ryuk | 40b865d1c3ab1b8544bcf57c88edd30679870d40b27d62feb237a19f0c5f9cd1

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-en-20211208
submitted
28-01-2022 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

860e50.exe
Size

196KB
MD5

484a2bcb1335ac97ee91194f4c0964bc
SHA1

ad11ed52ab33ad05eb9b1e9ade134ca1348acc81
SHA256

40b865d1c3ab1b8544bcf57c88edd30679870d40b27d62feb237a19f0c5f9cd1
SHA512

6e61612bd29425c5ab9b648fa83bc2d8616071247f8659aa316ab9d4adde0a9ceb9301737bb4216db223dfdd371106da75463f6d7e3a88e1c4cdd6c821f3935f

Score

10^/10

ryuk discovery persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

vcBafeT.exe

pid process

652 vcBafeT.exe
Loads dropped DLL 2 IoCs

Processes:

860e50.exe

pid process

1632 860e50.exe
1632 860e50.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exe

pid process

988 icacls.exe
1032 icacls.exe
1772 icacls.exe
552 icacls.exe

pid	process
652	vcBafeT.exe

pid	process
988	icacls.exe
1032	icacls.exe
1772	icacls.exe
552	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\860e50.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vcBafeT.exe"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

860e50.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\RyukReadMe.html	860e50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01186_.WMF	860e50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106572.WMF	860e50.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\RyukReadMe.html	860e50.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\VideoLAN Website.url	860e50.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\RyukReadMe.html	860e50.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIcon.png	860e50.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RyukReadMe.html	860e50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00247_.WMF	860e50.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\FM20.CHM	860e50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105266.WMF	860e50.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\vlc.mo	860e50.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_top.png	860e50.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\PREVIEW.GIF	860e50.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_rest.png	860e50.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\THMBNAIL.PNG	860e50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02071_.WMF	860e50.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\es-ES\RyukReadMe.html	860e50.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml	860e50.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_right_mousedown.png	860e50.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Background_QuickLaunch.png	860e50.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\RyukReadMe.html	860e50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00202_.WMF	860e50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00084_.WMF	860e50.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\RyukReadMe.html	860e50.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\RyukReadMe.html	860e50.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\favicon.ico	860e50.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png	860e50.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_top.png	860e50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099174.WMF	860e50.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	860e50.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	860e50.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml	860e50.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\RyukReadMe.html	860e50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00902_.WMF	860e50.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-docked.png	860e50.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\settings.js	860e50.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png	860e50.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\RyukReadMe.html	860e50.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\skin.catalog	860e50.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\RyukReadMe.html	860e50.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\RyukReadMe.html	860e50.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msado25.tlb	860e50.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo	860e50.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\RyukReadMe.html	860e50.exe
File opened for modification	C:\Program Files\Windows Sidebar\fr-FR\RyukReadMe.html	860e50.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576black.png	860e50.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif	860e50.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.CGM	860e50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101859.BMP	860e50.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\drag.png	860e50.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\settings.html	860e50.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V	860e50.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\RyukReadMe.html	860e50.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.CHM	860e50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00438_.WMF	860e50.exe
File opened for modification	C:\Program Files\RepairExport.jpg	860e50.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\weather.css	860e50.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf	860e50.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\RyukReadMe.html	860e50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00790_.WMF	860e50.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\RyukReadMe.html	860e50.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\THMBNAIL.PNG	860e50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00248_.WMF	860e50.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1544 vssadmin.exe
2024 vssadmin.exe
Runs net.exe

pid	process
1544	vssadmin.exe
2024	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

