ryuk | 535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed

Analysis

max time kernel
169s
max time network
146s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
Size

206KB
MD5

3f4ab625f691c1f68d23c9c59af56d50
SHA1

62a7d68740a3064948805f31137befa0d57207f7
SHA256

535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed
SHA512

ead89be0dd5d2b8417b5c375f1ed71ceb53558020b8652491ede416a6bf88fc094e1714bac1b0405a9c862ad10c31eff9dd9f1f814d977af17e86eb9ade52026

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Only we have exclusive decryption software, suitable for your situation. More than a year ago, world experts recognized the impossibility of such encryption deciphering by any means except the original decoder. No decryption software is available in the public. Antivirus companies, researchers, IT specialists, and any other persons cannot help you to decipher the data. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM � files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us a [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops desktop.ini file(s) 64 IoCs

Processes:

taskhost.exe535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Music\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\SendTo\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
File opened for modification	C:\Documents and Settings\Admin\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Links\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Contacts\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Downloads\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Recent\desktop.ini	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Maintenance\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Searches\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Contacts\desktop.ini	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
File opened for modification	C:\Documents and Settings\Admin\Desktop\desktop.ini	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\desktop.ini	taskhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exetaskhost.exe

pid	process
792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
1120	taskhost.exe
792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
1120	taskhost.exe
792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
1120	taskhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exetaskhost.exe

description	pid	process
Token: SeDebugPrivilege	792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
Token: SeBackupPrivilege	792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
Token: SeBackupPrivilege	1120	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exenet.exenet.exenet.exenet.exenet.exetaskhost.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 792 wrote to memory of 1120	792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe	taskhost.exe
PID 792 wrote to memory of 660	792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe	net.exe
PID 792 wrote to memory of 660	792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe	net.exe
PID 792 wrote to memory of 660	792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe	net.exe
PID 660 wrote to memory of 872	660	net.exe	net1.exe
PID 660 wrote to memory of 872	660	net.exe	net1.exe
PID 660 wrote to memory of 872	660	net.exe	net1.exe
PID 792 wrote to memory of 272	792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe	net.exe
PID 792 wrote to memory of 272	792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe	net.exe
PID 792 wrote to memory of 272	792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe	net.exe
PID 792 wrote to memory of 1488	792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe	net.exe
PID 792 wrote to memory of 1488	792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe	net.exe
PID 792 wrote to memory of 1488	792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe	net.exe
PID 792 wrote to memory of 1180	792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe	Dwm.exe
PID 1488 wrote to memory of 1560	1488	net.exe	net1.exe
PID 1488 wrote to memory of 1560	1488	net.exe	net1.exe
PID 1488 wrote to memory of 1560	1488	net.exe	net1.exe
PID 272 wrote to memory of 1324	272	net.exe	net1.exe
PID 272 wrote to memory of 1324	272	net.exe	net1.exe
PID 272 wrote to memory of 1324	272	net.exe	net1.exe
PID 792 wrote to memory of 1072	792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe	net.exe
PID 792 wrote to memory of 1072	792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe	net.exe
PID 792 wrote to memory of 1072	792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe	net.exe
PID 1072 wrote to memory of 1564	1072	net.exe	net1.exe
PID 1072 wrote to memory of 1564	1072	net.exe	net1.exe
PID 1072 wrote to memory of 1564	1072	net.exe	net1.exe
PID 792 wrote to memory of 616	792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe	net.exe
PID 792 wrote to memory of 616	792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe	net.exe
PID 792 wrote to memory of 616	792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe	net.exe
PID 616 wrote to memory of 1500	616	net.exe	net1.exe
PID 616 wrote to memory of 1500	616	net.exe	net1.exe
PID 616 wrote to memory of 1500	616	net.exe	net1.exe
PID 1120 wrote to memory of 2380	1120	taskhost.exe	net.exe
PID 1120 wrote to memory of 2380	1120	taskhost.exe	net.exe
PID 1120 wrote to memory of 2380	1120	taskhost.exe	net.exe
PID 2380 wrote to memory of 2672	2380	net.exe	net1.exe
PID 2380 wrote to memory of 2672	2380	net.exe	net1.exe
PID 2380 wrote to memory of 2672	2380	net.exe	net1.exe
PID 792 wrote to memory of 16952	792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe	net.exe
PID 792 wrote to memory of 16952	792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe	net.exe
PID 792 wrote to memory of 16952	792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe	net.exe
PID 16952 wrote to memory of 17028	16952	net.exe	net1.exe
PID 16952 wrote to memory of 17028	16952	net.exe	net1.exe
PID 16952 wrote to memory of 17028	16952	net.exe	net1.exe
PID 792 wrote to memory of 32888	792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe	net.exe
PID 792 wrote to memory of 32888	792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe	net.exe
PID 792 wrote to memory of 32888	792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe	net.exe
PID 32888 wrote to memory of 32912	32888	net.exe	net1.exe
PID 32888 wrote to memory of 32912	32888	net.exe	net1.exe
PID 32888 wrote to memory of 32912	32888	net.exe	net1.exe
PID 1120 wrote to memory of 32924	1120	taskhost.exe	net.exe
PID 1120 wrote to memory of 32924	1120	taskhost.exe	net.exe
PID 1120 wrote to memory of 32924	1120	taskhost.exe	net.exe
PID 32924 wrote to memory of 32948	32924	net.exe	net1.exe
PID 32924 wrote to memory of 32948	32924	net.exe	net1.exe
PID 32924 wrote to memory of 32948	32924	net.exe	net1.exe
PID 792 wrote to memory of 34572	792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe	net.exe
PID 792 wrote to memory of 34572	792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe	net.exe
PID 792 wrote to memory of 34572	792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe	net.exe
PID 34572 wrote to memory of 34596	34572	net.exe	net1.exe
PID 34572 wrote to memory of 34596	34572	net.exe	net1.exe
PID 34572 wrote to memory of 34596	34572	net.exe	net1.exe
PID 792 wrote to memory of 34616	792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe	net.exe
PID 792 wrote to memory of 34616	792	535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe	net.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2672

