ryuk | f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31

Analysis

max time kernel
174s
max time network
84s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
Size

201KB
MD5

3f5da05d62a70eb1212db39d5d6cf45e
SHA1

369b0ba084ba65268d56019653d8edd37c4838f1
SHA256

f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31
SHA512

7424a9e8dc8dd521cbc98b910ab4642eb50f9d0c3a00e9b230207b505e3d7e74d16872d7be828983d6ec24c67858f1755cc1ac058fd48acefd8a730a41d790b1

Score

10^/10

ryuk discovery evasion persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 3 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exe

pid process

1116 bcdedit.exe
560 bcdedit.exe
1752 bcdedit.exe
Executes dropped EXE 1 IoCs

Processes:

IfedwYM.exe

pid process

584 IfedwYM.exe

pid	process
1116	bcdedit.exe
560	bcdedit.exe
1752	bcdedit.exe

pid	process
584	IfedwYM.exe

Loads dropped DLL 2 IoCs

Processes:

f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe

pid	process
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe

Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

1512 icacls.exe
1836 icacls.exe
800 icacls.exe
1536 icacls.exe
1952 icacls.exe
968 icacls.exe

pid	process
1512	icacls.exe
1836	icacls.exe
800	icacls.exe
1536	icacls.exe
1952	icacls.exe
968	icacls.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Windows\\system32\\taskhost.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IfedwYM.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

1120 vssadmin.exe
688 vssadmin.exe
976 vssadmin.exe
Runs net.exe

pid	process
1120	vssadmin.exe
688	vssadmin.exe
976	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exetaskhost.exeIfedwYM.exe

pid	process
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1228	taskhost.exe
584	IfedwYM.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1228	taskhost.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1228	taskhost.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
584	IfedwYM.exe
584	IfedwYM.exe
584	IfedwYM.exe
584	IfedwYM.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
584	IfedwYM.exe
584	IfedwYM.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exetaskhost.exeIfedwYM.exeWMIC.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
Token: SeBackupPrivilege	1228	taskhost.exe
Token: SeBackupPrivilege	584	IfedwYM.exe
Token: SeBackupPrivilege	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
Token: SeIncreaseQuotaPrivilege	2888	WMIC.exe
Token: SeSecurityPrivilege	2888	WMIC.exe
Token: SeTakeOwnershipPrivilege	2888	WMIC.exe
Token: SeLoadDriverPrivilege	2888	WMIC.exe
Token: SeSystemProfilePrivilege	2888	WMIC.exe
Token: SeSystemtimePrivilege	2888	WMIC.exe
Token: SeProfSingleProcessPrivilege	2888	WMIC.exe
Token: SeIncBasePriorityPrivilege	2888	WMIC.exe
Token: SeCreatePagefilePrivilege	2888	WMIC.exe
Token: SeBackupPrivilege	2888	WMIC.exe
Token: SeRestorePrivilege	2888	WMIC.exe
Token: SeShutdownPrivilege	2888	WMIC.exe
Token: SeDebugPrivilege	2888	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2888	WMIC.exe
Token: SeRemoteShutdownPrivilege	2888	WMIC.exe
Token: SeUndockPrivilege	2888	WMIC.exe
Token: SeManageVolumePrivilege	2888	WMIC.exe
Token: 33	2888	WMIC.exe
Token: 34	2888	WMIC.exe
Token: 35	2888	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2188	WMIC.exe
Token: SeSecurityPrivilege	2188	WMIC.exe
Token: SeTakeOwnershipPrivilege	2188	WMIC.exe
Token: SeLoadDriverPrivilege	2188	WMIC.exe
Token: SeSystemProfilePrivilege	2188	WMIC.exe
Token: SeSystemtimePrivilege	2188	WMIC.exe
Token: SeProfSingleProcessPrivilege	2188	WMIC.exe
Token: SeIncBasePriorityPrivilege	2188	WMIC.exe
Token: SeCreatePagefilePrivilege	2188	WMIC.exe
Token: SeBackupPrivilege	2188	WMIC.exe
Token: SeRestorePrivilege	2188	WMIC.exe
Token: SeShutdownPrivilege	2188	WMIC.exe
Token: SeDebugPrivilege	2188	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2188	WMIC.exe
Token: SeRemoteShutdownPrivilege	2188	WMIC.exe
Token: SeUndockPrivilege	2188	WMIC.exe
Token: SeManageVolumePrivilege	2188	WMIC.exe
Token: 33	2188	WMIC.exe
Token: 34	2188	WMIC.exe
Token: 35	2188	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2196	WMIC.exe
Token: SeSecurityPrivilege	2196	WMIC.exe
Token: SeTakeOwnershipPrivilege	2196	WMIC.exe
Token: SeLoadDriverPrivilege	2196	WMIC.exe
Token: SeSystemProfilePrivilege	2196	WMIC.exe
Token: SeSystemtimePrivilege	2196	WMIC.exe
Token: SeProfSingleProcessPrivilege	2196	WMIC.exe
Token: SeIncBasePriorityPrivilege	2196	WMIC.exe
Token: SeCreatePagefilePrivilege	2196	WMIC.exe
Token: SeBackupPrivilege	2196	WMIC.exe
Token: SeRestorePrivilege	2196	WMIC.exe
Token: SeShutdownPrivilege	2196	WMIC.exe
Token: SeDebugPrivilege	2196	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2196	WMIC.exe
Token: SeRemoteShutdownPrivilege	2196	WMIC.exe
Token: SeUndockPrivilege	2196	WMIC.exe
Token: SeManageVolumePrivilege	2196	WMIC.exe
Token: 33	2196	WMIC.exe
Token: 34	2196	WMIC.exe
Token: 35	2196	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exenet.exenet.exetaskhost.exeIfedwYM.exe

description	pid	process	target process
PID 1940 wrote to memory of 584	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	IfedwYM.exe
PID 1940 wrote to memory of 584	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	IfedwYM.exe
PID 1940 wrote to memory of 584	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	IfedwYM.exe
PID 1940 wrote to memory of 1228	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	taskhost.exe
PID 1940 wrote to memory of 1300	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	net.exe
PID 1940 wrote to memory of 1300	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	net.exe
PID 1940 wrote to memory of 1300	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	net.exe
PID 1940 wrote to memory of 908	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	net.exe
PID 1940 wrote to memory of 908	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	net.exe
PID 1940 wrote to memory of 908	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	net.exe
PID 1300 wrote to memory of 1388	1300	net.exe	net1.exe
PID 1300 wrote to memory of 1388	1300	net.exe	net1.exe
PID 1300 wrote to memory of 1388	1300	net.exe	net1.exe
PID 908 wrote to memory of 304	908	net.exe	net1.exe
PID 908 wrote to memory of 304	908	net.exe	net1.exe
PID 908 wrote to memory of 304	908	net.exe	net1.exe
PID 1940 wrote to memory of 1344	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	Dwm.exe
PID 1228 wrote to memory of 1836	1228	taskhost.exe	icacls.exe
PID 1228 wrote to memory of 1836	1228	taskhost.exe	icacls.exe
PID 1228 wrote to memory of 1836	1228	taskhost.exe	icacls.exe
PID 1940 wrote to memory of 1512	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	icacls.exe
PID 1940 wrote to memory of 1512	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	icacls.exe
PID 1940 wrote to memory of 1512	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	icacls.exe
PID 1228 wrote to memory of 800	1228	taskhost.exe	icacls.exe
PID 1228 wrote to memory of 800	1228	taskhost.exe	icacls.exe
PID 1228 wrote to memory of 800	1228	taskhost.exe	icacls.exe
PID 1228 wrote to memory of 1068	1228	taskhost.exe	cmd.exe
PID 1228 wrote to memory of 1068	1228	taskhost.exe	cmd.exe
PID 1228 wrote to memory of 1068	1228	taskhost.exe	cmd.exe
PID 584 wrote to memory of 1536	584	IfedwYM.exe	icacls.exe
PID 584 wrote to memory of 1536	584	IfedwYM.exe	icacls.exe
PID 584 wrote to memory of 1536	584	IfedwYM.exe	icacls.exe
PID 584 wrote to memory of 1952	584	IfedwYM.exe	icacls.exe
PID 584 wrote to memory of 1952	584	IfedwYM.exe	icacls.exe
PID 584 wrote to memory of 1952	584	IfedwYM.exe	icacls.exe
PID 584 wrote to memory of 1844	584	IfedwYM.exe	cmd.exe
PID 584 wrote to memory of 1844	584	IfedwYM.exe	cmd.exe
PID 584 wrote to memory of 1844	584	IfedwYM.exe	cmd.exe
PID 584 wrote to memory of 1120	584	IfedwYM.exe	vssadmin.exe
PID 584 wrote to memory of 1120	584	IfedwYM.exe	vssadmin.exe
PID 584 wrote to memory of 1120	584	IfedwYM.exe	vssadmin.exe
PID 1228 wrote to memory of 976	1228	taskhost.exe	vssadmin.exe
PID 1228 wrote to memory of 976	1228	taskhost.exe	vssadmin.exe
PID 1228 wrote to memory of 976	1228	taskhost.exe	vssadmin.exe
PID 1940 wrote to memory of 968	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	icacls.exe
PID 1940 wrote to memory of 968	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	icacls.exe
PID 1940 wrote to memory of 968	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	icacls.exe
PID 1940 wrote to memory of 1720	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	cmd.exe
PID 1940 wrote to memory of 1720	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	cmd.exe
PID 1940 wrote to memory of 1720	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	cmd.exe
PID 1228 wrote to memory of 560	1228	taskhost.exe	bcdedit.exe
PID 1228 wrote to memory of 560	1228	taskhost.exe	bcdedit.exe
PID 1228 wrote to memory of 560	1228	taskhost.exe	bcdedit.exe
PID 584 wrote to memory of 1116	584	IfedwYM.exe	bcdedit.exe
PID 584 wrote to memory of 1116	584	IfedwYM.exe	bcdedit.exe
PID 584 wrote to memory of 1116	584	IfedwYM.exe	bcdedit.exe
PID 1228 wrote to memory of 912	1228	taskhost.exe	cmd.exe
PID 1228 wrote to memory of 912	1228	taskhost.exe	cmd.exe
PID 1228 wrote to memory of 912	1228	taskhost.exe	cmd.exe
PID 1228 wrote to memory of 1616	1228	taskhost.exe	net.exe
PID 1228 wrote to memory of 1616	1228	taskhost.exe	net.exe
PID 1228 wrote to memory of 1616	1228	taskhost.exe	net.exe
PID 1940 wrote to memory of 688	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	vssadmin.exe
PID 1940 wrote to memory of 688	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	vssadmin.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1344

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\system32\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1836

C:\Windows\system32\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:800

C:\Windows\system32\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
2⤵
PID:1068

C:\Windows\System32\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:976

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f
2⤵
PID:912

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f
3⤵
- Adds Run key to start application
PID:2896

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No & bcdedit /set {default}
2⤵
- Modifies boot configuration data using bcdedit
PID:560

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
"C:\Users\Admin\AppData\Local\Temp\f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\AppData\Local\Temp\IfedwYM.exe
"C:\Users\Admin\AppData\Local\Temp\IfedwYM.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\system32\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:1536

C:\Windows\system32\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
3⤵
PID:1844

C:\Windows\System32\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\system32\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:1952

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1120

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No & bcdedit /set {default}
3⤵
- Modifies boot configuration data using bcdedit
PID:1116

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:2872

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1496

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IfedwYM.exe" /f
3⤵
PID:12684

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IfedwYM.exe" /f
4⤵
- Adds Run key to start application
PID:13200

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1388

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:304

C:\Windows\system32\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1512

C:\Windows\system32\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:968

C:\Windows\system32\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
2⤵
PID:1720

C:\Windows\System32\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe" /f
2⤵
PID:1028

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe" /f
3⤵
- Adds Run key to start application
PID:2988

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No & bcdedit /set {default}
2⤵
- Modifies boot configuration data using bcdedit
PID:1752

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:2808

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2928

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:688

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:15908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:15932

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
1⤵
PID:2916

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst

MD5
da334c18d2a1951bca885d91bf598dfb

SHA1
29af073ca7c784c1e2870108cab6e88543490c2a

SHA256
1b0a1acb6cccf1e7b93f912f1ee8cdccdc5ddd596e5e5ad2e3ac6c119d5f3b09

SHA512
a3155e97460692d2c8db9a7fd34d3d1776bd46756e23b2c88d66a6bb841bfd599fa2921cfa78867254d271227c5111544db467cf89e8c6da393b37a5c7fdde81

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache10.lst.RYK

MD5
13baed4d9c3040c86e6229dee9e81471

SHA1
a9d7b735dcae5356dbf3bd8d8a6d26c7611bb790

SHA256
bcda476f5a1a9162a9a8f7809ce340a58d416aa3ad84bbb2caf457c1fede5d34

SHA512
4ca69cac5c0853e69edf785b016a2e2f3c350bc1f1c30ef5e5152af9a7cf96b8d4f3df6c0b70020022768a479228127e9c74faf24b8c13e51689306e1001a54a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

MD5
c43b951b81f96ccf3c1d18255b730786

SHA1
5abaac62235f95779e3abbc134fa946684843d25

SHA256
844cbaf5b2d259899ebb95390a05c893fe743e1665e18f0e07cfd18fc54c8304

SHA512
d49b9d4076694fc7ffa9dc19047d16574742f9f7ca7f6e0805cca20582f71930884ed62f50bb805e04550f1eb51ff202adf1d81920990b042d14d481817b2aa0

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc

MD5
a3a67996a1abcaa7ca436beb6d245e89

SHA1
c2a4fc9741fa0f31cd3048bb6e51749e5a4be955

SHA256
4cd598c599bcf991422ce4df88a53bcc6d0f7153cf4e21dd32c814609fa913ce

SHA512
02d6e011182ff53bbe8cc39ace6c35ef1bfdb1ec4b0b22144ef348ed882c739f7c5928b97af7928ed28ea7ddf5a40ae5a776d7f7ba0df58b2b1e344fc8841bed

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Adobe\Color\Profiles\wscRGB.icc

MD5
a3a67996a1abcaa7ca436beb6d245e89

SHA1
c2a4fc9741fa0f31cd3048bb6e51749e5a4be955

SHA256
4cd598c599bcf991422ce4df88a53bcc6d0f7153cf4e21dd32c814609fa913ce

SHA512
02d6e011182ff53bbe8cc39ace6c35ef1bfdb1ec4b0b22144ef348ed882c739f7c5928b97af7928ed28ea7ddf5a40ae5a776d7f7ba0df58b2b1e344fc8841bed

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst

MD5
8a72810b9918d1ccb31fddec86fbae95

SHA1
d0938f8ac1bae2a4053bc9724b8d3502a206ab6e

SHA256
1e983f738cb0bdb98ba9beff4628cc5a544d7a0cc16f76704bfe45b6bd02dba2

SHA512
be5f516978c90978a9ee4ccade8fb892ecbebd49088d0d6c85a407a42a7b1217c52a7ada7b1fca6339b3f505b5e19e83f2d7bb14c68d1f39e7b1e8165e4fa4cb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00000.log

MD5
cf1ecbf61a54139f45548bc9922f311e

SHA1
538cddca3f9863171fa334f560a21b7e4bf6e79e

SHA256
f19694dc7b124955cf18e147c1ff52bfa9b99139dac35a43b589fbca8f56f96c

SHA512
2230d6413b1e9dc27513b6a10ade5fa38e3d7841a27e85a5d94e41971b88635e6df5a021389ab31120464226c189fad49423b937ee8a4f3557b5fc5c0cc2b0c3

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00001.log

MD5
473673c258c1a7c4f09dd9e37c4b15fa

SHA1
0038f1fc950c39a3545ab9264a4d458d7d12798d

SHA256
786885b2d24ddcf54f74db532f73464c88547e5dc4a3c91843baf14028a7136d

SHA512
00e2848d78e79564b31e1f4a5b80ad8aba5df8db79fb9da2746ef1da8f0e5449251f8faab546ca31848405e2f29f434e4861ea20ed876ce523212147f7cef095

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGID605.tmp-tmp

MD5
8ca57d7a4f006841870f082c2b406d4c

SHA1
119171fe8660c97e4c832adeb85a31e3437e0e92

SHA256
b9c746eed0e04c50066438de2f4dbb98576a35ba324fb52bc30bf5d6bb5f7e34

SHA512
2fdaa55a7194b7f168e54cf02370c1c6d4fa1384a2457d6485dcb5555d80ea49096f6fbd4f352b2762bae4731681fedffbb095eec18b6a684f2579bc48c1edea

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log

MD5
ef361d48829a4b6808e655525befa646

SHA1
bb399e4d4bb4d151096917597ae190ecb20b4fe5

SHA256
299ed3f294479a5f6f44b4ea487946b5bb06324a5b293defd13393b692cb4514

SHA512
6b392729575c64c31a8201495e38b2627427dd3ece5e93458f2a16d996d77372c3408c40f587d947e2eb5c5176aae999be9037d06272597dd7d3fcfeb1662b74

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_SetupUtility.txt

MD5
e3cf71cf1088776bf253c8db976cbe3d

SHA1
85b38d9963dd65f5b72649dc356af6868d67b38a

SHA256
ebe36a0575d82f0793097534ca70706de56447079151f335797954b1ab9855a7

SHA512
d7ce54bd2223dfbc2fee5b6e48593d09edc3ee0fd855bed916e57a7dd3925867eca0ba97f1d64dee900eeea9f079e08d91fe22465fdcdbe479e642dbb5cebf62

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI37AD.txt

MD5
197c810cfd1fdf61c9c67d3294801d8a

SHA1
46b660305d2c334374d35288efbaa3b2c498a708

SHA256
53cda510fc899efa3c7ded070ddad0eecab498468c91961ce0f8d72fdf7cb71c

SHA512
57f96345b19f12211c4d2c0ce6f3f10b385641b22b15c9a41fac56e7515130ef8397c8ef78e6e8e9611e0795a7b91b1d85120eb79cc7cc0a7cf85066d0629b97

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install_reg.log

MD5
2d6960024276817a40f3eb2b6d81feac

SHA1
5eafe3b04eb32b2cd3b7f4f63e583ae2800274ec

SHA256
8b9d2bbf7a6d97598514bbd2cae1f70ddb5171849013816fe7d1345d2cab2715

SHA512
a49aee2d2f7a9b7f0c9bd4651799b38f56a44556f36b3ff7a90edc8bd6134b93bc50d25e4ef0e8f9333480abbc445025ed853882eea59a12d619cf49642e2fbd

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak

MD5
5b8995972ecc3f2573ac6777372aca95

SHA1
d3ba7360e6c5b4ce4ff0385227d91a5521141675

SHA256
b8d4a146e503418fec17bc1141f18ea43e7f46856482103a5801d775b86e504c

SHA512
302e9ccc6cc758a94714e92800833537584849f128fb7dd0db3e650abe82408c3659665ed3bc3ef2b31c19b87391a60cb683488103dfca9ea254563454210589

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\LocalMLS_3.wmdb

MD5
18d21303a85cd8827f704fc5ebf7d19b

SHA1
da906faedeead14b631a51c95f2888ae5931fba2

SHA256
7e08b69a7ee83b253727748085ffe8c99b0412bf0300094344f8db007fb8a508

SHA512
12dd097f2b23f2f4eff6c19c3a9d342e89b7f78cf9712c96bf0678e6c0968a4ea9ebcf5eb926aa0abb20426c1ea3ec3fc3814b353ae2d132dc1a622ea597dcae

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.htm

MD5
7f3e27a74bdbcca80bfc190d5c08b367

SHA1
aeb3ab95e695edca59905a12819107345c11464f

SHA256
c28bad872796e8f94913b8600b79cb2a37f14b934a884b16a9d2125752494af3

SHA512
aa53df8778bd05b3fb0f21a95c91564b9074cdf527facc85101d9ab6f222e8c56ed667f85eaffdc40cb533bae26ecf1479a2762cb370e9647f6a877c1de4be0f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Graph.emf

MD5
ed5abb5b620f53a5898847040de4fe5f

SHA1
eeb1aa9e397c5ce6124ab8dec746019e00a74719

SHA256
7f02c5048f13949aa772e302c6acdb5d529f2950f710bdef8140975bea78effd

SHA512
0157ebfad20caf763ec421f830d744bf868e3a65cc23af294bd50936efb6b6155a480cac8c3ccac80309ff5a095b40401f65e6259b64f698848c867e1295aca7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Memo.emf

MD5
8fae3b233db15b291d84d415b14144d1

SHA1
ff1b8d9864dbb584dba41d533b8ce57211c3b683

SHA256
19764bb2a951693e2b9fd8227cbd05d2d5f391a4c0a46fd5197c144a0b620220

SHA512
3597771bddeda784adcfe5a5426853fc65b3da1f605c920ef66a8bedc85df8bb29d48a72c6b3bbaa7e027324ab36c1b5d27c4964e649a8213410f1c3b5b27dd4

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Monet.jpg

MD5
38c989bdc4db82ea69663d7ff18c50db

SHA1
b900e95507449d94fb552d028f6bc6a3b6a50c0f

SHA256
f7b161f5967a5bf7960a7d064f069e6fd33fcfc87fcd8689a1ebdafeaf2e743f

SHA512
62ba31d75b768aab65fa093ac1c33074ee3f70d094863e28c6884721e51314f297c85152c83b7fcc43bc5debf8369b535eb9c3f3474e154bfc00a878093a9c66

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Music.emf

MD5
ddefdc215ffdc4b0bc5214b42532be18

SHA1
d9f1d37b0e42e1cdfdc88dce17d494c9efb6da31

SHA256
bed49555443420e8472e615e8b4944cfbc2ed9704bcb4d07c6656a9e37f7572b

SHA512
452a6536098c868a7a97f3b90136e63f4bd94f8af8686bd51305de5234aa1b295b9d4a3701aa92d3a2c56ac79e9de4c501ec7a90cdd712f25bb3eb87a5dca22e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Roses.htm

MD5
4d983e3856c33ff13dba7c3856193d55

SHA1
aa75a5f09ce2a463d1f169cd494e086de66d004c

SHA256
56d04cbd5a7ebd7f3c9930bf3d8986b8095f8ffb2604b6ad69ec063b6b4b89a8

SHA512
17444156efbae7984a45b198d82c580c438f3912f8ef9c2e43e88e19bec7c34866387afa85391bb24b35cd02a6b46ce6ab1bc00fa0b2904ebfc38d1a0da4dd91

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Stars.jpg

MD5
eccb3544cb0dcf019bd5cf9cc5f95cbd

SHA1
b29442c162db3b07d2768e3f7f938aaa596fea4f

SHA256
a720bdf33f24de62761b51cb5130cf96f2463db094d28cfb94fb4e9163a7a9d8

SHA512
426168ed5b8f27cbcd5ae730d41af5f33d9f1f10bb1f8c590adf523bdd9e651ef83d23f0c597bb96119644c35a58550fa14aa2cc76f771e1a49fbe7b3cf25f52

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Tiki.gif

MD5
c428d0b4a67137519e2efbc9be245f66

SHA1
8e12ae01c6310e8341d0cef91721630ce6868a1e

SHA256
a6eda7b4dae91c8817a3986f16d0d6e7ff3241ee39ed6aeba01a5be317d2d4b5

SHA512
8da776179e2834c07cd940fe11fe44b3c149ffdd5528b38e2af9ddcb1a0089f057ac088c9d84d4cfe6a9150c08d51086538cf0e3974dd5abd7d8026ec5ab1b83

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb00001.log

MD5
b13bba1d7c4fc345380ea7771a7fc7e5

SHA1
0432ef209cae4156a8a4fc43ed25813f60934b0b

SHA256
eee98b1fb8c0d639cf163051152809074606fc57230c10e00ff2b105df50bcbc

SHA512
9304dbd8fc232405c16857efc068047eaaabff4685c65b8de4443c6547e654e7e238a7020681215a863e2ca8fb3e4eea4537903eae61841efbda6379d15dc935

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00002.jrs

MD5
3014781ac542d3040d9c49bb29887479

SHA1
7373bb2cdea3ddac3a7227facea3525bdbd40081

SHA256
0b59ce76129c044b6319a2457bd72ef9c3571e11c74d19e7f3ce4791ecdcb374

SHA512
305f4e6390a20d418f1c61a373af54c432c8d58c1bef19e5e23e54d42b532e7079d774d9fd76434cdd46859629d01e99ce74e49b24625327d227a1525d58613b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\oeold.xml

MD5
a91c7bb02f38db2c0d7ac42126ae16be

SHA1
8e849b01367abcc9bc819ae4651c86a83d377559

SHA256
24ae8f8a2c6ed0202b42e46028058c6ca11b3ac3fd268ed731446aef5f52218b

SHA512
4a482f14203f5133d6eece92386b911f49b2d5928c2c52dad4afe4a5607d8f295d66e520acb92eb8a1e07b942b6bf4272fe120da8e4ad1aa5901489dc701781c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Media\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\Documents and Settings\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IfedwYM.exe

MD5
3f5da05d62a70eb1212db39d5d6cf45e

SHA1
369b0ba084ba65268d56019653d8edd37c4838f1

SHA256
f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31

SHA512
7424a9e8dc8dd521cbc98b910ab4642eb50f9d0c3a00e9b230207b505e3d7e74d16872d7be828983d6ec24c67858f1755cc1ac058fd48acefd8a730a41d790b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

MD5
88f5f8964527fb0fd6455ac3d4918764

SHA1
8911d44a862d2cb2ab14693e24603c24d3ddc790

SHA256
58a7fe409fc9b57f03827f8c26566161fabbc8d09c80e0f0416208028ac41d02

SHA512
4058a676e3688c2721bbe36b562bf34389a99ea65ac5defe029813ea6179f6166aba5378f627b979892213f8231922b64d5fb410fd6634f38643243c1beddedf

Download Submit
\Users\Admin\AppData\Local\Temp\IfedwYM.exe

MD5
3f5da05d62a70eb1212db39d5d6cf45e

SHA1
369b0ba084ba65268d56019653d8edd37c4838f1

SHA256
f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31

SHA512
7424a9e8dc8dd521cbc98b910ab4642eb50f9d0c3a00e9b230207b505e3d7e74d16872d7be828983d6ec24c67858f1755cc1ac058fd48acefd8a730a41d790b1

Download Submit
\Users\Admin\AppData\Local\Temp\IfedwYM.exe

MD5
3f5da05d62a70eb1212db39d5d6cf45e

SHA1
369b0ba084ba65268d56019653d8edd37c4838f1

SHA256
f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31

SHA512
7424a9e8dc8dd521cbc98b910ab4642eb50f9d0c3a00e9b230207b505e3d7e74d16872d7be828983d6ec24c67858f1755cc1ac058fd48acefd8a730a41d790b1

Download Submit
memory/1228-58-0x000000013F360000-0x000000013F4D4000-memory.dmp

Filesize
1.5MB

Download
memory/1228-60-0x000000013F360000-0x000000013F4D4000-memory.dmp

Filesize
1.5MB

Download
memory/1344-61-0x000000013F360000-0x000000013F4D4000-memory.dmp

Filesize
1.5MB

Download
memory/1940-54-0x000007FEFBE11000-0x000007FEFBE13000-memory.dmp

Filesize
8KB

Download