ryuk | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177

Analysis

max time kernel
172s
max time network
145s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
Size

202KB
MD5

ab390eb9f4302cb3ecfbf63027e177ca
SHA1

1b84a4c57c6e54a13db6cd49b7e1673b97d02d0f
SHA256

56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177
SHA512

ce7152a2a844a7e2fc7134e5125823ebdcc355191f73d687af282b8f3b3f123a68990e51402d35d6ac6ebf44ac8abe54303cb381b946868316415b8caa1e2d77

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Only we have exclusive decryption software, suitable for your situation. More than a year ago, world experts recognized the impossibility of such encryption deciphering by any means except the original decoder. No decryption software is available in the public. Antivirus companies, researchers, IT specialists, and any other persons cannot help you to decipher the data. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM � files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us a [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops desktop.ini file(s) 64 IoCs

Processes:

56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exetaskhost.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links\desktop.ini	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Desktop\desktop.ini	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
File opened for modification	C:\Documents and Settings\Admin\Contacts\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Music\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
File opened for modification	C:\Documents and Settings\Admin\Downloads\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Maintenance\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\desktop.ini	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Recent\desktop.ini	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Contacts\desktop.ini	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Desktop.ini	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\desktop.ini	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Downloads\desktop.ini	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
File opened for modification	C:\Documents and Settings\Admin\Links\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Music\desktop.ini	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini	taskhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exetaskhost.exe

pid	process
1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
1228	taskhost.exe
1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
1228	taskhost.exe
1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
1228	taskhost.exe
1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exetaskhost.exe

description	pid	process
Token: SeDebugPrivilege	1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
Token: SeBackupPrivilege	1228	taskhost.exe
Token: SeBackupPrivilege	1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exenet.exenet.exenet.exetaskhost.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1324 wrote to memory of 1228	1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	taskhost.exe
PID 1324 wrote to memory of 1312	1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	Dwm.exe
PID 1324 wrote to memory of 556	1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 1324 wrote to memory of 556	1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 1324 wrote to memory of 556	1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 1324 wrote to memory of 1468	1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 1324 wrote to memory of 1468	1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 1324 wrote to memory of 1468	1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 1324 wrote to memory of 1080	1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 1324 wrote to memory of 1080	1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 1324 wrote to memory of 1080	1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 556 wrote to memory of 620	556	net.exe	net1.exe
PID 556 wrote to memory of 620	556	net.exe	net1.exe
PID 556 wrote to memory of 620	556	net.exe	net1.exe
PID 1080 wrote to memory of 756	1080	net.exe	net1.exe
PID 1080 wrote to memory of 756	1080	net.exe	net1.exe
PID 1080 wrote to memory of 756	1080	net.exe	net1.exe
PID 1468 wrote to memory of 360	1468	net.exe	net1.exe
PID 1468 wrote to memory of 360	1468	net.exe	net1.exe
PID 1468 wrote to memory of 360	1468	net.exe	net1.exe
PID 1324 wrote to memory of 1124	1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 1324 wrote to memory of 1124	1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 1324 wrote to memory of 1124	1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 1228 wrote to memory of 1168	1228	taskhost.exe	net.exe
PID 1228 wrote to memory of 1168	1228	taskhost.exe	net.exe
PID 1228 wrote to memory of 1168	1228	taskhost.exe	net.exe
PID 1124 wrote to memory of 1624	1124	net.exe	net1.exe
PID 1124 wrote to memory of 1624	1124	net.exe	net1.exe
PID 1124 wrote to memory of 1624	1124	net.exe	net1.exe
PID 1324 wrote to memory of 2292	1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 1324 wrote to memory of 2292	1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 1324 wrote to memory of 2292	1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 1228 wrote to memory of 2308	1228	taskhost.exe	net.exe
PID 1228 wrote to memory of 2308	1228	taskhost.exe	net.exe
PID 1228 wrote to memory of 2308	1228	taskhost.exe	net.exe
PID 2292 wrote to memory of 2368	2292	net.exe	net1.exe
PID 2292 wrote to memory of 2368	2292	net.exe	net1.exe
PID 2292 wrote to memory of 2368	2292	net.exe	net1.exe
PID 2308 wrote to memory of 2380	2308	net.exe	net1.exe
PID 2308 wrote to memory of 2380	2308	net.exe	net1.exe
PID 2308 wrote to memory of 2380	2308	net.exe	net1.exe
PID 1228 wrote to memory of 2388	1228	taskhost.exe	net.exe
PID 1228 wrote to memory of 2388	1228	taskhost.exe	net.exe
PID 1228 wrote to memory of 2388	1228	taskhost.exe	net.exe
PID 1168 wrote to memory of 2396	1168	net.exe	net1.exe
PID 1168 wrote to memory of 2396	1168	net.exe	net1.exe
PID 1168 wrote to memory of 2396	1168	net.exe	net1.exe
PID 2388 wrote to memory of 2440	2388	net.exe	net1.exe
PID 2388 wrote to memory of 2440	2388	net.exe	net1.exe
PID 2388 wrote to memory of 2440	2388	net.exe	net1.exe
PID 1324 wrote to memory of 7008	1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 1324 wrote to memory of 7008	1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 1324 wrote to memory of 7008	1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 7008 wrote to memory of 7032	7008	net.exe	net1.exe
PID 7008 wrote to memory of 7032	7008	net.exe	net1.exe
PID 7008 wrote to memory of 7032	7008	net.exe	net1.exe
PID 1228 wrote to memory of 8204	1228	taskhost.exe	net.exe
PID 1228 wrote to memory of 8204	1228	taskhost.exe	net.exe
PID 1228 wrote to memory of 8204	1228	taskhost.exe	net.exe
PID 8204 wrote to memory of 8228	8204	net.exe	net1.exe
PID 8204 wrote to memory of 8228	8204	net.exe	net1.exe
PID 8204 wrote to memory of 8228	8204	net.exe	net1.exe
PID 1324 wrote to memory of 8288	1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 1324 wrote to memory of 8288	1324	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:2396