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:32924

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:32948

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:34624

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:34664

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Users\Admin\AppData\Local\Temp\535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe
"C:\Users\Admin\AppData\Local\Temp\535cf4aae10b9beaae1893779cce05cfbd7767a854fa78401e1d9d46e8c212ed.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:872

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:272

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1324

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1560

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1564

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1500

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:16952

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:17028

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:32888

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:32912

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:34572

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:34596

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:34616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:34672

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:1804

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK
MD5
2944aa7729ced33b91c78615c18fd7d5

SHA1
37a7a4212a4183d5129e8d13a4ae82bb959e5b96

SHA256
88a28ac2729cdd03d93e542969270be88fbeb523166834226f8f52ffcde46aa3

SHA512
ce3d8fee5e476ac1019599ef760e63b53b5817a7c29546609ff44e1d1a8e7c1926f6eee9891da309735c2351ac6182ffb1d9151acc19e9fa7bd17b1c8b2dd292

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache10.lst.RYK
MD5
4167797fcac4556ee924cb1e3cdb1738

SHA1
d123316a9e875f02576908405262716fe8231839

SHA256
077eac2743db5469ed47133780bde6b5f581158949e5488454866715c93342eb

SHA512
1a6e192a59c89b4b170ecfd43f3c457aba48642f78b8c8f4dc3ff8653df9316fe8850af12affd859817425764b07876af94a1910137c0c152619860b87b43802

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
MD5
0043ff8ab069588239c9704a5690aee8

SHA1
dda4f67439b11b9bd6a74cce663526fdfa81c74a

SHA256
192d0c671043806832b476eda784cb8c2ccd57a591f0077add97fdf061ee2ac7

SHA512
fcb47d529b7f51882e96e9495fc5a78bee3b1a274f33169e0fd6c125cedd68c00cfc2aa68137a2bd5e436f187029281381e8640c01eec46d33a93b0896603155

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
MD5
c49b18d88fc53f19bbfcda888fff9713

SHA1
5aeafa3393b93667ee757971fc3f80890394d194

SHA256
191f8a574e85f9d881d2a8334d7d5c89a257ce1e1454038cf4f8b4a1d19ef45f

SHA512
8e6f43c51422a8a4bfedf57868562d3566cfe82022e11afd5da8cbad0fabd7352361a1882197c51f6ba720d0d997e87ea983b8ad5c5a8e4ace38cb988e716eac

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK
MD5
dfa49f5f8a321e4486b4263b5aca1def

SHA1
f64a9474d07b46e27cce6821e136f633762c8382

SHA256
0db5aa2997dec7704ae9f05608cb9bd31303282c0d23e68b0a6649a041ddea30

SHA512
8ffba918b4d052e0e91aab31d0db7e2ec880f7697e581b6b40214c268e6370f65a731584da379ec686510c0d941f30d14ca68ea31ca14791c899ac37ff928a71

