Analysis
max time kernel: 122s
max time network: 171s
platform: windows10_x64
resource: win10v20210408
submitted: 26-07-2021 12:59

Static task: static1

Behavioral task: behavioral1
Sample: 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
Resource: win7v20210408

Behavioral task: behavioral2
Sample: 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
Resource: win10v20210408
General
Target: 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
Size: 132KB
MD5: ab3681a8456319f1330f7525ec6935c3
SHA1: 244e178e2073247893025bd51eb7618173bbac29
SHA256: 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb
SHA512: 63e795ba9d18e5de28ed390810d3d61f97d7db4e8e5f49d57d567331697a83447a4d169386b7b3b08fb76f02683aa9f9c273d4ea52ee1517370554c8e6f4d42d
Malware Config
Extracted from: C:\$Recycle.Bin\RyukReadMe.html
Family: ryuk
Email: orfhissipmay1970@protonmail.com
Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 6180 created 2324 | 6180 | WerFault.exe | svchost.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit 1 TTPs 6 IoCs
Processes:
pid | process
1840 | bcdedit.exe
3556 | bcdedit.exe
4832 | bcdedit.exe
4904 | bcdedit.exe
6400 | bcdedit.exe
6448 | bcdedit.exe
Executes dropped EXE 2 IoCs
Processes:
pid | process
3048 | WVeYOuPhBlan.exe
4060 | NVEVsJxmblan.exe
Modifies Installed Components in the registry 2 TTPs

Modifies file permissions 1 TTPs 6 IoCs
Processes:
pid | process
620 | icacls.exe
3984 | icacls.exe
2332 | icacls.exe
64 | icacls.exe
1540 | icacls.exe
3704 | icacls.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\EV = "\ufffe\ufffeC:\\Users\\Admin\\AppData\\Local\\Temp\\1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe" | reg.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\D: | explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 2 IoCs
Processes:
pid | pid_target | process | target process
5252 | 3708 | WerFault.exe | DllHost.exe
6180 | 2324 | WerFault.exe | svchost.exe
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID | explorer.exe
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | SearchUI.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | SearchUI.exe
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
740 | vssadmin.exe
4744 | vssadmin.exe
6388 | vssadmin.exe
Modifies registry class 16 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | SearchUI.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | SearchUI.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132623575947209929" | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = (binary data omitted) | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\WasEverActivated = "1" | sihost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Cortana_cw5n1h2txyewy\WasEverActivated = "1" | sihost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | SearchUI.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify | explorer.exe
Runs net.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs
Processes:
pid | process
1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
5252 | WerFault.exe
5252 | WerFault.exe
5252 | WerFault.exe
5252 | WerFault.exe
5252 | WerFault.exe
5252 | WerFault.exe
5252 | WerFault.exe
5252 | WerFault.exe
5252 | WerFault.exe
5252 | WerFault.exe
5252 | WerFault.exe
5252 | WerFault.exe
5252 | WerFault.exe
5252 | WerFault.exe
6180 | WerFault.exe
6180 | WerFault.exe
6180 | WerFault.exe
6180 | WerFault.exe
6180 | WerFault.exe
6180 | WerFault.exe
6180 | WerFault.exe
6180 | WerFault.exe
6180 | WerFault.exe
6180 | WerFault.exe
6180 | WerFault.exe
6180 | WerFault.exe
6180 | WerFault.exe
6180 | WerFault.exe
6180 | WerFault.exe
6180 | WerFault.exe
6180 | WerFault.exe
1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3272 | explorer.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeBackupPrivilege | 2316 | sihost.exe
Token: SeIncreaseQuotaPrivilege | 3792 | WMIC.exe
Token: SeSecurityPrivilege | 3792 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 3792 | WMIC.exe
Token: SeLoadDriverPrivilege | 3792 | WMIC.exe
Token: SeSystemProfilePrivilege | 3792 | WMIC.exe
Token: SeSystemtimePrivilege | 3792 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 3792 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 3792 | WMIC.exe
Token: SeCreatePagefilePrivilege | 3792 | WMIC.exe
Token: SeBackupPrivilege | 3792 | WMIC.exe
Token: SeRestorePrivilege | 3792 | WMIC.exe
Token: SeShutdownPrivilege | 3792 | WMIC.exe
Token: SeDebugPrivilege | 3792 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 3792 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 3792 | WMIC.exe
Token: SeUndockPrivilege | 3792 | WMIC.exe
Token: SeManageVolumePrivilege | 3792 | WMIC.exe
Token: 33 | 3792 | WMIC.exe
Token: 34 | 3792 | WMIC.exe
Token: 35 | 3792 | WMIC.exe
Token: 36 | 3792 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 3792 | WMIC.exe
Token: SeSecurityPrivilege | 3792 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 3792 | WMIC.exe
Token: SeLoadDriverPrivilege | 3792 | WMIC.exe
Token: SeSystemProfilePrivilege | 3792 | WMIC.exe
Token: SeSystemtimePrivilege | 3792 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 3792 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 3792 | WMIC.exe
Token: SeCreatePagefilePrivilege | 3792 | WMIC.exe
Token: SeBackupPrivilege | 3792 | WMIC.exe
Token: SeRestorePrivilege | 3792 | WMIC.exe
Token: SeShutdownPrivilege | 3792 | WMIC.exe
Token: SeDebugPrivilege | 3792 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 3792 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 3792 | WMIC.exe
Token: SeUndockPrivilege | 3792 | WMIC.exe
Token: SeManageVolumePrivilege | 3792 | WMIC.exe
Token: 33 | 3792 | WMIC.exe
Token: 34 | 3792 | WMIC.exe
Token: 35 | 3792 | WMIC.exe
Token: 36 | 3792 | WMIC.exe
Token: SeBackupPrivilege | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
Token: SeIncreaseQuotaPrivilege | 4732 | WMIC.exe
Token: SeSecurityPrivilege | 4732 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 4732 | WMIC.exe
Token: SeLoadDriverPrivilege | 4732 | WMIC.exe
Token: SeSystemProfilePrivilege | 4732 | WMIC.exe
Token: SeSystemtimePrivilege | 4732 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 4732 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 4732 | WMIC.exe
Token: SeCreatePagefilePrivilege | 4732 | WMIC.exe
Token: SeBackupPrivilege | 4732 | WMIC.exe
Token: SeRestorePrivilege | 4732 | WMIC.exe
Token: SeShutdownPrivilege | 4732 | WMIC.exe
Token: SeDebugPrivilege | 4732 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 4732 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 4732 | WMIC.exe
Token: SeUndockPrivilege | 4732 | WMIC.exe
Token: SeManageVolumePrivilege | 4732 | WMIC.exe
Token: 33 | 4732 | WMIC.exe
Token: 34 | 4732 | WMIC.exe
Token: 35 | 4732 | WMIC.exe
Suspicious use of FindShellTrayWindow 47 IoCs
Processes:
pid | process
5412 | sihost.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
Suspicious use of SendNotifyMessage 25 IoCs
Processes:
pid | process
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
3272 | explorer.exe
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid | process
8396 | ShellExperienceHost.exe
8308 | SearchUI.exe
8396 | ShellExperienceHost.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 1612 wrote to memory of 3048 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | WVeYOuPhBlan.exe
PID 1612 wrote to memory of 3048 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | WVeYOuPhBlan.exe
PID 1612 wrote to memory of 4060 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | NVEVsJxmblan.exe
PID 1612 wrote to memory of 4060 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | NVEVsJxmblan.exe
PID 1612 wrote to memory of 2316 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | sihost.exe
PID 1612 wrote to memory of 2324 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | svchost.exe
PID 1612 wrote to memory of 2440 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | taskhostw.exe
PID 1612 wrote to memory of 3216 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | SearchUI.exe
PID 1612 wrote to memory of 1644 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | net.exe
PID 1612 wrote to memory of 1644 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | net.exe
PID 1612 wrote to memory of 3248 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | net.exe
PID 1612 wrote to memory of 3248 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | net.exe
PID 1612 wrote to memory of 3224 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | ShellExperienceHost.exe
PID 1644 wrote to memory of 892 | 1644 | net.exe | net1.exe
PID 1644 wrote to memory of 892 | 1644 | net.exe | net1.exe
PID 3248 wrote to memory of 2888 | 3248 | net.exe | net1.exe
PID 3248 wrote to memory of 2888 | 3248 | net.exe | net1.exe
PID 1612 wrote to memory of 3436 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | RuntimeBroker.exe
PID 1612 wrote to memory of 3708 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | DllHost.exe
PID 1612 wrote to memory of 3048 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | WVeYOuPhBlan.exe
PID 2316 wrote to memory of 564 | 2316 | sihost.exe | cmd.exe
PID 2316 wrote to memory of 564 | 2316 | sihost.exe | cmd.exe
PID 2316 wrote to memory of 636 | 2316 | sihost.exe | cmd.exe
PID 2316 wrote to memory of 636 | 2316 | sihost.exe | cmd.exe
PID 2316 wrote to memory of 976 | 2316 | sihost.exe | cmd.exe
PID 2316 wrote to memory of 976 | 2316 | sihost.exe | cmd.exe
PID 2316 wrote to memory of 4056 | 2316 | sihost.exe | cmd.exe
PID 2316 wrote to memory of 4056 | 2316 | sihost.exe | cmd.exe
PID 2316 wrote to memory of 1540 | 2316 | sihost.exe | icacls.exe
PID 2316 wrote to memory of 1540 | 2316 | sihost.exe | icacls.exe
PID 2316 wrote to memory of 3704 | 2316 | sihost.exe | icacls.exe
PID 2316 wrote to memory of 3704 | 2316 | sihost.exe | icacls.exe
PID 976 wrote to memory of 1840 | 976 | cmd.exe | bcdedit.exe
PID 976 wrote to memory of 1840 | 976 | cmd.exe | bcdedit.exe
PID 636 wrote to memory of 740 | 636 | cmd.exe | vssadmin.exe
PID 636 wrote to memory of 740 | 636 | cmd.exe | vssadmin.exe
PID 564 wrote to memory of 3792 | 564 | cmd.exe | WMIC.exe
PID 564 wrote to memory of 3792 | 564 | cmd.exe | WMIC.exe
PID 976 wrote to memory of 3556 | 976 | cmd.exe | bcdedit.exe
PID 976 wrote to memory of 3556 | 976 | cmd.exe | bcdedit.exe
PID 1612 wrote to memory of 2748 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | cmd.exe
PID 1612 wrote to memory of 2748 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | cmd.exe
PID 1612 wrote to memory of 2840 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | cmd.exe
PID 1612 wrote to memory of 2840 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | cmd.exe
PID 1612 wrote to memory of 980 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | cmd.exe
PID 1612 wrote to memory of 980 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | cmd.exe
PID 1612 wrote to memory of 3252 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | cmd.exe
PID 1612 wrote to memory of 3252 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | cmd.exe
PID 1612 wrote to memory of 620 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | icacls.exe
PID 1612 wrote to memory of 620 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | icacls.exe
PID 1612 wrote to memory of 3984 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | icacls.exe
PID 1612 wrote to memory of 3984 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | icacls.exe
PID 1612 wrote to memory of 672 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | cmd.exe
PID 1612 wrote to memory of 672 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | cmd.exe
PID 1612 wrote to memory of 4040 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | net.exe
PID 1612 wrote to memory of 4040 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | net.exe
PID 1612 wrote to memory of 4304 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | net.exe
PID 1612 wrote to memory of 4304 | 1612 | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe | net.exe
PID 4040 wrote to memory of 4420 | 4040 | net.exe | net1.exe
PID 4040 wrote to memory of 4420 | 4040 | net.exe | net1.exe
PID 4304 wrote to memory of 4528 | 4304 | net.exe | net1.exe
PID 4304 wrote to memory of 4528
4304 net.exe net1.exe PID 2748 wrote to memory of 4732 2748 cmd.exe WMIC.exe PID 2748 wrote to memory of 4732 2748 cmd.exe WMIC.exe
Processes
(each entry gives the image path with its command line beneath it; indentation shows the depth in the process tree)
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
-
C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
  C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3708 -s 864
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
-
c:\windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
-
c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
-
  \??\c:\windows\system32\cmd.exe
      cmd /c "WMIC.exe shadowcopy delete"
-
    C:\Windows\System32\Wbem\WMIC.exe
        WMIC.exe shadowcopy delete
-
  \??\c:\windows\system32\cmd.exe
      cmd /c "vssadmin.exe Delete Shadows /all /quiet"
-
    C:\Windows\system32\vssadmin.exe
        vssadmin.exe Delete Shadows /all /quiet
    - Interacts with shadow copies
-
  \??\c:\windows\system32\cmd.exe
      cmd /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
-
    C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled No
    - Modifies boot configuration data using bcdedit
-
    C:\Windows\system32\bcdedit.exe
        bcdedit /set {default}
    - Modifies boot configuration data using bcdedit
-
  \??\c:\windows\system32\cmd.exe
      cmd /c "bootstatuspolicy ignoreallfailures"
-
  \??\c:\windows\system32\icacls.exe
      icacls "D:\*" /grant Everyone:F /T /C /Q
  - Modifies file permissions
-
  C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2324 -s 508
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
-
  \??\c:\windows\system32\icacls.exe
      icacls "C:\*" /grant Everyone:F /T /C /Q
  - Modifies file permissions
-
c:\windows\system32\sihost.exe
    sihost.exe
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  \??\c:\windows\system32\cmd.exe
      cmd /c "WMIC.exe shadowcopy delete"
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\System32\Wbem\WMIC.exe
        WMIC.exe shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken
-
  \??\c:\windows\system32\cmd.exe
      cmd /c "vssadmin.exe Delete Shadows /all /quiet"
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\system32\vssadmin.exe
        vssadmin.exe Delete Shadows /all /quiet
    - Interacts with shadow copies
-
  \??\c:\windows\system32\cmd.exe
      cmd /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled No
    - Modifies boot configuration data using bcdedit
-
    C:\Windows\system32\bcdedit.exe
        bcdedit /set {default}
    - Modifies boot configuration data using bcdedit
-
  \??\c:\windows\system32\cmd.exe
      cmd /c "bootstatuspolicy ignoreallfailures"
-
  \??\c:\windows\system32\icacls.exe
      icacls "C:\*" /grant Everyone:F /T /C /Q
  - Modifies file permissions
-
  \??\c:\windows\system32\icacls.exe
      icacls "D:\*" /grant Everyone:F /T /C /Q
  - Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\WVeYOuPhBlan.exe
      "C:\Users\Admin\AppData\Local\Temp\WVeYOuPhBlan.exe" 8 LAN
  - Executes dropped EXE
-
  C:\Users\Admin\AppData\Local\Temp\NVEVsJxmblan.exe
      "C:\Users\Admin\AppData\Local\Temp\NVEVsJxmblan.exe" 8 LAN
  - Executes dropped EXE
-
  C:\Windows\System32\net.exe
      "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
-
  C:\Windows\System32\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "samss" /y
-
  C:\Windows\SYSTEM32\cmd.exe
      cmd /c "WMIC.exe shadowcopy delete"
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\System32\Wbem\WMIC.exe
        WMIC.exe shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken
-
  C:\Windows\SYSTEM32\cmd.exe
      cmd /c "vssadmin.exe Delete Shadows /all /quiet"
-
    C:\Windows\system32\vssadmin.exe
        vssadmin.exe Delete Shadows /all /quiet
    - Interacts with shadow copies
-
  C:\Windows\SYSTEM32\cmd.exe
      cmd /c "bootstatuspolicy ignoreallfailures"
-
  C:\Windows\SYSTEM32\cmd.exe
      cmd /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
-
    C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled No
    - Modifies boot configuration data using bcdedit
-
    C:\Windows\system32\bcdedit.exe
        bcdedit /set {default}
    - Modifies boot configuration data using bcdedit
-
  C:\Windows\SYSTEM32\icacls.exe
      icacls "C:\*" /grant Everyone:F /T /C /Q
  - Modifies file permissions
-
  C:\Windows\SYSTEM32\icacls.exe
      icacls "D:\*" /grant Everyone:F /T /C /Q
  - Modifies file permissions
-
  C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe" /f /reg:64
-
    C:\Windows\system32\reg.exe
        REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe" /f /reg:64
    - Adds Run key to start application
-
  C:\Windows\System32\net.exe
      "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
-
  C:\Windows\System32\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "samss" /y
-
  C:\Windows\System32\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
-
    C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "samss" /y
-
  C:\Windows\System32\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
-
    C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "samss" /y
-
  C:\Windows\System32\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
-
    C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "samss" /y
-
  C:\Windows\System32\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
-
    C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "samss" /y
-
\??\c:\windows\system32\sihost.exe
    sihost.exe
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
  C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
-
C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\$Recycle.Bin\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\Fonts\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\Resources\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\Resources\en-US\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\bg-BG\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\cs-CZ\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\da-DK\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\de-DE\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\el-GR\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\en-GB\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\en-US\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\es-ES\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\es-MX\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\et-EE\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\fi-FI\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\fr-CA\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\fr-FR\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\hr-HR\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\hu-HU\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\it-IT\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\ja-JP\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\ko-KR\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\lt-LT\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\lv-LV\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\nb-NO\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\nl-NL\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\pl-PL\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\pt-BR\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\pt-PT\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\qps-ploc\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\ro-RO\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\ru-RU\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\sk-SK\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\sl-SI\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\sr-Latn-RS\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\sv-SE\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\tr-TR\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\uk-UA\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\zh-CN\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Boot\zh-TW\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_cc51e87d-bda7-4ef7-80cf-c431fec6b805MD5
93a5aadeec082ffc1bca5aa27af70f52
SHA147a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SHA512df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45
-
C:\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYKMD5
eb03e0a20abeb9e4c5192a9a1316b074
SHA1ca81fe65bfb3f4aa635890afe0aeb550d41c0a81
SHA2562879027a5b91f482ddd3279ddac596526ed594ae997620550dcd967baefa3633
SHA51264f7d0572fd45cc7071fd5d74f1836167b07373a3d51de6450cbc9d891f7e2a80b277717b2a37a9648e5a2cd227c140df6dca0f6219affca6ef5e34542660ce0
-
C:\Users\Admin\.oracle_jre_usage\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst.RYKMD5
1cf8cbd50b4c2d7a41afafb8d13c4d33
SHA1783aedfc65909f5c65110837d3f4ab70531d9a68
SHA256d8cbb2ad8977efc9c1f90665abdcc6d637f9fcb1a7c0fed246efe0c54fe969d6
SHA51268b999d52a06a946350c83db4bfe3848774ce2ea91690659dce70451fe78ec308fe222b434f54ddd0e7b67ee073cd82ab0031564de90a46344b6b481c565647b
-
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst.RYKMD5
055466663f659333e351cd880aeea726
SHA108710e6c7661a9df6d133e3ff8e7f7b8dc003db1
SHA2561a60b1df055df6baf73bfd6d9df23f3391f8eb298ec839f0e56e64b73b9f345f
SHA51294c071f93620206c778c16d708716d01128cba0218541c4919e016213445f83926b2c7c0cc8932108caebb01d750f0964bc52afbe0b9fa56b6ef793b0c50b6ea
-
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt19.lst.RYKMD5
53e5825437fb29973ca91685e26199cf
SHA15d5af29fe7252fe7618be44cae1ffc75338bd856
SHA256e2f1894b46246ee2b6a11c9858e1b9a6a33ec729a6dbe3e5092cb4d235ff7ccd
SHA512586826487d85aca3e695e6681fd6dee734078721108952f6323f270a90c7d0488465e9d11533745839a8750ead7fd694011c5e8fb30ab12851e69885e63e5a54
-
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat.RYKMD5
5be16a62b1638680e00beada680a48ab
SHA1c09e77f11ea9d14c4a1fefbde1f0f96e2292d31d
SHA256067eab9901af6ef7c7dc295bb3e9c2ec834eb53228fd4e7865a81c16106f90cc
SHA512f4b258a8adca4d63c61b25cf9a5dafc21e4bdf9eec85c0b44897daaa47d518891b88b7e20e6e50472794044d148fa51d1efce56e1f05d1c474789d6597abc25b
-
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYKMD5
ff7c883169c7adef164ff7127b73c0ff
SHA13ec21235ca30bfeb26e8b69de5f9c2603a856041
SHA256fee2df24648087f5e536ec7739949c027b4046ff23cdb68ceae170e0b665c623
SHA5126b33adce376932cfc51113c83e648c4dc05edebe480f863c677b721adc1e8abdc5020e69d012c14f9570dec08a764c3796a68e273fbd62103d96b07802cbe51e
-
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\ToolsSearchCacheRdr\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYKMD5
198e637a2227901c7e129ecc8bbf76aa
SHA19a0a2557dd440646d588d28ea48a425f0a0b175f
SHA2563b1169f0dfbf682faea94816c5f64cf472928ee6daa497504ba24c892922eb03
SHA5120e0264e0bfedc4e669fffe1c2b921bdb7e2bf88e17f3cb780c03c29206d943e63d6bc6706321217ba86a3dabd508fe414113cb9eb900d01a7113557c5472b2b0
-
C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
MD5 1b2f46ac9409aa473abd073633285531
SHA1 4accb2cefe1579d6d1193f067940bc3e20dce752
SHA256 13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA512 69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Users\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK
MD5 c697f75af8414f6c0e41a36dc3c1d89c
SHA1 624d6a79eb47d26baa4613ee444a05df8c4b43bb
SHA256 82277210494e83f31d060fe07ee023bdd0400a754fba4a43cda17f794524ab28
SHA512 894f170b6256729266e6d3c03e8362bba228d67eb0c0e1f5a3ff7ddbe549af284f34208dc3f290001e97d3b8cae43c4b51a5c7803f42790c4241ea24b450580b
-
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
MD5 1b2f46ac9409aa473abd073633285531
SHA1 4accb2cefe1579d6d1193f067940bc3e20dce752
SHA256 13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA512 69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
MD5 93eaadb674364db156de7a5a7e9c24e2
SHA1 d21d52de44727e471661cc37f45ee8bce7ceca7a
SHA256 d9cfb2034e698a22021bcdb52307ce465c82ff1d89b65d8dd69838d3efed79ed
SHA512 3f4dd3f0d7c0b9624ca7ac46ef5dc878a02d42eec2d04ca75db6d60a1844d1193024414d0ffe2fdf89b924618c9552569a81c42af22c4b232ac94d723d5f68a2
-
C:\Users\Admin\AppData\Local\Temp\NVEVsJxmblan.exe
MD5 ab3681a8456319f1330f7525ec6935c3
SHA1 244e178e2073247893025bd51eb7618173bbac29
SHA256 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb
SHA512 63e795ba9d18e5de28ed390810d3d61f97d7db4e8e5f49d57d567331697a83447a4d169386b7b3b08fb76f02683aa9f9c273d4ea52ee1517370554c8e6f4d42d
-
C:\Users\Admin\AppData\Local\Temp\WVeYOuPhBlan.exe
MD5 ab3681a8456319f1330f7525ec6935c3
SHA1 244e178e2073247893025bd51eb7618173bbac29
SHA256 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb
SHA512 63e795ba9d18e5de28ed390810d3d61f97d7db4e8e5f49d57d567331697a83447a4d169386b7b3b08fb76f02683aa9f9c273d4ea52ee1517370554c8e6f4d42d
-
C:\Users\RyukReadMe.html
MD5 1b2f46ac9409aa473abd073633285531
SHA1 4accb2cefe1579d6d1193f067940bc3e20dce752
SHA256 13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA512 69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
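The dropped-file list above is what a responder turns into indicators: the two randomly named executables in the user's Temp directory carry the submitted sample's own hashes (the sample copies itself), RyukReadMe.html has one hash in every directory it lands in (a static note, not per-host content), and victim files are recognisable by the appended .RYK extension. The helper below is an added example, not part of the sandbox report or its platform. It parses the records exactly as this page renders them (path with a fused "MD5" label, the MD5 value on its own line, then SHA1/SHA256/SHA512 values with fused labels, each record closed by "-"), validates digest lengths, discards exact duplicate records, and buckets each file. The six records embedded as input are copied from the list above; the sample SHA-256 comes from the report header; the record layout, the note file name and the .RYK extension are assumptions drawn from this page only.

```python
# Added triage helper for the dropped-file records on this page; not part of
# the sandbox report. Parses the flattened "path + fused hash label" records,
# drops duplicate records, and classifies each file for a responder.
import re

# Constructed input: six records copied from the report's dropped-file list,
# including one exact duplicate, as the page renders them.
REPORT_ENTRIES = r"""
C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Users\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYKMD5
c697f75af8414f6c0e41a36dc3c1d89c
SHA1624d6a79eb47d26baa4613ee444a05df8c4b43bb
SHA25682277210494e83f31d060fe07ee023bdd0400a754fba4a43cda17f794524ab28
SHA512894f170b6256729266e6d3c03e8362bba228d67eb0c0e1f5a3ff7ddbe549af284f34208dc3f290001e97d3b8cae43c4b51a5c7803f42790c4241ea24b450580b
-
C:\Users\RyukReadMe.htmlMD5
1b2f46ac9409aa473abd073633285531
SHA14accb2cefe1579d6d1193f067940bc3e20dce752
SHA25613903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22
SHA51269b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93
-
C:\Users\Admin\AppData\Local\Temp\NVEVsJxmblan.exeMD5
ab3681a8456319f1330f7525ec6935c3
SHA1244e178e2073247893025bd51eb7618173bbac29
SHA2561328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb
SHA51263e795ba9d18e5de28ed390810d3d61f97d7db4e8e5f49d57d567331697a83447a4d169386b7b3b08fb76f02683aa9f9c273d4ea52ee1517370554c8e6f4d42d
-
C:\Users\Admin\AppData\Local\Temp\NVEVsJxmblan.exeMD5
ab3681a8456319f1330f7525ec6935c3
SHA1244e178e2073247893025bd51eb7618173bbac29
SHA2561328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb
SHA51263e795ba9d18e5de28ed390810d3d61f97d7db4e8e5f49d57d567331697a83447a4d169386b7b3b08fb76f02683aa9f9c273d4ea52ee1517370554c8e6f4d42d
-
C:\Users\Admin\AppData\Local\Temp\WVeYOuPhBlan.exeMD5
ab3681a8456319f1330f7525ec6935c3
SHA1244e178e2073247893025bd51eb7618173bbac29
SHA2561328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb
SHA51263e795ba9d18e5de28ed390810d3d61f97d7db4e8e5f49d57d567331697a83447a4d169386b7b3b08fb76f02683aa9f9c273d4ea52ee1517370554c8e6f4d42d
-
"""

SAMPLE_SHA256 = "1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb"  # from the report header
RANSOM_NOTE_NAME = "RyukReadMe.html"   # note file name seen in the list (assumption: constant)
ENCRYPTED_EXT = ".RYK"                 # extension appended to encrypted files on this page
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_entries(text):
    """Return a list of (path, {algo: hexdigest}) from the flattened records."""
    records, current = [], None
    for raw in text.strip().splitlines():
        line = raw.strip()
        if line == "-":                      # record terminator
            if current:
                records.append(current)
            current = None
            continue
        if current is None:                  # first line: path with fused "MD5"
            if not line.endswith("MD5"):
                raise ValueError(f"expected '<path>MD5', got: {line}")
            current = (line[:-3], {})
            continue
        path, hashes = current
        # SHA values carry a fused label; a bare hex line is the MD5 value.
        label = next((a for a in ("SHA512", "SHA256", "SHA1")
                      if line.startswith(a)), "MD5")
        value = line if label == "MD5" else line[len(label):]
        if len(value) != DIGEST_LEN[label] or not HEX.match(value):
            raise ValueError(f"{label} for {path} is not a valid digest")
        hashes[label] = value
    if current:                              # tolerate a missing final "-"
        records.append(current)
    return records


def triage(records, sample_sha256=SAMPLE_SHA256):
    """Deduplicate records and bucket them by what they tell a responder."""
    seen, note_hashes = set(), set()
    out = {"self_copies": [], "ransom_notes": [], "encrypted": [],
           "other": [], "duplicates": 0}
    for path, hashes in records:
        sha256 = hashes["SHA256"]
        if (path, sha256) in seen:           # same path, same content: a repeat
            out["duplicates"] += 1
            continue
        seen.add((path, sha256))
        name = path.rsplit("\\", 1)[-1]
        if sha256 == sample_sha256:          # byte-identical copy of the sample
            out["self_copies"].append(path)
        elif name == RANSOM_NOTE_NAME:
            out["ransom_notes"].append(path)
            note_hashes.add(sha256)
        elif name.upper().endswith(ENCRYPTED_EXT):
            out["encrypted"].append(path)
        else:
            out["other"].append(path)
    out["note_identical"] = len(note_hashes) == 1   # one template everywhere
    return out
```

The record layout is specific to how this page renders the list, so parse_entries is the piece to adapt for another export; triage only needs path and SHA-256 per file, and the "self_copies" bucket is the one to feed straight into blocking rules, since those paths are the sample itself under new names.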
memory/64-221-0x0000000000000000-mapping.dmp
-
memory/564-130-0x0000000000000000-mapping.dmp
-
memory/620-145-0x0000000000000000-mapping.dmp
-
memory/636-131-0x0000000000000000-mapping.dmp
-
memory/672-147-0x0000000000000000-mapping.dmp
-
memory/740-137-0x0000000000000000-mapping.dmp
-
memory/892-127-0x0000000000000000-mapping.dmp
-
memory/976-132-0x0000000000000000-mapping.dmp
-
memory/980-143-0x0000000000000000-mapping.dmp
-
memory/1540-134-0x0000000000000000-mapping.dmp
-
memory/1644-125-0x0000000000000000-mapping.dmp
-
memory/1764-217-0x0000000000000000-mapping.dmp
-
memory/1840-136-0x0000000000000000-mapping.dmp
-
memory/2316-123-0x00007FF686070000-0x00007FF6861D3000-memory.dmp
Filesize 1.4MB
-
memory/2324-124-0x00007FF686070000-0x00007FF6861D3000-memory.dmp
Filesize 1.4MB
-
memory/2332-222-0x0000000000000000-mapping.dmp
-
memory/2748-141-0x0000000000000000-mapping.dmp
-
memory/2840-142-0x0000000000000000-mapping.dmp
-
memory/2888-128-0x0000000000000000-mapping.dmp
-
memory/3048-117-0x0000000000000000-mapping.dmp
-
memory/3064-218-0x0000000000000000-mapping.dmp
-
memory/3240-219-0x0000000000000000-mapping.dmp
-
memory/3248-126-0x0000000000000000-mapping.dmp
-
memory/3252-144-0x0000000000000000-mapping.dmp
-
memory/3272-227-0x0000000000000000-mapping.dmp
-
memory/3272-230-0x0000000003170000-0x0000000003171000-memory.dmp
Filesize 4KB
-
memory/3416-220-0x0000000000000000-mapping.dmp
-
memory/3436-129-0x00007FF686070000-0x00007FF6861D3000-memory.dmp
Filesize 1.4MB
-
memory/3556-139-0x0000000000000000-mapping.dmp
-
memory/3704-135-0x0000000000000000-mapping.dmp
-
memory/3792-138-0x0000000000000000-mapping.dmp
-
memory/3984-146-0x0000000000000000-mapping.dmp
-
memory/4040-148-0x0000000000000000-mapping.dmp
-
memory/4056-133-0x0000000000000000-mapping.dmp
-
memory/4060-120-0x0000000000000000-mapping.dmp
-
memory/4304-150-0x0000000000000000-mapping.dmp
-
memory/4420-151-0x0000000000000000-mapping.dmp
-
memory/4528-152-0x0000000000000000-mapping.dmp
-
memory/4732-153-0x0000000000000000-mapping.dmp
-
memory/4744-154-0x0000000000000000-mapping.dmp
-
memory/4832-155-0x0000000000000000-mapping.dmp
-
memory/4848-156-0x0000000000000000-mapping.dmp
-
memory/4904-159-0x0000000000000000-mapping.dmp
-
memory/5252-216-0x0000000000000000-mapping.dmp
-
memory/6368-223-0x0000000000000000-mapping.dmp
-
memory/6388-224-0x0000000000000000-mapping.dmp
-
memory/6400-225-0x0000000000000000-mapping.dmp
-
memory/6448-226-0x0000000000000000-mapping.dmp
-
memory/8596-228-0x0000000000000000-mapping.dmp
-
memory/8680-229-0x0000000000000000-mapping.dmp
-
memory/9896-231-0x0000000000000000-mapping.dmp
-
memory/10128-232-0x0000000000000000-mapping.dmp
-
memory/29040-233-0x0000000000000000-mapping.dmp
-
memory/29104-234-0x0000000000000000-mapping.dmp
-
memory/33644-235-0x0000000000000000-mapping.dmp
-
memory/33944-236-0x0000000000000000-mapping.dmp