5c4be5730cb744492f6a19d345b3d77c9d7f1cf2e4f2901a4a1db
SHA512d1c91a972278bffae4dc9d296d192cc0cfd16deb81911481a2cc651dd682189131ef55dab5af4dfdfe4dcde6e726d898d0bbe59b0582f82dfdd610bacd2dc465
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.txt
MD5b7a3cc912ef3a68406d1caeb94d35a13
SHA1b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA51297ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.txt
MD5b7a3cc912ef3a68406d1caeb94d35a13
SHA1b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA51297ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\User\RyukReadMe.txt
MD5b7a3cc912ef3a68406d1caeb94d35a13
SHA1b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA51297ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt
MD5b7a3cc912ef3a68406d1caeb94d35a13
SHA1b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA51297ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.txt
MD5b7a3cc912ef3a68406d1caeb94d35a13
SHA1b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA51297ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.txt
MD5b7a3cc912ef3a68406d1caeb94d35a13
SHA1b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA51297ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.log
MD531c995fe6426eec9c64eb27cc7017964
SHA1dfd147f36051e7cf8e80c0ffdcd590cf19dd95df
SHA2563c3203dd317bfee167085ce4eb65cc8ec31c2383477d01cdf4fb1a186f2074f3
SHA512b610a042a9e12bbf3b3eef4ba610fa3849c377357102c8a015ab3d51d931cb273fbbda2b910cd5e34c8c04cfd9c76dfc84132e5d2577798c8b9ca3723d77dc7e
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb00001.log
MD5c88a210068f4eadccdf864fcfdf37b9f
SHA108e2bc98d4c755cbee14b1cd526f1f1ceae5aa09
SHA256c50525b78a57b2040957be6beea27071cb27f3bb18dd00063d803361768f6a8f
SHA512d8ac961f6ea812abdc6bc7064e1e0a9d527e8dd7c863e5ebdd17d1c257fe8baceef0eec1e06e132d6ec8d76a639ed69a56ee38f4e99c75655a3015b0a6c08895
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00001.jrs
MD5610bf49d25cc260097c3e026752d7d01
SHA1901ade7d129c40ad3537f1e497a9919093de91d0
SHA2560dd63552e9658ad8a5422cc8c4cca0d3a16cfec36375ad80f7a0f08ea3de2926
SHA5126f0bd38860d39b7ea1b4e8f93f38953ebdb53f24bd29b8f8a3b6fe9c29a0a7605e191150f88976344b718b2bc1d10d0cceb8775fc9448429dab68debedd68a1b
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00002.jrs
MD55fb6de592ccbe40598754ca3d5797938
SHA1dd5aeaca54c5e42b017be404b3e141d1cdb97741
SHA256a62ca1c0c710ad308a25916e2b4ee2123cace24f24f7478160a312a71dcaa7ef
SHA5121824a0a36dab9f074162642f7425820a2fdec427af645c14ac44527f20ee57873ef8bd0af02fe1500d2d3db6af1a77d93fbf500d21adffb12786dd15c8048c92
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\oeold.xml
MD553b5c4902a981f9469818d422fa9aab0
SHA1942de7923f25176f2f25d6ffca13af9c6b87bfb6
SHA256a5cf84407929b19948f45b6ff2445cc972c3693f82000ea09c2af8cf34fd0d1e
SHA512b2732ccaca8cd0b9ef30e6d5c1a977f4c8c49f6a2dc79340edb07ae46c68a9eeffa649f731d64cbf946166d3ae31d9a1020e8157896d46d7e3e87460d36bb580
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.txt
MD5b7a3cc912ef3a68406d1caeb94d35a13
SHA1b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA51297ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.txt
MD5b7a3cc912ef3a68406d1caeb94d35a13
SHA1b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA51297ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.txt
MD5b7a3cc912ef3a68406d1caeb94d35a13
SHA1b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA51297ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt
MD5b7a3cc912ef3a68406d1caeb94d35a13
SHA1b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA51297ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\RyukReadMe.txt
MD5b7a3cc912ef3a68406d1caeb94d35a13
SHA1b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA51297ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b
-
MD5
b7a3cc912ef3a68406d1caeb94d35a13
SHA1b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA51297ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b
-
MD5
b7a3cc912ef3a68406d1caeb94d35a13
SHA1b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA51297ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b
-
MD5
b7a3cc912ef3a68406d1caeb94d35a13
SHA1b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA51297ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b
-
MD5
b7a3cc912ef3a68406d1caeb94d35a13
SHA1b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA51297ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b
-
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e
MD593a5aadeec082ffc1bca5aa27af70f52
SHA147a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SHA512df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45
-
MD5
b7a3cc912ef3a68406d1caeb94d35a13
SHA1b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA51297ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b