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db.RYK
MD5
522c17ffe9223b23e0222213511d855f

SHA1
175621c5a19eaae434cec3984041088a91dbe077

SHA256
6801f4111c6a2ecbbbac09343ac299df511983dcae069c6b8f54fc2c73501308

SHA512
108634a9a02800c71279cd8cad05ea9d965a5711cef28f2be9c1a22f51a9d4a7152d243f1a37fe088f1fcfcf215ace32924a78fdf4ff12f072367822a7bf2962

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00000.log
MD5
a0d75fab36415937b39771a95b0b1189

SHA1
2aec2d8273a90851ba1f2cbd944e5ff12b7f716e

SHA256
e904ce81072596ff67b3acf34d5765ecdc1ee9f5f2a78ecb40f76346df31d12f

SHA512
f31be64fff60b044d1a44319b9c33447d7ae65e6503a7c44ec323909cea0142ed81c8003b83632872283e6b8df09f01255c7bec45dd3a41378c5df637f4da0db

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00001.log
MD5
66a75313bdd5572c4494621a3b571519

SHA1
058841d4496d6441f44482f5fbcaee0207ff6b29

SHA256
eb41a3c70e1f374a64623a9988177bf94d7270366ba636f550fc7d1501814e1f

SHA512
dad95c1dbea0815720b5c3cdf0d212da42f6629a62774f5cf4ad3e9b9e6adce82e6dce8e65413ec1f82e0b9170eab0841296b6775a4cf7ff3cd81c103f1bea49

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Admin.bmp.RYK
MD5
99aa2075cd050b7dc38c8c839d87f3cd

SHA1
d26d17976ac1b1a81906a308dce935a40b6787f7

SHA256
333ce504200724f8cf0c3c4857fb99d3bb1c9762b0056f937dc246a7b7f8ba5f

SHA512
c84feedc385a806cc7eec280d73296fd96700955e3be9731b4726db9ee0af3c2adb0ceedefcbafb992edbe525d89f4000e4dee99329ee9ac6cabb999e70b847d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log.RYK
MD5
f2904760ae27f6298a19cb2d602b5ee9

SHA1
75fa928c64285877fdc16c1bd16f2daa1f33ea03

SHA256
3eb5c16706cd0d95499cb5044550619824952eb6f44a2f21f3f5ad2134c76214

SHA512
085acc79a985dadf4fb5d86c36d9e939158ab10cc7bb85ee2bce5385e93330dcb518ccee7dc8ead41481db062fce660fa32a814c319e95623a0c78eaf497db91

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGID605.tmp-tmp.RYK
MD5
a4fac72d00564c19a1810cab3c33286d

SHA1
8f46bed9bffcff921ce26ea68f42d9cbc84c0f28

SHA256
c44f222f90f6fe9dcf5e80c7166a934d51f9ddd79fe02224821a9f0466fed261

SHA512
1c09f6b75449c6ed4435ec44c754ff406d35bc0e2a6ba697550820d52f2bc954d6b60e3fe1665f4b718a5770f4fca8e1b743a6b2e71bbfbeb9c59421c06c6219

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGID605.tmp.RYK
MD5
4091aa8d94f3cf22a9f89ac27975628a

SHA1
11223ae829946ac520eafff9ffb2a3bfe4a8f359

SHA256
c17b9b36747e662a72dcf12b2940d1b711e2b1faea8c3cc7f944557452e73227

SHA512
a3ec469ddf6b2859f63a1d509986e3e33d8281b0f641ec36a08e1ef3f275f63bd8cf8f9f1fc93f0cf3cfb81dc88b6640c50ba10de3f49d9ef17ee78db0496161

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\WPDNSE\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
MD5
affddc38b44cb7810152e8aa21b092ff

SHA1
d2e1f44821ea0769b749439b6b4dc35c243a76c8

SHA256
3be58b582bd3121627b13c68465cd192911e031410dd92a015df4dd1182bb643

SHA512
861a4a3bb1104dfca46f5fbc30f9610be77c8b7c45a06580238d8dcff28e6f64f2b7cb9a2c800437a3ea633301e0c8fa37150d771d1c33a513355c0d634db6b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_SetupUtility.txt
MD5
c823d4de314683f40cafebd0ec1b39be

