ryuk | eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c

Analysis

max time kernel
151s
max time network
44s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
25-07-2022 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
Size

198KB
MD5

721204e947131cf3c04e506c4ec9dbf2
SHA1

e2e53a822b0731abfd9f8c503e70d62573f7aced
SHA256

eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c
SHA512

5305069b9ba53fdb89487ac4b6f062bbd10f83300e8fd4562a18f140bc11055e960013550055b4e58148339596cc8d849b709e3c0b0ddc830e85d8f3d2405405

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 1 IoCs

pid	Process
892	OkbMPNN.exe

Loads dropped DLL 2 IoCs

pid	Process
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\cursors.properties	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Rome.RYK	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_dot.png	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ja_5.5.0.165303.jar	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services_1.1.0.v20140328-1925.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_ja_4.4.0.v20140623020002.jar	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\RyukReadMe.html	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187883.WMF	taskhost.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Macau	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\skin.catalog	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STC.RYK	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Filters.xml	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mauritius	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_ja_4.4.0.v20140623020002.jar	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Rio_Branco	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\2.png	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382957.JPG	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Monaco	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0149481.WMF	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\RyukReadMe.html	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-9	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239973.WMF	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt_0.12.100.v20140530-1436.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-fallback.xml	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RyukReadMe.html	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00212_.WMF	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\RyukReadMe.html	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01066_.WMF	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Elemental.xml	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\PREVIEW.GIF	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187883.WMF	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrfrash.dat	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287643.JPG	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\RyukReadMe.html	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\slideShow.js	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0294991.WMF	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha2.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_zh_4.4.0.v20140623020002.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_win7.css.RYK	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\timeZones.js	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.zh_CN_5.5.0.165303.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sendopts.xml.RYK	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Hermosillo.RYK	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\THMBNAIL.PNG.RYK	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00334_.WMF	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21296_.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21313_.GIF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_ja_4.4.0.v20140623020002.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Menominee	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\RyukReadMe.html	taskhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
892	OkbMPNN.exe
1104	taskhost.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
892	OkbMPNN.exe
892	OkbMPNN.exe
892	OkbMPNN.exe
892	OkbMPNN.exe
892	OkbMPNN.exe
892	OkbMPNN.exe
892	OkbMPNN.exe
892	OkbMPNN.exe
892	OkbMPNN.exe
892	OkbMPNN.exe
892	OkbMPNN.exe
892	OkbMPNN.exe
892	OkbMPNN.exe
892	OkbMPNN.exe
892	OkbMPNN.exe
892	OkbMPNN.exe
892	OkbMPNN.exe
892	OkbMPNN.exe
892	OkbMPNN.exe
892	OkbMPNN.exe
892	OkbMPNN.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
Token: SeBackupPrivilege	892	OkbMPNN.exe
Token: SeBackupPrivilege	1104	taskhost.exe
Token: SeBackupPrivilege	1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 892	1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	28
PID 1348 wrote to memory of 892	1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	28
PID 1348 wrote to memory of 892	1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	28
PID 1348 wrote to memory of 1280	1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	29
PID 1348 wrote to memory of 1280	1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	29
PID 1348 wrote to memory of 1280	1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	29
PID 1348 wrote to memory of 1104	1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	18
PID 1280 wrote to memory of 1228	1280	net.exe	31
PID 1280 wrote to memory of 1228	1280	net.exe	31
PID 1280 wrote to memory of 1228	1280	net.exe	31
PID 1348 wrote to memory of 1908	1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	32
PID 1348 wrote to memory of 1908	1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	32
PID 1348 wrote to memory of 1908	1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	32
PID 1908 wrote to memory of 1756	1908	net.exe	34
PID 1908 wrote to memory of 1756	1908	net.exe	34
PID 1908 wrote to memory of 1756	1908	net.exe	34
PID 1348 wrote to memory of 1164	1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	17
PID 892 wrote to memory of 2012	892	OkbMPNN.exe	35
PID 892 wrote to memory of 2012	892	OkbMPNN.exe	35
PID 892 wrote to memory of 2012	892	OkbMPNN.exe	35
PID 2012 wrote to memory of 1504	2012	net.exe	37
PID 2012 wrote to memory of 1504	2012	net.exe	37
PID 2012 wrote to memory of 1504	2012	net.exe	37
PID 892 wrote to memory of 1556	892	OkbMPNN.exe	38
PID 892 wrote to memory of 1556	892	OkbMPNN.exe	38
PID 892 wrote to memory of 1556	892	OkbMPNN.exe	38
PID 1556 wrote to memory of 1484	1556	net.exe	40
PID 1556 wrote to memory of 1484	1556	net.exe	40
PID 1556 wrote to memory of 1484	1556	net.exe	40
PID 1348 wrote to memory of 892	1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	28
PID 1104 wrote to memory of 1536	1104	taskhost.exe	42
PID 1104 wrote to memory of 1536	1104	taskhost.exe	42
PID 1104 wrote to memory of 1536	1104	taskhost.exe	42
PID 1536 wrote to memory of 1544	1536	net.exe	43
PID 1536 wrote to memory of 1544	1536	net.exe	43
PID 1536 wrote to memory of 1544	1536	net.exe	43
PID 1348 wrote to memory of 11728	1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	44
PID 1348 wrote to memory of 11728	1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	44
PID 1348 wrote to memory of 11728	1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	44
PID 11728 wrote to memory of 11756	11728	net.exe	46
PID 11728 wrote to memory of 11756	11728	net.exe	46
PID 11728 wrote to memory of 11756	11728	net.exe	46
PID 1348 wrote to memory of 279336	1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	49
PID 1348 wrote to memory of 279336	1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	49
PID 1348 wrote to memory of 279336	1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	49
PID 1104 wrote to memory of 279348	1104	taskhost.exe	48
PID 1104 wrote to memory of 279348	1104	taskhost.exe	48
PID 1104 wrote to memory of 279348	1104	taskhost.exe	48
PID 279348 wrote to memory of 288628	279348	net.exe	52
PID 279348 wrote to memory of 288628	279348	net.exe	52
PID 279348 wrote to memory of 288628	279348	net.exe	52
PID 279336 wrote to memory of 288620	279336	net.exe	53
PID 279336 wrote to memory of 288620	279336	net.exe	53
PID 279336 wrote to memory of 288620	279336	net.exe	53
PID 892 wrote to memory of 325692	892	OkbMPNN.exe	54
PID 892 wrote to memory of 325692	892	OkbMPNN.exe	54
PID 892 wrote to memory of 325692	892	OkbMPNN.exe	54
PID 325692 wrote to memory of 326900	325692	net.exe	56
PID 325692 wrote to memory of 326900	325692	net.exe	56
PID 325692 wrote to memory of 326900	325692	net.exe	56
PID 1348 wrote to memory of 369240	1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	57
PID 1348 wrote to memory of 369240	1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	57
PID 1348 wrote to memory of 369240	1348	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	57
PID 369240 wrote to memory of 369564	369240	net.exe	59