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2380

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2440

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:8204

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:8228

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:17032

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:17060

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
"C:\Users\Admin\AppData\Local\Temp\56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:620

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:360

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:756

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1624

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2368

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:7008

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:7032

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:8288

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:8312

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:16948

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:16972

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:17092

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:17116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:1824

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache10.lst
MD5
819d3df671c04d00d6425fd6cf694115

SHA1
f4ef2841346cf50c631730c88f80c775d378078e

SHA256
d92875f53cd1071cd3c327962779932b84362223715b94c2f06fa6d33ec0ee56

SHA512
93decb1437ef34d38822a8a347b664f8171057d11d953696ecc7c72b0f22722b72f965fdbaaf0b47c82dfddaca30548dbe14328724bd0103d4a3a2bf1b0b626b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc
MD5
77338449f6dfba3a3588019ffdcbb725

SHA1
12c2c2fae52428230583d7fa8aa870b721026359

SHA256
cba41b16ffe19aed381434e370cfb9090f61cb6a4fa54089b154bae3c39fc8a7

SHA512
5f83d283cc204dbb4c4e95f6b1e8c455676927935aaafae770d27ce08024e0d9ee1928421cc4738dc5782182b6d93fcebd60543a1999c6f057f398a304b333e0

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Color\Profiles\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wsRGB.icc
MD5
77338449f6dfba3a3588019ffdcbb725

SHA1
12c2c2fae52428230583d7fa8aa870b721026359

SHA256
cba41b16ffe19aed381434e370cfb9090f61cb6a4fa54089b154bae3c39fc8a7

SHA512
5f83d283cc204dbb4c4e95f6b1e8c455676927935aaafae770d27ce08024e0d9ee1928421cc4738dc5782182b6d93fcebd60543a1999c6f057f398a304b333e0

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wscRGB.icc
MD5
0140ee6c253dc13fada054121259551f

SHA1
758a98b1c7cf060687ee3825ab3960462336531c

SHA256
3542dbefc1cf0d849084354a6989aa87a8f1c16f4d927b44fca9bb6721d55bcc

SHA512
5e7f84a6e8a588163d26166a17fee3c9bd1a166862a9007b7eb65587544418b3b60f2b6443b12f40879cf85266f60adfde63006423ec30aa05a73a964d2f8043

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\ACECache10.lst
MD5
819d3df671c04d00d6425fd6cf694115

SHA1
f4ef2841346cf50c631730c88f80c775d378078e

SHA256
d92875f53cd1071cd3c327962779932b84362223715b94c2f06fa6d33ec0ee56

SHA512
93decb1437ef34d38822a8a347b664f8171057d11d953696ecc7c72b0f22722b72f965fdbaaf0b47c82dfddaca30548dbe14328724bd0103d4a3a2bf1b0b626b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK
MD5
d0b2b2be7725035919a4c0130238f7ef