860e50.exevcBafeT.exe

pid	process
1632	860e50.exe
1632	860e50.exe
652	vcBafeT.exe
1632	860e50.exe
1632	860e50.exe
1632	860e50.exe
1632	860e50.exe
1632	860e50.exe
1632	860e50.exe
1632	860e50.exe
652	vcBafeT.exe
652	vcBafeT.exe
652	vcBafeT.exe
652	vcBafeT.exe
652	vcBafeT.exe
652	vcBafeT.exe
652	vcBafeT.exe
652	vcBafeT.exe
652	vcBafeT.exe
652	vcBafeT.exe
652	vcBafeT.exe
652	vcBafeT.exe
652	vcBafeT.exe
1632	860e50.exe
1632	860e50.exe
1632	860e50.exe
1632	860e50.exe
1632	860e50.exe
1632	860e50.exe
1632	860e50.exe
1632	860e50.exe
1632	860e50.exe
1632	860e50.exe
1632	860e50.exe
1632	860e50.exe
1632	860e50.exe
1632	860e50.exe
652	vcBafeT.exe
1632	860e50.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

860e50.exevcBafeT.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1632	860e50.exe
Token: SeBackupPrivilege	652	vcBafeT.exe
Token: SeBackupPrivilege	1632	860e50.exe
Token: SeIncreaseQuotaPrivilege	1724	WMIC.exe
Token: SeSecurityPrivilege	1724	WMIC.exe
Token: SeTakeOwnershipPrivilege	1724	WMIC.exe
Token: SeLoadDriverPrivilege	1724	WMIC.exe
Token: SeSystemProfilePrivilege	1724	WMIC.exe
Token: SeSystemtimePrivilege	1724	WMIC.exe
Token: SeProfSingleProcessPrivilege	1724	WMIC.exe
Token: SeIncBasePriorityPrivilege	1724	WMIC.exe
Token: SeCreatePagefilePrivilege	1724	WMIC.exe
Token: SeBackupPrivilege	1724	WMIC.exe
Token: SeRestorePrivilege	1724	WMIC.exe
Token: SeShutdownPrivilege	1724	WMIC.exe
Token: SeDebugPrivilege	1724	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1724	WMIC.exe
Token: SeRemoteShutdownPrivilege	1724	WMIC.exe
Token: SeUndockPrivilege	1724	WMIC.exe
Token: SeManageVolumePrivilege	1724	WMIC.exe
Token: 33	1724	WMIC.exe
Token: 34	1724	WMIC.exe
Token: 35	1724	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1884	WMIC.exe
Token: SeSecurityPrivilege	1884	WMIC.exe
Token: SeTakeOwnershipPrivilege	1884	WMIC.exe
Token: SeLoadDriverPrivilege	1884	WMIC.exe
Token: SeSystemProfilePrivilege	1884	WMIC.exe
Token: SeSystemtimePrivilege	1884	WMIC.exe
Token: SeProfSingleProcessPrivilege	1884	WMIC.exe
Token: SeIncBasePriorityPrivilege	1884	WMIC.exe
Token: SeCreatePagefilePrivilege	1884	WMIC.exe
Token: SeBackupPrivilege	1884	WMIC.exe
Token: SeRestorePrivilege	1884	WMIC.exe
Token: SeShutdownPrivilege	1884	WMIC.exe
Token: SeDebugPrivilege	1884	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1884	WMIC.exe
Token: SeRemoteShutdownPrivilege	1884	WMIC.exe
Token: SeUndockPrivilege	1884	WMIC.exe
Token: SeManageVolumePrivilege	1884	WMIC.exe
Token: 33	1884	WMIC.exe
Token: 34	1884	WMIC.exe
Token: 35	1884	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1884	WMIC.exe
Token: SeSecurityPrivilege	1884	WMIC.exe
Token: SeTakeOwnershipPrivilege	1884	WMIC.exe
Token: SeLoadDriverPrivilege	1884	WMIC.exe
Token: SeSystemProfilePrivilege	1884	WMIC.exe
Token: SeSystemtimePrivilege	1884	WMIC.exe
Token: SeProfSingleProcessPrivilege	1884	WMIC.exe
Token: SeIncBasePriorityPrivilege	1884	WMIC.exe
Token: SeCreatePagefilePrivilege	1884	WMIC.exe
Token: SeBackupPrivilege	1884	WMIC.exe
Token: SeRestorePrivilege	1884	WMIC.exe
Token: SeShutdownPrivilege	1884	WMIC.exe
Token: SeDebugPrivilege	1884	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1884	WMIC.exe
Token: SeRemoteShutdownPrivilege	1884	WMIC.exe
Token: SeUndockPrivilege	1884	WMIC.exe
Token: SeManageVolumePrivilege	1884	WMIC.exe
Token: 33	1884	WMIC.exe
Token: 34	1884	WMIC.exe
Token: 35	1884	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1724	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

860e50.exenet.exenet.exevcBafeT.exenet.execmd.exe

description	pid	process	target process
PID 1632 wrote to memory of 652	1632	860e50.exe	vcBafeT.exe
PID 1632 wrote to memory of 652	1632	860e50.exe	vcBafeT.exe
PID 1632 wrote to memory of 652	1632	860e50.exe	vcBafeT.exe
PID 1632 wrote to memory of 652	1632	860e50.exe	vcBafeT.exe
PID 1632 wrote to memory of 1220	1632	860e50.exe	taskhost.exe
PID 1632 wrote to memory of 856	1632	860e50.exe	net.exe
PID 1632 wrote to memory of 856	1632	860e50.exe	net.exe
PID 1632 wrote to memory of 856	1632	860e50.exe	net.exe
PID 1632 wrote to memory of 856	1632	860e50.exe	net.exe
PID 1632 wrote to memory of 1468	1632	860e50.exe	net.exe
PID 1632 wrote to memory of 1468	1632	860e50.exe	net.exe
PID 1632 wrote to memory of 1468	1632	860e50.exe	net.exe
PID 1632 wrote to memory of 1468	1632	860e50.exe	net.exe
PID 856 wrote to memory of 1400	856	net.exe	net1.exe
PID 856 wrote to memory of 1400	856	net.exe	net1.exe
PID 856 wrote to memory of 1400	856	net.exe	net1.exe
PID 856 wrote to memory of 1400	856	net.exe	net1.exe
PID 1468 wrote to memory of 816	1468	net.exe	net1.exe
PID 1468 wrote to memory of 816	1468	net.exe	net1.exe
PID 1468 wrote to memory of 816	1468	net.exe	net1.exe
PID 1468 wrote to memory of 816	1468	net.exe	net1.exe
PID 1632 wrote to memory of 1312	1632	860e50.exe	Dwm.exe
PID 652 wrote to memory of 988	652	vcBafeT.exe	icacls.exe
PID 652 wrote to memory of 988	652	vcBafeT.exe	icacls.exe
PID 652 wrote to memory of 988	652	vcBafeT.exe	icacls.exe
PID 652 wrote to memory of 988	652	vcBafeT.exe	icacls.exe
PID 652 wrote to memory of 1032	652	vcBafeT.exe	icacls.exe
PID 652 wrote to memory of 1032	652	vcBafeT.exe	icacls.exe
PID 652 wrote to memory of 1032	652	vcBafeT.exe	icacls.exe
PID 652 wrote to memory of 1032	652	vcBafeT.exe	icacls.exe
PID 652 wrote to memory of 1680	652	vcBafeT.exe	cmd.exe
PID 652 wrote to memory of 1680	652	vcBafeT.exe	cmd.exe
PID 652 wrote to memory of 1680	652	vcBafeT.exe	cmd.exe
PID 652 wrote to memory of 1680	652	vcBafeT.exe	cmd.exe
PID 652 wrote to memory of 1544	652	vcBafeT.exe	vssadmin.exe
PID 652 wrote to memory of 1544	652	vcBafeT.exe	vssadmin.exe
PID 652 wrote to memory of 1544	652	vcBafeT.exe	vssadmin.exe
PID 652 wrote to memory of 1544	652	vcBafeT.exe	vssadmin.exe
PID 652 wrote to memory of 852	652	vcBafeT.exe	net.exe
PID 652 wrote to memory of 852	652	vcBafeT.exe	net.exe
PID 652 wrote to memory of 852	652	vcBafeT.exe	net.exe
PID 652 wrote to memory of 852	652	vcBafeT.exe	net.exe
PID 852 wrote to memory of 1912	852	net.exe	net1.exe
PID 852 wrote to memory of 1912	852	net.exe	net1.exe
PID 852 wrote to memory of 1912	852	net.exe	net1.exe
PID 852 wrote to memory of 1912	852	net.exe	net1.exe
PID 1680 wrote to memory of 1884	1680	cmd.exe	WMIC.exe
PID 1680 wrote to memory of 1884	1680	cmd.exe	WMIC.exe
PID 1680 wrote to memory of 1884	1680	cmd.exe	WMIC.exe
PID 1680 wrote to memory of 1884	1680	cmd.exe	WMIC.exe
PID 1632 wrote to memory of 1772	1632	860e50.exe	icacls.exe
PID 1632 wrote to memory of 1772	1632	860e50.exe	icacls.exe
PID 1632 wrote to memory of 1772	1632	860e50.exe	icacls.exe
PID 1632 wrote to memory of 1772	1632	860e50.exe	icacls.exe
PID 1632 wrote to memory of 552	1632	860e50.exe	icacls.exe
PID 1632 wrote to memory of 552	1632	860e50.exe	icacls.exe
PID 1632 wrote to memory of 552	1632	860e50.exe	icacls.exe
PID 1632 wrote to memory of 552	1632	860e50.exe	icacls.exe
PID 1632 wrote to memory of 2016	1632	860e50.exe	cmd.exe
PID 1632 wrote to memory of 2016	1632	860e50.exe	cmd.exe
PID 1632 wrote to memory of 2016	1632	860e50.exe	cmd.exe
PID 1632 wrote to memory of 2016	1632	860e50.exe	cmd.exe
PID 1632 wrote to memory of 2024	1632	860e50.exe	vssadmin.exe
PID 1632 wrote to memory of 2024	1632	860e50.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\860e50.exe
"C:\Users\Admin\AppData\Local\Temp\860e50.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\vcBafeT.exe
"C:\Users\Admin\AppData\Local\Temp\vcBafeT.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:988

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:1032

C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
3⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1544

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\vcBafeT.exe" /f /reg:64
3⤵
PID:17420

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\vcBafeT.exe" /f /reg:64
4⤵
- Adds Run key to start application
PID:17444

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:63008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:63040

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1400

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:816

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1772

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:552

C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
2⤵
PID:2016

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:2024

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\860e50.exe" /f /reg:64
2⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\860e50.exe" /f /reg:64
3⤵
- Adds Run key to start application
PID:1676

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:37724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:37828

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:50884

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:50568

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:60860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:60900

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:63420

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:63444

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1312

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1220

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK

MD5
ea1c49c6b6b3f9de8702ed296d60bbc0

SHA1
3ad233df4b7fdbf6ee6236dc62d96f5e7dfea870

SHA256
9d2692da252579a2a419cc99c430f5d725c8471d162a1487c44014f768a10873

SHA512
a16bd277c25dca1f38d35346ec12cde39f3037583b93d588e111480c4ac61d9360be0ed868d1f81d842253474d7f9e96b744ef637876c61aa332d1f512f6f243

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.html

MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html

MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\ACECache10.lst.RYK

MD5
9bceb461fc740403caeb5b608db38dd8

SHA1
31d5e8f35d4a2fc66064f84987c2f94b1711c45b

SHA256
1fbdd0f4ae0c5e9d9c83602dcda91667177eba0c77bf73b9dd4173806d23d6f3

SHA512
3542e55507f65ca81eb5bc852c350a9f04978e5b4e5542f8df514f8e09dab93634f43e939889741e7abb2794a4ea7a704aa3eb3056231e51781fd674e35a2073

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

MD5
2d9adbeb30c6ac25fdaf17843e24c1f2

SHA1
1041922f648323a1c0434fd79a79580e983c8374

SHA256
617ed2ab2e96cdba512b87ca24611fa0ae775636f8faef2754f7d207e70b53c5

SHA512
1bf300bf0bf56d610e36f0e2a6308635adb908ce2e909131bcfb02da69d88bc571f80b9225dde786157b3030f31633cf739cc6da4338a8cf9dde08ccbd3c7779

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

MD5
3c0828aa14e54b576d063865eb67fb59

SHA1
0c2eac99d5ae983f57f582f4c23eed458ccb03dd

SHA256
7d73bde4fbba65df0758c7869e8fbc9e4be4043cb09d8fb95cf9e0796fb45cbb

SHA512
e81317766f47defa10edd1e155743554ee8052ce0185ecf7b080810c968ba459a3089b440bc8f534cc3d4c50d68b19aba971063ab4b16aa025455c1bf4863724

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Adobe\RyukReadMe.html

MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Google\RyukReadMe.html

MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\IconCache.db.RYK

MD5
02f780aaa88b1045e162d7896ded0d3a

SHA1
90beed237eda6006c323eaf80c67161bf8d1e65a

SHA256
c6eafcc806fe4fffa197d5bdf1ab2ce5d6085d6e4d2256bafa196d41301f2c55

SHA512
bfda946bcde4012006d21b0335ce2a82a02dd534d0116ad7185a42490fb8d7d3a90d903359761aad53482ae40f9ed987f7d2538dd3de22e8afa47026f8dfda9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Credentials\RyukReadMe.html

MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RyukReadMe.html

MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK

MD5
de80e1b5ee6812c12076bf7740b4e6f3

SHA1
7fdb64c12ee4525fff4d49d0c5970f78d89a61fc

SHA256
2ff98b2b107dd2056b9f04e8d730ac286e9684218cd5b6a86e18e00cc798349c

SHA512
59e6da58f1d4c86973140ebfcece0c9720da4259482f1cc73ab9318216f7e63f4fde944b4eb4176665f173ac711f7b3df7f86ef31736df873d4a2c2d741f48a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\RyukReadMe.html

MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\RyukReadMe.html

MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak.RYK

MD5
ab8d81ce373b5c49c6bf9b5e26e21b9d

SHA1
4adcfd43e8feb2ace7fc11494ccf9d7af1c6a4bb

SHA256
820a9f7120fbd172ae79beaa27c7f08c1a1ce278bbc44f455f4d9f002f77b8bd

SHA512
11c0cd4fb360193f6b64586197dc4d266792185eccd0f2a88c64fb8bfab403ad6bf314e941eafe500c9890c4b47266e05de5ca96239f31bf238d23291c22e6cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.RYK

MD5
5060dc55f33fc12b9b64d194221a5c70

SHA1
97e939b1138ecad1bfeb02fab16704c9f406e725

SHA256
db804ad2c0c2a24c73e421a9dcfb0b523470815c3b1cf2bc43d09c51cfcafeed

SHA512
038f432a722ccfdd8e5b958a04f081b18936344a269389689d1157c0f8ab875b7bb7db553bace35f48223345db374854cab10a9a4294a1d391ce677214d16dea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb.RYK

MD5
7d2876eb1777d2d1ad8679b9b0f1f859

SHA1
d42c051bc19e6c21fa71512a1aa55b227cf2aee7

SHA256
84300c9f2e84e7aba10a813b58e736550a4b3b4ead5c7f74608aeb6102a16732

SHA512
cb701ec8c3a14bccf5ae90f2d1f36b1612c59318b409cbf63f1505f94f410ee72a174f318f097e7df17e31a0c2dfcd9674ef27d249cebb303cecca4da7f68d14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\RyukReadMe.html

MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\RyukReadMe.html

MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\RyukReadMe.html

MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PlayReady\RyukReadMe.html

MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\RyukReadMe.html

MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\RyukReadMe.html

MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\RyukReadMe.html

MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.htm

MD5
cdae2746c213cac9f2cc41ed561d24e2

SHA1
fe767b6610ec2cf8f6f0ed6f6c04197f0a6dcec2

SHA256
56ae82f622f70457a25cc52ec2fe68c9c6a12b6652dd54d0503e924afbe7a16e

SHA512
c0d55c393c9da9c9ae25a03006a219fe7e6e8e3617c9d5e38e1b90606c7b390489e724b57b9117a4d4f904b620eecc2eafd47bacdef8f0a26a0ad706302568d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg

MD5
aa05a36a826042e563c83a98b15a47ea

SHA1
d9390dad3d534c80887bf7b0fef67ab08c7b7c81

SHA256
628afa39023e927c52afe8236e1f82dd3279b4fb0b86783b484cdcd298a6ba0f

SHA512
ae22ea563185f05502c06d763d51ee61dfa15baa0541334ff6ffe11e9786feb24f348b5d08e1fefecb01a5ffed9607e9fbe1f0f18cb47b0e4fb4b0706f7eef3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg.RYK

MD5
7b3512f730c3a0204b4b29b146799ce4

SHA1
0bf1b230bdff12e69a4e70e0afb19f5dc6c56de1

SHA256
2889ca019fc9692ea4933328f4a96b957ab5f4b6f4ab2572107876cdcd33d066

SHA512
cf1f03ad386ee25808e06fbfdb7fcc0785a9b65d82fc7ec52a2730c753ad882f050a13e0ead149073233be41e10af31bbdab86f78447c4f55331dfdd562b0ccb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Cave_Drawings.gif.RYK

MD5
930e966c1f77bc1876f122ed2cca3095

SHA1
803b11843ab034f145f1f69f35b4fb3c9b247bf6

SHA256
13041358711be3ce33fb66d7a7ea5ef57ab23d2d5539ec04f8ba4ad1d56398a1

SHA512
b4c1ee345e98cb2d76111729e692e5fbb7c2e350966797784193b297b3f697d7121fd5b233c639c6f662346f70fdaba380020d907940cd2fb894478010669c88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Connectivity.gif.RYK

MD5
fc981ef4a78242b295afc623613b919b

SHA1
de1fe600d5c7bf8125d693ff6338ade08c70a6fb

SHA256
1444605525b57f2b66efe9cf3853c6299375af8d331aa190f4008c2892443b0a

SHA512
cc00426e328fb3ff51917bf5a1713066974458fb9a77ed94949dd3c0f86149275589128d6c48879cc7501d02725df9e369fc462257e4f8ca2c0c58d582da2e70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Dotted_Lines.emf

MD5
3482d42ec251efb13bc28a61ba8e269b

SHA1
4bbedf1a382099a01f68b6d8af3e3ee55947c7bf

SHA256
4759f985c9c168bfd2380311a6bcd539970186bfed543c438d07261ee8cd3517

SHA512
06995e5097e487b0f03ff4670146297928dcbe363c8809d9c93590c5afe1efc14ec31dbb7c1a5c4967ac34eddd82e8ad3effd02ceb3c4bb20464bf1906f8a335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg.RYK

MD5
c92ec3e5e8e4811d2ad8e0d904cfde56

SHA1
7a9347fb1d7f2efe75d9d05da3bd4bcec3004dcb

SHA256
14140a8c7ea0cdfc33b7a61ff618d53b2a8b169ab2219a2fcd0175854aa00a5e

SHA512
82c24e52698a4bbdeadcfbf3cd420acf5059eff078796269e5eabdbe19c1aafaac45b8aa065855a86b235a4ae68afaebdf4843fd8d9c3926343a64517bd2a227

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Genko_1.emf.RYK

MD5
9898eadc3b8716c56cb9cca4318ec914

SHA1
b2476fdbecf2e5fdeadd71ef8c0b5b5e42ed85e6

SHA256
4d36458389415fd18b1442b9ceb4fc8bb9959b8a3573c12a76eb78956f6b7442

SHA512
2e2224d3404d2b7199d55c4b0ea91faa624876885d18b70eb625a34719fb473352e5fafcf6b1669990e3c6ec77c970cdc3dfb8b9e4fa23deaa6402710fe21724

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Genko_2.emf.RYK

MD5
da3120658847cc09a453c47042a4de99

SHA1
85237d81af1ecce0d2df497f27b28b5add2b7aa0

SHA256
c646225c188dbb6151d943ab9ac0925276800a663fcf4a18353e019719bca2a7

SHA512
35550b16cb2e92a2e3f72bea019f6e831d8d8ae8349cfcf4880125542dcb962aef42412b4f58ef6624bb8ed406620843a2f8923bea50dff6b2346c5110ee8f0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Graph.emf.RYK

MD5
2fbe4135b2d5087f1ab3f3aeab75824d

SHA1
51f890c8c13a722265b607d8bd3a5f4346700d21

SHA256
f6cbd1c48dc453fa17e433d9477659f80066c3d6447b97acc40d51d229c86de9

SHA512
77ecdd4b0104caca4c6b0581b754daa747d759aa35934c993037d9730b760c2a14f649f0a5fc5e6dad75ed3c3c1a913b6a135f9bba9584effff006a1fd314398

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Green Bubbles.htm.RYK

MD5
7bdc0a688b53c6b8d4069a92c49853bf

SHA1
99bffa930848a7f9343a1207ff104dfda0f85f3a

SHA256
2f61e9d71ad7aa002d821d32c1ebd5135f82b4d14ede97663c4830d53a40f676

SHA512
fbd267ef2cb9a67feeb2844c8d38096eeecc6f580ee4ec3ce4db304f324bab2f83349d91687987e79ff208931ae76a795cb55f646cf902daffce8b33a6837e7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg.RYK

MD5
6db0b5a5e3645a333c64f6e9b1030dfa

SHA1
4813503b23ea5292f8b3b5d41ea099cbd12226b2

SHA256
fcd186e39b50082de37580707227cb347e5d5a1427dad6432ca0d2948eb272fb

SHA512
015b80c6590b77689c1ba129cd6f2caeaf34d6579d3da3bfb4eab054ab5d65eb677a40414d292ddb35135ad6f0d93850b7c5de47f70e1449572b9408298c87b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\grid_(cm).wmf.RYK

MD5
7417acf1f084618fbfa6ea66be6ab2fb

SHA1
4da2553681988db742906e930c9db3446219185d

SHA256
c94aab8bb3b7d1f4f35b5356b9d64a5b5886182f35a80c09c7f663d925a39972

SHA512
1d4badeb97a17d6c6ed1804e7babf264c930d77ac7a2c5f3bca92404cee6ec5fab129ab269cad645c6b67145b545d20a8c799fa73928bec66f22a0414824c8cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\grid_(inch).wmf.RYK

MD5
858e22f18c7a4057a361f0f721b56215

SHA1
f3bf53675a788bca985470d0e08779a4853e4ede

SHA256
64489524a8a1a6f0435c0f98dc40954708335a3772be207b762e34c06219097a

SHA512
2bbe288fe5e405c9e9ed0f4d4fa8558de89891b4343f3fb45a769f06b37d7a5027a9d663c7f5c6e220a703d22ab373dad20532663243a7ab1368a6333a919fbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.chk.RYK

MD5
07610782036323e448d2c7b96da7fef8

SHA1
78f816d963d59620ff72a361193e0499dfd53458

SHA256
d928d310452fb9f8f89bb23306afdab3b2d6799cd4f943c5fb7e8723969a0587

SHA512
e6b8fc036eafebd37ffbc528a68c2c025315a0c4d61c2b1399db21ed50190625bda2aae3f196b5a32032345cab99139692937f7dece8ed9774edbc289c549f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log.RYK

MD5
0973700219431c5bc3935c27e2edb4bd

SHA1
6f9b0790d1869fa4ab4826d9038b3a72bea55a69

SHA256
94bdbd8be2f2769c5f6038c9c0b1602e931c2ca85172b11428aa9484e339b306

SHA512
dc47af0cb3df6c514b3e60f4d5ff8a95f3395c6098353cc55baa6eff699c853134a010642955ac9a63ed1138215ecca66270a8915c3b7d3e2127e884307dae86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb00001.log.RYK

MD5
9d607625d06e63b016f8dbfd5d6a7807

SHA1
ecec4e53f97df4b2436efa03f0c4382f81ff0acb

SHA256
f4369a3c2c9367123cc2e01a3f8cf4545f54c339ede3865d9d84113e06cc4bae

SHA512
3cfe915fd815ee973ffea913c4e5d07e5e77e365b57aadccb967e5daf4acea6c3af4a47cab76952bf8f54cf2fd218b6e04f045fa4d75a58146a41c8572c2b34b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edbres00001.jrs.RYK

MD5
1aa103a41871c7c448bebb948c67d700

SHA1
272177bcbb9464e90c953a2a2f57a00710391d7d

SHA256
45380bb96fb9affafd5c0878ded8c431671ad9dffb02ac8893c5ee3a66acc04e

SHA512
6e3957214e531ed8e163302d690591de56fa94ac90174d8a525e3ab7b2d3b8f23f888001ffc021958b2e8f8efeb32e5c8e1c0ba9fc150241883a0c00db30572b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edbres00002.jrs.RYK

MD5
6a6a237841ebcc22b225172dabd6400a

SHA1
50ac46237259d876cda979a04696c6903ea74c39

SHA256
80d919d3914666f24dd9d8ff86db9902b2912a3a658c373e84a81275b484caf6

SHA512
5d0b88620f204f4876b8c02a8d2fd2302a5a7a6c9f4a81cd969335fc83c44066cc024970f2a9f3ffa96cd2c953cdf01fdb38ce55a1b2be0bee253d9a486c14f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\oeold.xml.RYK

MD5
4881ca7d1ac94738674bab734067f9d6

SHA1
75d692cc2d87386ffe5fc4bf53af740b5a889b9a

SHA256
58d1a6e2c06548a9004ec90768e2aecdd9d1b76d1eeaaaaaa2e544e5c2f3dc7c

SHA512
d34d2d9acf78994ea52bc12cd9857d9d6c2e2a3e60198cd6cbc0a8feb5e61c0bc7cc414c0f4868971ad45841346e41f984c585d27a73c9b3a0c3561a44c72d97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\RyukReadMe.html

MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\RyukReadMe.html

MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\RyukReadMe.html

MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\RyukReadMe.html

MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\RyukReadMe.html

MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\RyukReadMe.html

MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\RyukReadMe.html

MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\RyukReadMe.html

MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\RyukReadMe.html

MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\RyukReadMe.html

MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\RyukReadMe.html

MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcBafeT.exe

MD5
484a2bcb1335ac97ee91194f4c0964bc

SHA1
ad11ed52ab33ad05eb9b1e9ade134ca1348acc81

SHA256
40b865d1c3ab1b8544bcf57c88edd30679870d40b27d62feb237a19f0c5f9cd1

SHA512
6e61612bd29425c5ab9b648fa83bc2d8616071247f8659aa316ab9d4adde0a9ceb9301737bb4216db223dfdd371106da75463f6d7e3a88e1c4cdd6c821f3935f

Download Submit
C:\Users\RyukReadMe.html

MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
\Users\Admin\AppData\Local\Temp\vcBafeT.exe

MD5
484a2bcb1335ac97ee91194f4c0964bc

SHA1
ad11ed52ab33ad05eb9b1e9ade134ca1348acc81

SHA256
40b865d1c3ab1b8544bcf57c88edd30679870d40b27d62feb237a19f0c5f9cd1

SHA512
6e61612bd29425c5ab9b648fa83bc2d8616071247f8659aa316ab9d4adde0a9ceb9301737bb4216db223dfdd371106da75463f6d7e3a88e1c4cdd6c821f3935f

Download Submit
\Users\Admin\AppData\Local\Temp\vcBafeT.exe

MD5
484a2bcb1335ac97ee91194f4c0964bc

SHA1
ad11ed52ab33ad05eb9b1e9ade134ca1348acc81

SHA256
40b865d1c3ab1b8544bcf57c88edd30679870d40b27d62feb237a19f0c5f9cd1

SHA512
6e61612bd29425c5ab9b648fa83bc2d8616071247f8659aa316ab9d4adde0a9ceb9301737bb4216db223dfdd371106da75463f6d7e3a88e1c4cdd6c821f3935f

Download Submit
memory/652-121-0x000000000E140000-0x000000000E264000-memory.dmp

Filesize
1.1MB

Download
memory/1220-59-0x0000000030000000-0x0000000030170000-memory.dmp

Filesize
1.4MB

Download
memory/1632-54-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download