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1544
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:279348
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:288628

C:\Users\Admin\AppData\Local\Temp\eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
"C:\Users\Admin\AppData\Local\Temp\eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Users\Admin\AppData\Local\Temp\OkbMPNN.exe
  "C:\Users\Admin\AppData\Local\Temp\OkbMPNN.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:1504
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:1484
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:325692
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:326900
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1228
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1756
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:11728
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:11756
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:279336
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:288620
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:369240
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:369564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK

Filesize
8KB

MD5
54950ec11658ce5e21cc08c34461fe4e

SHA1
c6b6897b7eb9289aca1f884664adc98614994d67

SHA256
a68ff93dd2e0d8b23481ebecc07eac33e5588ca7cf02e650b2c7b48218ec6722

SHA512
62097927f9ce47fd1a55266e3e144337225f6e3cb80e5f9fa29ed798c943e24512c7ba01bcefa491c4d4ee29897949f10840029300379f8436a4d2d3d364dbdb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache10.lst.RYK

Filesize
2KB

MD5
5c5e176d3b6b0a72a31ac4e27c32a042

SHA1
cf4dd8e996018eee4fd3c3965e958822497687c8

SHA256
f04e0030262b14949ad5ffc8c3345e4a6819037e91c3a37387b8b5e92d6406e1

SHA512
47caf9c52ed8ff4c933f12e842b8a8f43932fc114be94b21d68f7c91825836fc76f2cab428cfc8828f3f7f3b1aa70c2f9a59a010fd0de23a385e328ea0e0462d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

Filesize
2KB

MD5
a0d525988b33781dad6cea2abbe4ab2f

SHA1
421c12e7bd198d2cbba520d73dbc020c21460d2c

SHA256
6f542e313f544cf8290060a45f9c1e296224e6d9e16e498f596d3b6e8838196e

SHA512
432918e617945287bdcbab1fb218a8c634e4257e85d9ffa4feb0fb848641a59843fdcf0d0a58eba8d79357e6f64df3f3e6bfc93534b62a645f9bae11de5474c8

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

Filesize
64KB

MD5
3909f0ba78a8f504ece4631830448888

SHA1
070fb9f4331020677a5df08806e03bfd95f8d758

SHA256
17fecc53769b26fa6de3c70f5e83828a0ce487e3c37c9059229e86f0e0890c56

SHA512
712d7c6197a3ad38ab1073f72a6e34a5d6ae10dff69b60357028c79eb3cadc66c704ffe9e421900e05e1eaed6bc2e27cc871767ca3efc4a622e584b642d8990d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Admin.bmp.RYK

Filesize
48KB

MD5
6432bfe8a45d069e48865de00d9f84c5

SHA1
cd43373f7a71b1ddb2e957504e697fd35760e467

SHA256
d1520f0ae8b9d305cf287a112c9219014afd4354a66e03f54d37422d71c60cea

SHA512
b3bfe30aa80a339a3d3c173c75a76f1b53ebd6be0368ccdad84e204795a0b6571f0ed7a0442b07781f36b75642929aef47190229de08ba73062e46539b479fc8

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log.RYK

Filesize
5KB

MD5
77766d5b2f6f8a0b6076205e04f8db41

SHA1
612bf17ee04e687a12d000b0885d73c3aa01bdb9

SHA256
b0525c1497dfb09438f30ce6e3200da53b50ac496908ec6f2320c56cb4a5e447

SHA512
960b8604796f84632a0633cb002a0d302de36cfc4ff42ce75b778dca1f1e20a4f07057834463c5b6392b919532b55c1421d0d3af27ed917890d94090ef071146

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGI167E.tmp-tmp.RYK

Filesize
9KB

MD5
b1945ab6cf6ba57ec1c54e42219fa272

SHA1
d7ca18faceaa796ea7e88c788d69e5f912923bd0

SHA256
9e8a99b3dc1461c958113ac285f2bbcd2fda5128dc32659182fa63b7c60738a6

SHA512
2118285d70772c138e816cf9e28e0f0a9c33e490d9d942970daaaf674eeda115586f1248d8df756bc0f58d427b6c74b575ae649c0f58a0cded3d9d287c4a193e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGI167E.tmp.RYK

Filesize
10KB

MD5
bbddea8a506552e70fbdd8a9dd911625

SHA1
7228edb506307c8f475c06be03219d8f2e028aed

SHA256
4c455a65e3f2123e71896599751b20c3592324d7dd211cd7e5bd23f7a255f5f4

SHA512
d330b541994ecfdc8623344afbc6cd67585a0502f6028825ef8a89c5e8e75a2d905f34ec027492149c5b0b287b27411c54a4bd11ea939824aaaf2b0df7411510

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install.log.RYK

Filesize
170KB

MD5
208b7d0462e1ecdb063e2e48abc6bbe8

SHA1
424719e9632c81ea61800127afd7d09b4c5a86f5

SHA256
ee034eb25b6b12c2e46b0d39012bf8a620d6f51cf239479810883db3e0d9574d

SHA512
565007670e32632a8d49ff51b1d5fe48194991dfeab41dcb529354bb504f6552b45ad895dfe163ad0eb0507efadc02f5a4a54859ee04a125a4ee708515a5e0fe

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log.RYK

Filesize
626B

MD5
3988a400e10393c851855e68e060cc3c

SHA1
eb8dd794930241aefd1f9f0674b790f98e2da09d

SHA256
e3811e693e05c9b087c67c6af82655b28d07a4054d0a8219f28a59d6b4378a1c

SHA512
d32911b117f6506076d17d1bf81adf6150a818b5199c3d997241252b32044f5fef4b09424f62ab314b343b91cfe4b13f1067051fc9babbad81faf817624e5b7c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db.RYK

Filesize
763KB

MD5
e71fcbcf3e0aaae3bac69757e9f02463

SHA1
2eb3c1921d6181d4b9b33ea92be713f3080b98f3

SHA256
41b1b7f4349cbbabce39d2b340a48e13259fd907cbed2862b5ad3e8fa8665922

SHA512
9fee92ead5267138a6f25daccf33e94d44efbcd6985fa1780a099c64606d10f6837e04715d196718474b810cccd617367f3c2b492ba927db32027858e87bbbf8

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak.RYK

Filesize
12KB

MD5
31571e879f5c97a7f6fe37fa6c9e008b

SHA1
da41815a5ef0ac7afd92c78ad6bd32dc7ad1b57d

SHA256
423bb4c4f61572820c8f1e5137cf83d12b9416466eef6278d68aead8cdae8f9a

SHA512
874f55f6a6ca153dbeec0ac00abb6bccc24a3f116251b5900a81ece0a1d6cfee0b086e73a062aa560ec60efb65d7a677974af6562af3969de90e1f0f6e3a2951

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt.RYK

Filesize
6KB

MD5
2d92f07ea9de4ddd2be0ed3bd264dfb4

SHA1
0427ba5e7a45d0c4863490f046e1b1873e8cf72a

SHA256
ecb7d86d97f4cb499a51b1b55a5584f587fb78b60272dde3010158b7a008593d

SHA512
7eb033379afe4210e6a27208060c631c5768d8a79fb2ac348d0d5442ffc66db3f7cfb8d34dbb8d170fb457926bdd8f51f64987f4a89491f819be441a331fbd6a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Media\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\3875841517\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\WPDNSE\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\hsperfdata_Admin\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\mozilla-temp-files\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\4DYKT2P1\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\4SXR972F\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\5BFT8L24\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\Feeds for United States~\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\Microsoft Feeds~\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Documents and Settings\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_327f7753-eed3-43ec-871a-c7bcf65868ec

Filesize
52B

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkbMPNN.exe

Filesize
198KB

MD5
721204e947131cf3c04e506c4ec9dbf2

SHA1
e2e53a822b0731abfd9f8c503e70d62573f7aced

SHA256
eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c

SHA512
5305069b9ba53fdb89487ac4b6f062bbd10f83300e8fd4562a18f140bc11055e960013550055b4e58148339596cc8d849b709e3c0b0ddc830e85d8f3d2405405

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Filesize
627B

MD5
f6b56504973a7b54c93406b0ecdf150b

SHA1
6766e5fa9f06671ff0d415247605a83866bc85e8

SHA256
c55f9b0afadeaeab6bf1cd275015ed45b25affa61d61c10d56619ea437570bdb

SHA512
9798ffa1ee1973b2b84ef5c77cb86275b70496256c2edcd62ad2ec8a6ee7d8df41f3767ff710c654ce05091eb75222ebf79a867d374abe17aadf5a410043196c

Download Submit
\Users\Admin\AppData\Local\Temp\OkbMPNN.exe

Filesize
198KB

MD5
721204e947131cf3c04e506c4ec9dbf2

SHA1
e2e53a822b0731abfd9f8c503e70d62573f7aced

SHA256
eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c

SHA512
5305069b9ba53fdb89487ac4b6f062bbd10f83300e8fd4562a18f140bc11055e960013550055b4e58148339596cc8d849b709e3c0b0ddc830e85d8f3d2405405

Download Submit
\Users\Admin\AppData\Local\Temp\OkbMPNN.exe

Filesize
198KB

MD5
721204e947131cf3c04e506c4ec9dbf2

SHA1
e2e53a822b0731abfd9f8c503e70d62573f7aced

SHA256
eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c

SHA512
5305069b9ba53fdb89487ac4b6f062bbd10f83300e8fd4562a18f140bc11055e960013550055b4e58148339596cc8d849b709e3c0b0ddc830e85d8f3d2405405

Download Submit
memory/1104-63-0x000000013FDB0000-0x0000000140089000-memory.dmp

Filesize
2.8MB

Download
memory/1104-140-0x000000013FDB0000-0x0000000140089000-memory.dmp

Filesize
2.8MB

Download
memory/1104-59-0x000000013FDB0000-0x0000000140089000-memory.dmp

Filesize
2.8MB

Download
memory/1348-54-0x000007FEFBDA1000-0x000007FEFBDA3000-memory.dmp

Filesize
8KB

Download