SHA1
558d2b267c1c71e03fc4b5821ccf975c047dc913

SHA256
7591fb7c9deb540c9a8e8d02abbd24f0669fb7fb9f6bff95f1a988f9afe8916d

SHA512
a8cda2854d0decd4451481d83f1213a352e74144e78c77bc537abc0debe344b0b19fdd0f908d41c62cf8dff1c5dceb226f9478a0edc101b3e6aca9d3b2f122b5

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db
MD5
f80fea062b441502cadbf472a6766585

SHA1
21993d6144d21f38598644734c36aae2533da167

SHA256
8428b88002547f504f13373836dee9b4f0ff241e2a9b778022d5a1321a8e09f0

SHA512
9f9f66c5a2b7df9720d6463b0af5ca08ae0ed189968839804a53da58bb79f72a7701f698c8e728c20abec84a5fca736fa7fd3fd391d9b00a0f4c2d06d2dbb77c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00000.log
MD5
e91f11bc5f1cc1ca54c69a73f3dc3adf

SHA1
dc59a31727f99cdb6dd6ea9efeb1b521e3b84310

SHA256
b0f884f6ec0d71f80b07e1ce554c64221346947b155202d0f78e47e876309f9e

SHA512
0dade0dee7816da782681ae591db37715a9bddcb00c5654973145fc3a118fe06649da30eb711f3942c470748ee9ea96a9686ccf1eaf68af2dba743c002703a4f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00001.log
MD5
7c89e5d76efb1c0f706090dfbaf41ed6

SHA1
e1438cf6e3a1b15781a45d11e232810e648af27d

SHA256
b305f71285e4826822e128673dfd691dfc10c3ccc47ce960c0ea76b79d678064

SHA512
7ab77214596fdf10bd0415e426f1298aeffc96ead6325d6e2248dd24936ad5506cbb9fa5c2c091183007e2bc6c1fe5274e00ea87180527d19a78635e5fb6e285

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\WPDNSE\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
MD5
bf147c38968a8b9cca7c1b61f7f16c7a

SHA1
f137edfc635d6613a65a187957ba6af78ce880da

SHA256
443bd12d6194bbe04a80a58b2c0f2b15ee328c7869a132694ddcc60d99bdde43

SHA512
6b1630ce20da72092a62ad89a7381831fdaeec6700be67eaf5eb076dfeb7da54bbc1053d4f9a04511b85e09f3475a6d35579528b5c7d83d6eba9a5abf33297ac

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_SetupUtility.txt
MD5
91320f70438e9131e80d45a1003f4b9a

SHA1
1134c1e4213924a1124b7f6700592837c7d23409

SHA256
08b3807fcd2bccfca9237b23b5fc265f188eba77b902bc28668b1a4d91fb0ab5

SHA512
ad322e682998cf0faa785baec15e0b614af576913ea8f964ce450e42eed519f0f3aa66f55a4c4e937504f3200e3d237dc93dcb9b8576e88465cd4e69274141fc

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI1E30.txt
MD5
d3bd6b0df5910a96cefa9ca920aee866

SHA1
e2098b98b57e683ab01ba67c8b60f22e0dd663c7

SHA256
fb7cf89c829fefaab3c0835ee9ed56141971a0abf9e3f97f5e346e3a83dcae98

SHA512
09e715d0f81113265bbda5bdd5eb355f1348c4c9f86daad705b37f5029a14db4b03f71053c24cffecda6ade7c2db864adbe23c55709c07f7aaf9bc8b36c13a54

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log
MD5
e8e60e0424e2bdab927438d5c0169e26

SHA1
e642f2ff891aa360b8d32488b459db0f8f0817d4

SHA256
dd52579d63c1fbe5d5ef4e9cde7be2e197ca4b62d59bb08c3c85247c4ab58320

SHA512
cc3c336640d7f44044d70ef681440d19f0319878f2900bfeaa05e8b0467412ba534dca0c5f18f4664e86ebe277742da2158415a4b7528483c8a95a8e7f27e3ba

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini
MD5
307233cbb47bbb13c281ca82c14d74f6

SHA1
a4bf44972d8893b18dbd10dde6a327fadcff8e5e

SHA256
105f94712fe5db93e064749a2683c407264e01c066ddc6f2dbe5f5219bd4b4c6

SHA512
756d9f3b75b9da0659be8aec33666484d784ad998591014b632cd8b9525af7c2ff69d4ea70c16118d8823b858757fa24774fa085e07b9d02c6b1141634ad9543

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini
MD5
ccd1a28012291dc26355d41c6246f8b2