SHA1
068da7bdb3eb2552683a1f34fc1704e64cff34a3

SHA256
813f93b612bc6bf1fe815524a4c82800b6a38cdb67c765a9dc7e879d80ffbedb

SHA512
d03e2328a71f21d781f4780ab6ed5b2d5e3725d87d9cea77c126f57b758511618e2cb56ca5814b5e421d5de9368836e139ee28fec662ef33bb47a1bc43f89a7b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI37AD.txt
MD5
547462d477359ad54daa96c0661f9ff2

SHA1
a03bdd7203271b927cc15538f14cc69293baab51

SHA256
249e42f6939f545108b803466c7ef3930e9b4bd4befcccbf69cb30428bf88aa6

SHA512
339de189e090e221b1460d2e59c15d79acaba537c801d30126b02ec0698ff24c25fd0b722474e2f26fdbb6d9d4f56a6117146b202daa903ee707b862d659c4ff

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install.log.RYK
MD5
f2d0156bfb7fb6eaa2d9a32f4dd7670f

SHA1
d3815d7d5dee002db2ac0faf3f6e5655fbcacaac

SHA256
b48b86a72de7bcebb1c3f6660f66248e95d831452ed144f4f6bd57e38e9a0726

SHA512
245caed66036363d5f6e30d289f9bd0939ff076b51a5b766cb48fb65db5fcb75c586fa5ddb9d896f68d293786eff56908341ea20e95d3a37fcd80cebaef1e14b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install_reg.log
MD5
9f099f384b3565a615a31f9f68738693

SHA1
0551b1c3f2fb818c300e35a822a6c2a3bb7ec72c

SHA256
24e09f77dcf6f0c4f3d820ae2ffb3cec7c614ca39174537d477033349a1c60ee

SHA512
c57a8b80e25fa3aedbf7e354b6875292d4f73b10e36594cf7486377c28b1637aa2aa1888c372a3cf3c9f572a8195821f86a0c893f02548d9fe0efb2d3fbf321e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log.RYK
MD5
3d3c9071bea2f8ee4886ce0fb55a72b2

SHA1
a613e1736228d5eb2c5a9cc6a84e973330be439f

SHA256
b3e13d0bf56593127c96564b9766f5546ceb871c8e06fadd46fbf8c40d679200

SHA512
8ed7004a23fd5c9dbb33b5db4ccb1462bbe92bea5b7f945d8775d94ac48a9882ad0c490c0b57e57708f323d9e11dc392e046e6041534c37356d090aa36273997

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log.RYK
MD5
b1749dfdfe02cd9957b3ead95df5dd53

SHA1
ec35197b59946f91a5cb757e28df71c57566370f

SHA256
59a7f1f880faa7fc348b8e6cb5949aa9ae0e70a799f856a4633f7b3a266a7283

SHA512
30e4350850929db65bf0204ee7612df40e6e2d1d918d328df9acd1b0f93b2196b63c85d4925369030939f8429244d04ed24f956845c040b36bddca658cfc3ebe

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini.RYK
MD5
61d8ab935fdd4a8b0e00bd4f5410a185

SHA1
e189799fc2281ec984d2c9f8ad408f5bda5940cd

SHA256
83f321085a96c718c963d34be34c08453c131c37999bd90a8e4311b0c4215a73

SHA512
5ca49194af83f122ab321c4221dc28a9ee3fda1fe324c9966001026adaf7b74cb40ac9f3c2bb1dd2f15c075f6bb43840ad3e015570ff2a9445debd54d46dd3fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini
MD5
75a147bcfcffa37cacc0b25f92857b23

SHA1
7ed354fe6837b88867619573f2599c2d52bebdb9

SHA256
28aad42004cf836b56b113518d6fc6ef8d00f630960d251a5aa8f9bccdac58e6

SHA512
c2ae4ed62d69c89d980338b65c6d0d56fd26242716f42a8e033f5d4d922d67b618b3b70471046a0122b11a7351822548ca4f9cd2a7e369790c34f975cb97d595

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini
MD5
8e5fb8aefa7529bc0f8b6dc02b42d3fe

SHA1
9eec0dc93d9ba900d23359f45c98d9469716a345

SHA256
36fe5e111cf5684f0ab206307447e2d2b97a871a8a149ed5e4e7fb62d5a81c62

SHA512
530a7a55b13108232ef55011ba8d6335099c725d73d8a85c091f01700fd3016da41ad549abbc79dbdc1de2cade1c10f7277d914990882fd94cce0a6b96f978ff

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini
MD5
3f4355b73f8a58f81af0c1dab1e52b47

SHA1
ad300dea3c6f7e7930811ba9eca0fcee72467839

SHA256
4215e12b4d2afad518271fe2b6e21e571c0dc666a952c1eeef393123eff49fc0

SHA512
30825c50bce72ea2ba4726fa20577692fe0962509bd35a7fd4e384eea21f9248e0051222579e36ee21b47d723df883d2dac2eeac06575a7c9c34ceff9edf2cde

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini
MD5
9151023b83f992197fc6c3d9b92457a5

SHA1
8b8fb868bb7eb8e8f2a1e0e0bdb81817f30cfd43

SHA256
4af90fd52245ccefe6e6003a29550a1de26a4b67790725d429497164a1b1a652

SHA512
d5469a9fb4593bc889954d7a777ec04659f4ba5005c4325f085a903d3123e21210019929d84aa7b93fc877b4d06f5b39c706e90e45cb4f89b73cfb6d9ec6044e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini.RYK
MD5
9bd67227adbed128fb4d0492b3f52ff3

SHA1
ad89d9ecbdf49da08129ff8a80e1f2dc41a910d6

SHA256
2f2d9c322d9d0841fbb21894d4f51e6948aab2e6234d1e42c9452aba735a39dc

SHA512
f666bcf8fe20c234c463a584f5284c15affcdad292c98ca10d6812e399c85619afd39e5cc329023447916396d003ee30adbc33226db0741a0ce77632892b7d0d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK
MD5
9a9cbfcf3e9da7be56eeae921dce4a67

SHA1
c91d91d26e3882c2eeada8257c604a2a58214eb7

SHA256
17e6a91ed71b3f352ec5c6ab606ef6d92a68c1cdfbbc8ea1ea03160415b177d5

SHA512
88e1d3519576d97b88bd85bda7321c5c2bda5aab70d4badd542e393f887ab51340a26d9db658ebb52f9b8d56edbcef31d53398d89bf6954dd861123a39a4cec3

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak.RYK
MD5
9ea265104bcc72ff7000dea44ce0648e

SHA1
72f739b32fe2155599e718a64283c9f269160d0a

SHA256
9614039004ba1e245622b7cca498757d38b475d25c4b89f5962d040fa9b0c22d

SHA512
ec9fe1b784c6a6cbb5f9ad99a474317c489cead51903d2e5310c2b0123cb8a2babb444e929f019dd6b8c4393307abed729e94ec4ed1b1252dc8c16e3de854bc7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt.RYK
MD5
785344d8269984a27b02c9ad42d3ad2f

SHA1
13fd00e036dd3f54ed8fe113e70158df23c8b688

SHA256
8b2f751b728cd3d38b2087915243479f1cae94772eb4b1ff5238d5e497aea35c

SHA512
979c57be5a72510000ea3568da251b2b48f6158df94547d22c68c45f5488cfef03c7b21a1145884b12a36d889d9853bc34c3fd5b57af3976a15d4da19ac96d0c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\User\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\oeold.xml
MD5
afb8691473ac2fd53e8be7b77eee3bdf

SHA1
d4275ec4df6d8d720a6d3c45ec97e80237b3576b

SHA256
b972739c4696d0e0d9b6a58b4cfd3f8c548ccad31236346a2eb7998338fbfa08

SHA512
2011b37594c2e9d0b65a59ca802ab4a0153e7409f208c0c4a644d48616ae1c4ea6c10f6b630e870fc025a9b00ba4684aa912b7ae1674382d34e9c8e9eb66a0f7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\Documents and Settings\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.txt
MD5
f10682cc496202a6480e1bad373b3d86

SHA1
ea7166a2103820f908fa213e1bf68e9f44cf6ff7

SHA256
8912eed2c0c77e18cbef9ecd26686b6d9e14560aac0503d44549a37d75c3c284

SHA512
45621d7ba4ac4c3c86a4c97f47af7c2907c25eda1c0fd63985e00145397a6e181bdf72437f524b93daa2538532dd922f354cf9d036665ff87ae7a31fefc739b2

Download Submit
memory/792-55-0x000007FEFBAD1000-0x000007FEFBAD3000-memory.dmp

Filesize
8KB

Download
memory/1120-54-0x000000013F0A0000-0x000000013F437000-memory.dmp

Filesize
3.6MB

Download
memory/1120-56-0x000000013F0A0000-0x000000013F437000-memory.dmp

Filesize
3.6MB

Download
memory/1180-58-0x000000013F0A0000-0x000000013F437000-memory.dmp

Filesize
3.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads