ryuk | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb

Analysis

max time kernel
122s
max time network
171s
platform
windows10_x64
resource
win10v20210408
submitted
26-07-2021 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
Size

132KB
MD5

ab3681a8456319f1330f7525ec6935c3
SHA1

244e178e2073247893025bd51eb7618173bbac29
SHA256

1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb
SHA512

63e795ba9d18e5de28ed390810d3d61f97d7db4e8e5f49d57d567331697a83447a4d169386b7b3b08fb76f02683aa9f9c273d4ea52ee1517370554c8e6f4d42d

Score

10^/10

ryuk discovery evasion persistence ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

orfhissipmay1970@protonmail.com balance of shadow universe Ryuk

Emails

orfhissipmay1970@protonmail.com

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 6180 created 2324 6180 WerFault.exe svchost.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 6 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

1840 bcdedit.exe
3556 bcdedit.exe
4832 bcdedit.exe
4904 bcdedit.exe
6400 bcdedit.exe
6448 bcdedit.exe
Executes dropped EXE 2 IoCs

Processes:

WVeYOuPhBlan.exeNVEVsJxmblan.exe

pid process

3048 WVeYOuPhBlan.exe
4060 NVEVsJxmblan.exe
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Modifies file permissions 1 TTPs 6 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

620 icacls.exe
3984 icacls.exe
2332 icacls.exe
64 icacls.exe
1540 icacls.exe
3704 icacls.exe

description	pid	process	target process
PID 6180 created 2324	6180	WerFault.exe	svchost.exe

pid	process
1840	bcdedit.exe
3556	bcdedit.exe
4832	bcdedit.exe
4904	bcdedit.exe
6400	bcdedit.exe
6448	bcdedit.exe

pid	process
3048	WVeYOuPhBlan.exe
4060	NVEVsJxmblan.exe

pid	process
620	icacls.exe
3984	icacls.exe
2332	icacls.exe
64	icacls.exe
1540	icacls.exe
3704	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\EV = "\ufffe\ufffeC:\\Users\\Admin\\AppData\\Local\\Temp\\1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe"	reg.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5252 3708 WerFault.exe DllHost.exe
6180 2324 WerFault.exe svchost.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe

pid	pid_target	process	target process
5252	3708	WerFault.exe	DllHost.exe
6180	2324	WerFault.exe	svchost.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchUI.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

740 vssadmin.exe
4744 vssadmin.exe
6388 vssadmin.exe

pid	process
740	vssadmin.exe
4744	vssadmin.exe
6388	vssadmin.exe

Modifies registry class 16 IoCs

Processes:

explorer.exeSearchUI.exesihost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132623575947209929"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e50707004100720067006a006200650078000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000c65afc3c3582d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e507070047007500720020004e006800710076006200200046007200650069007600700072002000760066002000610062006700200065006800610061007600610074002e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000fec1a13c3582d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e50704004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc76000000000000000000000000f4fe5fd9702cd70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Cortana_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exeWerFault.exeWerFault.exe

pid	process
1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
5252	WerFault.exe
5252	WerFault.exe
5252	WerFault.exe
5252	WerFault.exe
5252	WerFault.exe
5252	WerFault.exe
5252	WerFault.exe
5252	WerFault.exe
5252	WerFault.exe
5252	WerFault.exe
5252	WerFault.exe
5252	WerFault.exe
5252	WerFault.exe
5252	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
6180	WerFault.exe
1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

3272 explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

sihost.exeWMIC.exe1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	2316	sihost.exe
Token: SeIncreaseQuotaPrivilege	3792	WMIC.exe
Token: SeSecurityPrivilege	3792	WMIC.exe
Token: SeTakeOwnershipPrivilege	3792	WMIC.exe
Token: SeLoadDriverPrivilege	3792	WMIC.exe
Token: SeSystemProfilePrivilege	3792	WMIC.exe
Token: SeSystemtimePrivilege	3792	WMIC.exe
Token: SeProfSingleProcessPrivilege	3792	WMIC.exe
Token: SeIncBasePriorityPrivilege	3792	WMIC.exe
Token: SeCreatePagefilePrivilege	3792	WMIC.exe
Token: SeBackupPrivilege	3792	WMIC.exe
Token: SeRestorePrivilege	3792	WMIC.exe
Token: SeShutdownPrivilege	3792	WMIC.exe
Token: SeDebugPrivilege	3792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3792	WMIC.exe
Token: SeRemoteShutdownPrivilege	3792	WMIC.exe
Token: SeUndockPrivilege	3792	WMIC.exe
Token: SeManageVolumePrivilege	3792	WMIC.exe
Token: 33	3792	WMIC.exe
Token: 34	3792	WMIC.exe
Token: 35	3792	WMIC.exe
Token: 36	3792	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3792	WMIC.exe
Token: SeSecurityPrivilege	3792	WMIC.exe
Token: SeTakeOwnershipPrivilege	3792	WMIC.exe
Token: SeLoadDriverPrivilege	3792	WMIC.exe
Token: SeSystemProfilePrivilege	3792	WMIC.exe
Token: SeSystemtimePrivilege	3792	WMIC.exe
Token: SeProfSingleProcessPrivilege	3792	WMIC.exe
Token: SeIncBasePriorityPrivilege	3792	WMIC.exe
Token: SeCreatePagefilePrivilege	3792	WMIC.exe
Token: SeBackupPrivilege	3792	WMIC.exe
Token: SeRestorePrivilege	3792	WMIC.exe
Token: SeShutdownPrivilege	3792	WMIC.exe
Token: SeDebugPrivilege	3792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3792	WMIC.exe
Token: SeRemoteShutdownPrivilege	3792	WMIC.exe
Token: SeUndockPrivilege	3792	WMIC.exe
Token: SeManageVolumePrivilege	3792	WMIC.exe
Token: 33	3792	WMIC.exe
Token: 34	3792	WMIC.exe
Token: 35	3792	WMIC.exe
Token: 36	3792	WMIC.exe
Token: SeBackupPrivilege	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
Token: SeIncreaseQuotaPrivilege	4732	WMIC.exe
Token: SeSecurityPrivilege	4732	WMIC.exe
Token: SeTakeOwnershipPrivilege	4732	WMIC.exe
Token: SeLoadDriverPrivilege	4732	WMIC.exe
Token: SeSystemProfilePrivilege	4732	WMIC.exe
Token: SeSystemtimePrivilege	4732	WMIC.exe
Token: SeProfSingleProcessPrivilege	4732	WMIC.exe
Token: SeIncBasePriorityPrivilege	4732	WMIC.exe
Token: SeCreatePagefilePrivilege	4732	WMIC.exe
Token: SeBackupPrivilege	4732	WMIC.exe
Token: SeRestorePrivilege	4732	WMIC.exe
Token: SeShutdownPrivilege	4732	WMIC.exe
Token: SeDebugPrivilege	4732	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4732	WMIC.exe
Token: SeRemoteShutdownPrivilege	4732	WMIC.exe
Token: SeUndockPrivilege	4732	WMIC.exe
Token: SeManageVolumePrivilege	4732	WMIC.exe
Token: 33	4732	WMIC.exe
Token: 34	4732	WMIC.exe
Token: 35	4732	WMIC.exe

Suspicious use of FindShellTrayWindow 47 IoCs

Processes:

sihost.exeexplorer.exe

pid	process
5412	sihost.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe

Suspicious use of SendNotifyMessage 25 IoCs

Processes:

explorer.exe

pid	process
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe
3272	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

ShellExperienceHost.exeSearchUI.exe

pid process

8396 ShellExperienceHost.exe
8308 SearchUI.exe
8396 ShellExperienceHost.exe

pid	process
8396	ShellExperienceHost.exe
8308	SearchUI.exe
8396	ShellExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exenet.exenet.exesihost.execmd.execmd.execmd.exenet.exenet.execmd.exe

description	pid	process	target process
PID 1612 wrote to memory of 3048	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	WVeYOuPhBlan.exe
PID 1612 wrote to memory of 3048	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	WVeYOuPhBlan.exe
PID 1612 wrote to memory of 4060	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	NVEVsJxmblan.exe
PID 1612 wrote to memory of 4060	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	NVEVsJxmblan.exe
PID 1612 wrote to memory of 2316	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	sihost.exe
PID 1612 wrote to memory of 2324	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	svchost.exe
PID 1612 wrote to memory of 2440	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	taskhostw.exe
PID 1612 wrote to memory of 3216	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	SearchUI.exe
PID 1612 wrote to memory of 1644	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	net.exe
PID 1612 wrote to memory of 1644	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	net.exe
PID 1612 wrote to memory of 3248	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	net.exe
PID 1612 wrote to memory of 3248	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	net.exe
PID 1612 wrote to memory of 3224	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	ShellExperienceHost.exe
PID 1644 wrote to memory of 892	1644	net.exe	net1.exe
PID 1644 wrote to memory of 892	1644	net.exe	net1.exe
PID 3248 wrote to memory of 2888	3248	net.exe	net1.exe
PID 3248 wrote to memory of 2888	3248	net.exe	net1.exe
PID 1612 wrote to memory of 3436	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	RuntimeBroker.exe
PID 1612 wrote to memory of 3708	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	DllHost.exe
PID 1612 wrote to memory of 3048	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	WVeYOuPhBlan.exe
PID 2316 wrote to memory of 564	2316	sihost.exe	cmd.exe
PID 2316 wrote to memory of 564	2316	sihost.exe	cmd.exe
PID 2316 wrote to memory of 636	2316	sihost.exe	cmd.exe
PID 2316 wrote to memory of 636	2316	sihost.exe	cmd.exe
PID 2316 wrote to memory of 976	2316	sihost.exe	cmd.exe
PID 2316 wrote to memory of 976	2316	sihost.exe	cmd.exe
PID 2316 wrote to memory of 4056	2316	sihost.exe	cmd.exe
PID 2316 wrote to memory of 4056	2316	sihost.exe	cmd.exe
PID 2316 wrote to memory of 1540	2316	sihost.exe	icacls.exe
PID 2316 wrote to memory of 1540	2316	sihost.exe	icacls.exe
PID 2316 wrote to memory of 3704	2316	sihost.exe	icacls.exe
PID 2316 wrote to memory of 3704	2316	sihost.exe	icacls.exe
PID 976 wrote to memory of 1840	976	cmd.exe	bcdedit.exe
PID 976 wrote to memory of 1840	976	cmd.exe	bcdedit.exe
PID 636 wrote to memory of 740	636	cmd.exe	vssadmin.exe
PID 636 wrote to memory of 740	636	cmd.exe	vssadmin.exe
PID 564 wrote to memory of 3792	564	cmd.exe	WMIC.exe
PID 564 wrote to memory of 3792	564	cmd.exe	WMIC.exe
PID 976 wrote to memory of 3556	976	cmd.exe	bcdedit.exe
PID 976 wrote to memory of 3556	976	cmd.exe	bcdedit.exe
PID 1612 wrote to memory of 2748	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	cmd.exe
PID 1612 wrote to memory of 2748	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	cmd.exe
PID 1612 wrote to memory of 2840	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	cmd.exe
PID 1612 wrote to memory of 2840	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	cmd.exe
PID 1612 wrote to memory of 980	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	cmd.exe
PID 1612 wrote to memory of 980	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	cmd.exe
PID 1612 wrote to memory of 3252	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	cmd.exe
PID 1612 wrote to memory of 3252	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	cmd.exe
PID 1612 wrote to memory of 620	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	icacls.exe
PID 1612 wrote to memory of 620	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	icacls.exe
PID 1612 wrote to memory of 3984	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	icacls.exe
PID 1612 wrote to memory of 3984	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	icacls.exe
PID 1612 wrote to memory of 672	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	cmd.exe
PID 1612 wrote to memory of 672	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	cmd.exe
PID 1612 wrote to memory of 4040	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	net.exe
PID 1612 wrote to memory of 4040	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	net.exe
PID 1612 wrote to memory of 4304	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	net.exe
PID 1612 wrote to memory of 4304	1612	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	net.exe
PID 4040 wrote to memory of 4420	4040	net.exe	net1.exe
PID 4040 wrote to memory of 4420	4040	net.exe	net1.exe
PID 4304 wrote to memory of 4528	4304	net.exe	net1.exe
PID 4304 wrote to memory of 4528	4304	net.exe	net1.exe
PID 2748 wrote to memory of 4732	2748	cmd.exe	WMIC.exe
PID 2748 wrote to memory of 4732	2748	cmd.exe	WMIC.exe

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3216

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3708

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3708 -s 864
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:5252

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3436

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3224

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2440

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2324

\??\c:\windows\system32\cmd.exe
cmd /c "WMIC.exe shadowcopy delete"
2⤵
PID:1764

C:\Windows\System32\Wbem\WMIC.exe
WMIC.exe shadowcopy delete
3⤵
PID:6368

\??\c:\windows\system32\cmd.exe
cmd /c "vssadmin.exe Delete Shadows /all /quiet"
2⤵
PID:3064

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:6388

\??\c:\windows\system32\cmd.exe
cmd /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
2⤵
PID:3240

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No
3⤵
- Modifies boot configuration data using bcdedit
PID:6400

C:\Windows\system32\bcdedit.exe
bcdedit /set {default}
3⤵
- Modifies boot configuration data using bcdedit
PID:6448

\??\c:\windows\system32\cmd.exe
cmd /c "bootstatuspolicy ignoreallfailures"
2⤵
PID:3416

\??\c:\windows\system32\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2332

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2324 -s 508
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:6180

\??\c:\windows\system32\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:64

c:\windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316

\??\c:\windows\system32\cmd.exe
cmd /c "WMIC.exe shadowcopy delete"
2⤵
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\System32\Wbem\WMIC.exe
WMIC.exe shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3792

\??\c:\windows\system32\cmd.exe
cmd /c "vssadmin.exe Delete Shadows /all /quiet"
2⤵
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:740

\??\c:\windows\system32\cmd.exe
cmd /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
2⤵
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No
3⤵
- Modifies boot configuration data using bcdedit
PID:1840

C:\Windows\system32\bcdedit.exe
bcdedit /set {default}
3⤵
- Modifies boot configuration data using bcdedit
PID:3556

\??\c:\windows\system32\cmd.exe
cmd /c "bootstatuspolicy ignoreallfailures"
2⤵
PID:4056

\??\c:\windows\system32\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1540

\??\c:\windows\system32\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:3704

C:\Users\Admin\AppData\Local\Temp\1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
"C:\Users\Admin\AppData\Local\Temp\1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612

C:\Users\Admin\AppData\Local\Temp\WVeYOuPhBlan.exe
"C:\Users\Admin\AppData\Local\Temp\WVeYOuPhBlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:3048

C:\Users\Admin\AppData\Local\Temp\NVEVsJxmblan.exe
"C:\Users\Admin\AppData\Local\Temp\NVEVsJxmblan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:4060

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:892

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3248

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2888

C:\Windows\SYSTEM32\cmd.exe
cmd /c "WMIC.exe shadowcopy delete"
2⤵
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\System32\Wbem\WMIC.exe
WMIC.exe shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\SYSTEM32\cmd.exe
cmd /c "vssadmin.exe Delete Shadows /all /quiet"
2⤵
PID:2840

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:4744

C:\Windows\SYSTEM32\cmd.exe
cmd /c "bootstatuspolicy ignoreallfailures"
2⤵
PID:3252

C:\Windows\SYSTEM32\cmd.exe
cmd /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
2⤵
PID:980

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No
3⤵
- Modifies boot configuration data using bcdedit
PID:4832

C:\Windows\system32\bcdedit.exe
bcdedit /set {default}
3⤵
- Modifies boot configuration data using bcdedit
PID:4904

C:\Windows\SYSTEM32\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:620

C:\Windows\SYSTEM32\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:3984

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe" /f /reg:64
2⤵
PID:672

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe" /f /reg:64
3⤵
- Adds Run key to start application
PID:4848

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:4420

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4304

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:4528

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:8596

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:8680

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:9896

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:10128

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:29040

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:29104

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:33644

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:33944

\??\c:\windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5412

C:\Windows\explorer.exe
explorer.exe /LOADSAVEDWINDOWS
2⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3272

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5584

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8308

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:8396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\Fonts\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\Resources\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\Resources\en-US\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\bg-BG\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\cs-CZ\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\da-DK\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\de-DE\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\el-GR\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\en-GB\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\en-US\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\es-ES\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\es-MX\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\et-EE\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\fi-FI\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\fr-CA\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\fr-FR\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\hr-HR\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\hu-HU\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\it-IT\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\ja-JP\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\ko-KR\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\lt-LT\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\lv-LV\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\nb-NO\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\nl-NL\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\pl-PL\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\pt-BR\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\pt-PT\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\qps-ploc\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\ro-RO\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\ru-RU\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\sk-SK\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\sl-SI\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\sr-Latn-RS\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\sv-SE\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\tr-TR\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\uk-UA\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\zh-CN\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Boot\zh-TW\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_cc51e87d-bda7-4ef7-80cf-c431fec6b805
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK
MD5
eb03e0a20abeb9e4c5192a9a1316b074

SHA1
ca81fe65bfb3f4aa635890afe0aeb550d41c0a81

SHA256
2879027a5b91f482ddd3279ddac596526ed594ae997620550dcd967baefa3633

SHA512
64f7d0572fd45cc7071fd5d74f1836167b07373a3d51de6450cbc9d891f7e2a80b277717b2a37a9648e5a2cd227c140df6dca0f6219affca6ef5e34542660ce0

Download Submit
C:\Users\Admin\.oracle_jre_usage\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst.RYK
MD5
1cf8cbd50b4c2d7a41afafb8d13c4d33

SHA1
783aedfc65909f5c65110837d3f4ab70531d9a68

SHA256
d8cbb2ad8977efc9c1f90665abdcc6d637f9fcb1a7c0fed246efe0c54fe969d6

SHA512
68b999d52a06a946350c83db4bfe3848774ce2ea91690659dce70451fe78ec308fe222b434f54ddd0e7b67ee073cd82ab0031564de90a46344b6b481c565647b

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst.RYK
MD5
055466663f659333e351cd880aeea726

SHA1
08710e6c7661a9df6d133e3ff8e7f7b8dc003db1

SHA256
1a60b1df055df6baf73bfd6d9df23f3391f8eb298ec839f0e56e64b73b9f345f

SHA512
94c071f93620206c778c16d708716d01128cba0218541c4919e016213445f83926b2c7c0cc8932108caebb01d750f0964bc52afbe0b9fa56b6ef793b0c50b6ea

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt19.lst.RYK
MD5
53e5825437fb29973ca91685e26199cf

SHA1
5d5af29fe7252fe7618be44cae1ffc75338bd856

SHA256
e2f1894b46246ee2b6a11c9858e1b9a6a33ec729a6dbe3e5092cb4d235ff7ccd

SHA512
586826487d85aca3e695e6681fd6dee734078721108952f6323f270a90c7d0488465e9d11533745839a8750ead7fd694011c5e8fb30ab12851e69885e63e5a54

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat.RYK
MD5
5be16a62b1638680e00beada680a48ab

SHA1
c09e77f11ea9d14c4a1fefbde1f0f96e2292d31d

SHA256
067eab9901af6ef7c7dc295bb3e9c2ec834eb53228fd4e7865a81c16106f90cc

SHA512
f4b258a8adca4d63c61b25cf9a5dafc21e4bdf9eec85c0b44897daaa47d518891b88b7e20e6e50472794044d148fa51d1efce56e1f05d1c474789d6597abc25b

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK
MD5
ff7c883169c7adef164ff7127b73c0ff

SHA1
3ec21235ca30bfeb26e8b69de5f9c2603a856041

SHA256
fee2df24648087f5e536ec7739949c027b4046ff23cdb68ceae170e0b665c623

SHA512
6b33adce376932cfc51113c83e648c4dc05edebe480f863c677b721adc1e8abdc5020e69d012c14f9570dec08a764c3796a68e273fbd62103d96b07802cbe51e

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\ToolsSearchCacheRdr\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK
MD5
198e637a2227901c7e129ecc8bbf76aa

SHA1
9a0a2557dd440646d588d28ea48a425f0a0b175f

SHA256
3b1169f0dfbf682faea94816c5f64cf472928ee6daa497504ba24c892922eb03

SHA512
0e0264e0bfedc4e669fffe1c2b921bdb7e2bf88e17f3cb780c03c29206d943e63d6bc6706321217ba86a3dabd508fe414113cb9eb900d01a7113557c5472b2b0

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK
MD5
c697f75af8414f6c0e41a36dc3c1d89c

SHA1
624d6a79eb47d26baa4613ee444a05df8c4b43bb

SHA256
82277210494e83f31d060fe07ee023bdd0400a754fba4a43cda17f794524ab28

SHA512
894f170b6256729266e6d3c03e8362bba228d67eb0c0e1f5a3ff7ddbe549af284f34208dc3f290001e97d3b8cae43c4b51a5c7803f42790c4241ea24b450580b

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
MD5
93eaadb674364db156de7a5a7e9c24e2

SHA1
d21d52de44727e471661cc37f45ee8bce7ceca7a

SHA256
d9cfb2034e698a22021bcdb52307ce465c82ff1d89b65d8dd69838d3efed79ed

SHA512
3f4dd3f0d7c0b9624ca7ac46ef5dc878a02d42eec2d04ca75db6d60a1844d1193024414d0ffe2fdf89b924618c9552569a81c42af22c4b232ac94d723d5f68a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\NVEVsJxmblan.exe
MD5
ab3681a8456319f1330f7525ec6935c3

SHA1
244e178e2073247893025bd51eb7618173bbac29

SHA256
1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb

SHA512
63e795ba9d18e5de28ed390810d3d61f97d7db4e8e5f49d57d567331697a83447a4d169386b7b3b08fb76f02683aa9f9c273d4ea52ee1517370554c8e6f4d42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NVEVsJxmblan.exe
MD5
ab3681a8456319f1330f7525ec6935c3

SHA1
244e178e2073247893025bd51eb7618173bbac29

SHA256
1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb

SHA512
63e795ba9d18e5de28ed390810d3d61f97d7db4e8e5f49d57d567331697a83447a4d169386b7b3b08fb76f02683aa9f9c273d4ea52ee1517370554c8e6f4d42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WVeYOuPhBlan.exe
MD5
ab3681a8456319f1330f7525ec6935c3

SHA1
244e178e2073247893025bd51eb7618173bbac29

SHA256
1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb

SHA512
63e795ba9d18e5de28ed390810d3d61f97d7db4e8e5f49d57d567331697a83447a4d169386b7b3b08fb76f02683aa9f9c273d4ea52ee1517370554c8e6f4d42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WVeYOuPhBlan.exe
MD5
ab3681a8456319f1330f7525ec6935c3

SHA1
244e178e2073247893025bd51eb7618173bbac29

SHA256
1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb

SHA512
63e795ba9d18e5de28ed390810d3d61f97d7db4e8e5f49d57d567331697a83447a4d169386b7b3b08fb76f02683aa9f9c273d4ea52ee1517370554c8e6f4d42d

Download Submit
C:\Users\RyukReadMe.html
MD5
1b2f46ac9409aa473abd073633285531

SHA1
4accb2cefe1579d6d1193f067940bc3e20dce752

SHA256
13903f058aaaeb04dfe101ed7a0abe9f6d06dd0dd50d2f89f87b5a2618ac6c22

SHA512
69b17166ff5044fb549291b0d5d2570648d7a99bc13d708d9b0b1abfd47bdca7a6eea56af424a12adfd5c788a3185ae23b35e2d4e26a21dff0c9197f1dc3fe93

Download Submit
memory/64-221-0x0000000000000000-mapping.dmp

Download
memory/564-130-0x0000000000000000-mapping.dmp

Download
memory/620-145-0x0000000000000000-mapping.dmp

Download
memory/636-131-0x0000000000000000-mapping.dmp

Download
memory/672-147-0x0000000000000000-mapping.dmp

Download
memory/740-137-0x0000000000000000-mapping.dmp

Download
memory/892-127-0x0000000000000000-mapping.dmp

Download
memory/976-132-0x0000000000000000-mapping.dmp

Download
memory/980-143-0x0000000000000000-mapping.dmp

Download
memory/1540-134-0x0000000000000000-mapping.dmp

Download
memory/1644-125-0x0000000000000000-mapping.dmp

Download
memory/1764-217-0x0000000000000000-mapping.dmp

Download
memory/1840-136-0x0000000000000000-mapping.dmp

Download
memory/2316-123-0x00007FF686070000-0x00007FF6861D3000-memory.dmp

Filesize
1.4MB

Download
memory/2324-124-0x00007FF686070000-0x00007FF6861D3000-memory.dmp

Filesize
1.4MB

Download
memory/2332-222-0x0000000000000000-mapping.dmp

Download
memory/2748-141-0x0000000000000000-mapping.dmp

Download
memory/2840-142-0x0000000000000000-mapping.dmp

Download
memory/2888-128-0x0000000000000000-mapping.dmp

Download
memory/3048-117-0x0000000000000000-mapping.dmp

Download
memory/3064-218-0x0000000000000000-mapping.dmp

Download
memory/3240-219-0x0000000000000000-mapping.dmp

Download
memory/3248-126-0x0000000000000000-mapping.dmp

Download
memory/3252-144-0x0000000000000000-mapping.dmp

Download
memory/3272-227-0x0000000000000000-mapping.dmp

Download
memory/3272-230-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/3416-220-0x0000000000000000-mapping.dmp

Download
memory/3436-129-0x00007FF686070000-0x00007FF6861D3000-memory.dmp

Filesize
1.4MB

Download
memory/3556-139-0x0000000000000000-mapping.dmp

Download
memory/3704-135-0x0000000000000000-mapping.dmp

Download
memory/3792-138-0x0000000000000000-mapping.dmp

Download
memory/3984-146-0x0000000000000000-mapping.dmp

Download
memory/4040-148-0x0000000000000000-mapping.dmp

Download
memory/4056-133-0x0000000000000000-mapping.dmp

Download
memory/4060-120-0x0000000000000000-mapping.dmp

Download
memory/4304-150-0x0000000000000000-mapping.dmp

Download
memory/4420-151-0x0000000000000000-mapping.dmp

Download
memory/4528-152-0x0000000000000000-mapping.dmp

Download
memory/4732-153-0x0000000000000000-mapping.dmp

Download
memory/4744-154-0x0000000000000000-mapping.dmp

Download
memory/4832-155-0x0000000000000000-mapping.dmp

Download
memory/4848-156-0x0000000000000000-mapping.dmp

Download
memory/4904-159-0x0000000000000000-mapping.dmp

Download
memory/5252-216-0x0000000000000000-mapping.dmp

Download
memory/6368-223-0x0000000000000000-mapping.dmp

Download
memory/6388-224-0x0000000000000000-mapping.dmp

Download
memory/6400-225-0x0000000000000000-mapping.dmp

Download
memory/6448-226-0x0000000000000000-mapping.dmp

Download
memory/8596-228-0x0000000000000000-mapping.dmp

Download
memory/8680-229-0x0000000000000000-mapping.dmp

Download
memory/9896-231-0x0000000000000000-mapping.dmp

Download
memory/10128-232-0x0000000000000000-mapping.dmp

Download
memory/29040-233-0x0000000000000000-mapping.dmp

Download
memory/29104-234-0x0000000000000000-mapping.dmp

Download
memory/33644-235-0x0000000000000000-mapping.dmp

Download
memory/33944-236-0x0000000000000000-mapping.dmp

Download