SHA1
5ffbd01ed597be73fa3f771f0ed5400adcba2b94

SHA256
445b95a48b924ae25cadc45c047bf1a2309d54c557b7350b561590737cadae9b

SHA512
7c28f8ad46612e7ec4d56f09522cf32b28e53b79ca95039274179d1a1cd066829733c31907c79f9b42f074cff4a1b917bb24a9b4c1b765655d4e76b42d1fe576

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini
MD5
08075d12086bc1c7dd271852d932f452

SHA1
8dc78d9ca2007fd393f3927febd002c0d1847c21

SHA256
b60a2ff0fb65a5b20a24ba10a59a139a6e8c5d028d400421b8424098aa86756b

SHA512
c851b8d0a4224987bd94ac5b20ac7064c71cb7cc07e142dc8e0966647de8a794da6130746197cce69e15f37125ff0c338b40bee0bb3ca57dd258b31ce5b97d74

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini
MD5
6618759a92c7d02a62595c6623d3f191

SHA1
19bf69818d57944f0b40ff305ff3a382a89bca6a

SHA256
387d0573e4f75a399aa84ec246f1147d8c36a693dcf20094fea9b861f3a34199

SHA512
d921d7a97e29e20b77e854604bfeb356f2b10ea549bbe5b36c67c5803e311272b078a622420ebda3f27435f474e266ddda9513a9d614b94e6d37ff3c1ff36c42

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini
MD5
b06db4482dd501f2299fb63322a31745

SHA1
b1443e5d648a2f082126fee6fa94e45487ec08c0

SHA256
a96741548c53147efe4dfc097857083f7dc3c808d6a8ef446d6bc33a1c2b39bc

SHA512
313be610a787a844b2ea53b37668fe9cf73f86782c6999d41baffb8031c3a9ab4c90844ed8aee980fe1b263c5cb85b6fa1e7f6c9ca6fc31da5a96538bb2c33a8

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak
MD5
18db388771de4ab132a7a44415780362

SHA1
2770f8a7c5054a2a0c1d849e8fc5484437b32500

SHA256
2c945af482e50add6dc61c6872191a840945cb38bfe88e27fa5c6e14241a55b1

SHA512
7fffc39c4b8be570e12abc0224d6b586c587496a4369e885486fa1c2ddf0fc4aac56b808dbae7f6f89f5354a3a98c0ef631fceeea9f22849d213deac00dcb378

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.htm
MD5
2d9048a5427529aac786c46a55bdb4ab

SHA1
c6f5bc9092c9a88d3f9fb814aef2d3c5fee68b7b

SHA256
24a17c45c563fd4fdeb30729e6c4338a5d0bf74941607266f0f72bcde32021dd

SHA512
51a4376d9b7a2b116c16fc6f3a78e893e968f5b915323e52df692f215fb323332e4b8c39723bbc4d12d0f0de5470ec4722b925e32792a3863effa19127b4253c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.jpg
MD5
b03560ac666be2af93c2c551a64b7ff9

SHA1
f14518b8420b399be9bbf0bdce9b5c650a8de5e0

SHA256
368e26fdc87e0e5fb3812e60668d75998f49dd529727b928334a8358e3864260

SHA512
4c398aa27ba4178d712ccf8eeab4a9d45eef73af4cae6a03e8a09ba91e0416e533ff9c47d1c869086265caaa08fc4700a36ab0fbb57dc41abc856bde756574ba

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Graph.emf
MD5
2a127cb96b64d46ec99d5cb30fbd0256

SHA1
cbbbf50020cbbe530aaaec0211e8f0541c4c70c6

SHA256
e6f63edf578fe7937a7fd4868eac87a9797b5b8c45e02360d03d07b12deaed0d

SHA512
5ae348bc4e570844374a65fd0eb3fc7154f57f9801018af2e98503d2d87c516bedb6cb9ab417f2c864e7758e2706ccdce85e3ba08b4af06bf41068f5c438f9ac

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Memo.emf
MD5
60ce71e8e51ae3e05b2aea188223b279

SHA1
20ab5119a5323d4b785cf5dcc88534099de8acf5

SHA256
c9c341524e22c099b8ae9e9b6f04b59d4ffc509687be77b996ef1d6beee4df41

SHA512
eb9482abbc0abf5b544940eab4c58db7b883fe6f4a68bfd18e6efdbb1ab8ea94f24c03197dc4f74bfa9d5486ad806e0ff561fb9a6690a01d6adcd0c08a530611

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Monet.jpg
MD5
24f598d26a5007118270fc10b25abe34

SHA1
be0b2e6cce4525a2c578e4ae10034faafeefe39c

SHA256
52680f7271b982a27e21d8541349880f1b435aff597d39d6d4eac8973914f52c

SHA512
2074261507efc9ec4c8c30e8a5c13ef86ab4dd990fe7cc39fd19855de9a8cd606202410bdcedfcfca840bf895c7b2f7928b12dc7141de5ac992a7a9a37d08f35

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Music.emf
MD5
91fc2af5dd020b806dfc92f51318fcdd

SHA1
74a9e6941fbe17354481d980b08e46c3ebbd160b

SHA256
bf1704c6d3c4b2de23dd632fdbf859336083ac1c49639fedad8539668b4ef01d

SHA512
2553c47639796f82b0660dcc5df77eaec401fe1b2f0d6b3d554e97a388eec9b9d1c2ada84de4f7eeb70092c164d4979d741670a1f56e142e87e7523d7b3a85a0

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Roses.htm
MD5
8dde0442b6863e9fca49681b1712225a

SHA1
659f0ffab3635265f1bd797aee3e7979a9b0c265

SHA256
d5fe5f4e52cd0de2d6a2757c7c15c722fc2be61b36d87cba939a311327466b62

SHA512
5f2542362a429f832fc91472e0bff2371650b45c3875c93209cdf44e608bd34b33dd7a40ac6ba3dc33006397188df9728ffc7458b740aefa01a9700eeb4f8909

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Stars.htm
MD5
4d9366b024976de1fd23d19cf4d2134a

SHA1
2b6019d396f1e5e97d3e6e1b522f3c6aec9339b1

SHA256
ed9cae9819817a973f8443e6d221a18b173c3161d34aba74bc193c7106d2231c

SHA512
cb66abd5382d9d79cb80ad2dcae0dca737132bf42bed4219f647e99b7282540808c8b27f5dc61a3e25b3aaaf325a75170032e6afc9760fb4af02d89851a13166

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Stars.jpg
MD5
1fae4126a23c25a378394deb84719da9

SHA1
b40b5b7071805ff4d2c11a55d9d3fda71a60ccba

SHA256
a4243d97c8eec8c6645733139ef072605ac0fc0069f7ee4b8f1a580521787224

SHA512
9eb887798afb07b941e7b1a6393263b5f0ca9b34059c7ae349e8b6903416fd9de4e841e296a3b54668eaa3f33e5bb3379aef696d706562c8ebcf490b221b1bbf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Tiki.gif
MD5
9609f3d727a76bdd16c98a34d2bf9e96

SHA1
aac42cd62fa5aefac72261d3c45eb79294be4d62

SHA256
c0d9cf61d307cbe91eb3fbd26d2d95627cd0d4c2c39d7ae38707847d5ef2203c

SHA512
8a8cc1f864e3d6d141e0286e278afcd72efefd7c5c26310a2bcb59e58c0781784021cacd59425ac7bad37908ee7d074845118db110ffe9b08e86328fe5466f36

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\WindowsMail.pat
MD5
9c97b715e01138dc7b45fde27f82926f

SHA1
a6d29949b6fc38043594953fb1f1c48c76b32153

SHA256
0db35c10d23045c8701488f7bc3b8b16d8a3d1634322b6f7c2cc8845c971b0d7

SHA512
0ecbf1c8aec9622c596c303e9c977ed7b7b720d7b78f3722759c0c024db7b2266fa5ba55084dfa78ac05e2312122a71f93c87a6d32d85a3feed72165c21f2f16

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\oeold.xml
MD5
8acbddd1fce78800d627ff783464875e

SHA1
849f4e3fcfe9eaee41a7ffe1d4f0eaf91d03fd3f

SHA256
5720479b4021f9e89c0a263c2176514c6c911b1d7f5237b74875d12b9de41365

SHA512
9eb22d1e3713ed6f277b9f72610eb026d9307d6ddb73a18661898beee5b88e1f7e19a6a7c64487ee2d9a34eb134e91462de3aacdfc1a4bff23f87b1f9778fab8

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
memory/1228-55-0x000000013FAF0000-0x000000013FE85000-memory.dmp

Filesize
3.6MB

Download
memory/1228-58-0x000000013FAF0000-0x000000013FE85000-memory.dmp

Filesize
3.6MB

Download
memory/1324-56-0x000007FEFB791000-0x000007FEFB793000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads