ryuk | c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10

Analysis

max time kernel
170s
max time network
149s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
Size

192KB
MD5

ac4845378d6e9585c758efeffe713857
SHA1

4febb67955fa4743db70dad7481702bb46f60d69
SHA256

c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10
SHA512

6edaf5e417087b428feaa81214bad3deab967462b6448f6252a413f839a32dcc40cd6be369284a8d940ad1b0804bbc6a85ae22a179af9d7a5cb780658009c874

Score

10^/10

ryuk discovery persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

nVwfPDf.exe

pid process

884 nVwfPDf.exe

pid	process
884	nVwfPDf.exe

Loads dropped DLL 2 IoCs

Processes:

c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe

pid	process
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exe

pid process

384 icacls.exe
1528 icacls.exe
1820 icacls.exe
1824 icacls.exe

pid	process
384	icacls.exe
1528	icacls.exe
1820	icacls.exe
1824	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nVwfPDf.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1476 vssadmin.exe
1328 vssadmin.exe
Runs net.exe

pid	process
1476	vssadmin.exe
1328	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exenVwfPDf.exe

pid	process
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
884	nVwfPDf.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
884	nVwfPDf.exe
884	nVwfPDf.exe
884	nVwfPDf.exe
884	nVwfPDf.exe
884	nVwfPDf.exe
884	nVwfPDf.exe
884	nVwfPDf.exe
884	nVwfPDf.exe
884	nVwfPDf.exe
884	nVwfPDf.exe
884	nVwfPDf.exe
884	nVwfPDf.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
884	nVwfPDf.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exenVwfPDf.exevssvc.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
Token: SeBackupPrivilege	884	nVwfPDf.exe
Token: SeBackupPrivilege	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
Token: SeBackupPrivilege	2220	vssvc.exe
Token: SeRestorePrivilege	2220	vssvc.exe
Token: SeAuditPrivilege	2220	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1952	WMIC.exe
Token: SeSecurityPrivilege	1952	WMIC.exe
Token: SeTakeOwnershipPrivilege	1952	WMIC.exe
Token: SeLoadDriverPrivilege	1952	WMIC.exe
Token: SeSystemProfilePrivilege	1952	WMIC.exe
Token: SeSystemtimePrivilege	1952	WMIC.exe
Token: SeProfSingleProcessPrivilege	1952	WMIC.exe
Token: SeIncBasePriorityPrivilege	1952	WMIC.exe
Token: SeCreatePagefilePrivilege	1952	WMIC.exe
Token: SeBackupPrivilege	1952	WMIC.exe
Token: SeRestorePrivilege	1952	WMIC.exe
Token: SeShutdownPrivilege	1952	WMIC.exe
Token: SeDebugPrivilege	1952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1952	WMIC.exe
Token: SeRemoteShutdownPrivilege	1952	WMIC.exe
Token: SeUndockPrivilege	1952	WMIC.exe
Token: SeManageVolumePrivilege	1952	WMIC.exe
Token: 33	1952	WMIC.exe
Token: 34	1952	WMIC.exe
Token: 35	1952	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1752	WMIC.exe
Token: SeSecurityPrivilege	1752	WMIC.exe
Token: SeTakeOwnershipPrivilege	1752	WMIC.exe
Token: SeLoadDriverPrivilege	1752	WMIC.exe
Token: SeSystemProfilePrivilege	1752	WMIC.exe
Token: SeSystemtimePrivilege	1752	WMIC.exe
Token: SeProfSingleProcessPrivilege	1752	WMIC.exe
Token: SeIncBasePriorityPrivilege	1752	WMIC.exe
Token: SeCreatePagefilePrivilege	1752	WMIC.exe
Token: SeBackupPrivilege	1752	WMIC.exe
Token: SeRestorePrivilege	1752	WMIC.exe
Token: SeShutdownPrivilege	1752	WMIC.exe
Token: SeDebugPrivilege	1752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1752	WMIC.exe
Token: SeRemoteShutdownPrivilege	1752	WMIC.exe
Token: SeUndockPrivilege	1752	WMIC.exe
Token: SeManageVolumePrivilege	1752	WMIC.exe
Token: 33	1752	WMIC.exe
Token: 34	1752	WMIC.exe
Token: 35	1752	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1952	WMIC.exe
Token: SeSecurityPrivilege	1952	WMIC.exe
Token: SeTakeOwnershipPrivilege	1952	WMIC.exe
Token: SeLoadDriverPrivilege	1952	WMIC.exe
Token: SeSystemProfilePrivilege	1952	WMIC.exe
Token: SeSystemtimePrivilege	1952	WMIC.exe
Token: SeProfSingleProcessPrivilege	1952	WMIC.exe
Token: SeIncBasePriorityPrivilege	1952	WMIC.exe
Token: SeCreatePagefilePrivilege	1952	WMIC.exe
Token: SeBackupPrivilege	1952	WMIC.exe
Token: SeRestorePrivilege	1952	WMIC.exe
Token: SeShutdownPrivilege	1952	WMIC.exe
Token: SeDebugPrivilege	1952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1952	WMIC.exe
Token: SeRemoteShutdownPrivilege	1952	WMIC.exe
Token: SeUndockPrivilege	1952	WMIC.exe
Token: SeManageVolumePrivilege	1952	WMIC.exe
Token: 33	1952	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exenVwfPDf.execmd.exe

description	pid	process	target process
PID 820 wrote to memory of 884	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	nVwfPDf.exe
PID 820 wrote to memory of 884	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	nVwfPDf.exe
PID 820 wrote to memory of 884	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	nVwfPDf.exe
PID 820 wrote to memory of 884	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	nVwfPDf.exe
PID 820 wrote to memory of 1112	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	taskhost.exe
PID 820 wrote to memory of 1176	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	Dwm.exe
PID 884 wrote to memory of 384	884	nVwfPDf.exe	icacls.exe
PID 884 wrote to memory of 384	884	nVwfPDf.exe	icacls.exe
PID 884 wrote to memory of 384	884	nVwfPDf.exe	icacls.exe
PID 884 wrote to memory of 384	884	nVwfPDf.exe	icacls.exe
PID 884 wrote to memory of 1528	884	nVwfPDf.exe	icacls.exe
PID 884 wrote to memory of 1528	884	nVwfPDf.exe	icacls.exe
PID 884 wrote to memory of 1528	884	nVwfPDf.exe	icacls.exe
PID 884 wrote to memory of 1528	884	nVwfPDf.exe	icacls.exe
PID 820 wrote to memory of 1904	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	net.exe
PID 820 wrote to memory of 1904	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	net.exe
PID 820 wrote to memory of 1904	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	net.exe
PID 820 wrote to memory of 1904	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	net.exe
PID 820 wrote to memory of 392	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	net.exe
PID 820 wrote to memory of 392	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	net.exe
PID 820 wrote to memory of 392	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	net.exe
PID 820 wrote to memory of 392	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	net.exe
PID 884 wrote to memory of 1064	884	nVwfPDf.exe	cmd.exe
PID 884 wrote to memory of 1064	884	nVwfPDf.exe	cmd.exe
PID 884 wrote to memory of 1064	884	nVwfPDf.exe	cmd.exe
PID 884 wrote to memory of 1064	884	nVwfPDf.exe	cmd.exe
PID 884 wrote to memory of 1476	884	nVwfPDf.exe	vssadmin.exe
PID 884 wrote to memory of 1476	884	nVwfPDf.exe	vssadmin.exe
PID 884 wrote to memory of 1476	884	nVwfPDf.exe	vssadmin.exe
PID 884 wrote to memory of 1476	884	nVwfPDf.exe	vssadmin.exe
PID 820 wrote to memory of 1820	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	icacls.exe
PID 820 wrote to memory of 1820	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	icacls.exe
PID 820 wrote to memory of 1820	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	icacls.exe
PID 820 wrote to memory of 1820	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	icacls.exe
PID 820 wrote to memory of 1824	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	icacls.exe
PID 820 wrote to memory of 1824	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	icacls.exe
PID 820 wrote to memory of 1824	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	icacls.exe
PID 820 wrote to memory of 1824	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	icacls.exe
PID 820 wrote to memory of 1944	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	cmd.exe
PID 820 wrote to memory of 1944	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	cmd.exe
PID 820 wrote to memory of 1944	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	cmd.exe
PID 820 wrote to memory of 1944	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	cmd.exe
PID 820 wrote to memory of 1328	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	vssadmin.exe
PID 820 wrote to memory of 1328	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	vssadmin.exe
PID 820 wrote to memory of 1328	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	vssadmin.exe
PID 820 wrote to memory of 1328	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	vssadmin.exe
PID 884 wrote to memory of 1160	884	nVwfPDf.exe	net.exe
PID 884 wrote to memory of 1160	884	nVwfPDf.exe	net.exe
PID 884 wrote to memory of 1160	884	nVwfPDf.exe	net.exe
PID 884 wrote to memory of 1160	884	nVwfPDf.exe	net.exe
PID 820 wrote to memory of 1704	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	net.exe
PID 820 wrote to memory of 1704	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	net.exe
PID 820 wrote to memory of 1704	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	net.exe
PID 820 wrote to memory of 1704	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	net.exe
PID 820 wrote to memory of 1416	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	cmd.exe
PID 820 wrote to memory of 1416	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	cmd.exe
PID 820 wrote to memory of 1416	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	cmd.exe
PID 820 wrote to memory of 1416	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	cmd.exe
PID 820 wrote to memory of 612	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	net.exe
PID 820 wrote to memory of 612	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	net.exe
PID 820 wrote to memory of 612	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	net.exe
PID 820 wrote to memory of 612	820	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	net.exe
PID 1416 wrote to memory of 1480	1416	cmd.exe	reg.exe
PID 1416 wrote to memory of 1480	1416	cmd.exe	reg.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
"C:\Users\Admin\AppData\Local\Temp\c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:820

C:\Users\Admin\AppData\Local\Temp\nVwfPDf.exe
"C:\Users\Admin\AppData\Local\Temp\nVwfPDf.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:384

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:1528

C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
3⤵
PID:1064

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1476

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
3⤵
PID:1160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
4⤵
PID:2140

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\nVwfPDf.exe" /f /reg:64
3⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\nVwfPDf.exe" /f /reg:64
4⤵
- Adds Run key to start application
PID:2700

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:36804

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:36828

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:1904

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2124

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:392

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2116

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1820

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1824

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:1328

C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
2⤵
PID:1944

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:1704

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2132

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe" /f /reg:64
2⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe" /f /reg:64
3⤵
- Adds Run key to start application
PID:1480

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2160

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:24564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:23688

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:26756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:27452

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:36684

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:36708

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:36724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:36748

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK

MD5
0891dd48043b76a3ad7ef805a1904829

SHA1
6fd36cf2d0f173b822fe4669807d9889ba432e3b

SHA256
0d8a83a9b71146b1689e4ded7d7aa0dcf5ac6d8eb93e7abe4ab323c8eb0e8904

SHA512
eb2ab9b740ae9e23019058c13dfd36e8996926fc4cc8a960ad6a65bd8c5507d56631ef5255b4f6cbf133d7b33c3515f37e165cc107dd2f72b64d18055ae282b9

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\ACECache10.lst.RYK

MD5
221482412d2fc194eac70922377d2952

SHA1
8f8a10d074bd406e8a292d8bdb90634792f14c25

SHA256
7ba548d4389dbe240b5dec32b2fcd4683b2d67c7b5f43f7a4b07d87e203ebfe1

SHA512
031788fe7877cfd8e7fcb1c7425e541ae6b8bb178100e24a1ca72d9f550a5927ff936f4d642d9ee6a15f5835e9df251cd13556e79f74eb067736881eacb18a36

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

MD5
6459f1a710cddc4e412ccf7370be1c59

SHA1
1e14c8f75d0fc5784235ce1ef137566156078307

SHA256
b8356d739162d75132c5e052bec803f3bc926861761b161cea39de20f49391a3

SHA512
33d572c2c0bb7e239f3441fdc0cde669892e314796b4a6206901ac0c4c1fb0662d2c31694f1b6f4edeae2f24664cb17f8598aee7234dac91ad87884a57fe45d2

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

MD5
a35a115f86682b854fef6aa1d5be5988

SHA1
6d3f5c08d3eec6f3b048573d604cffe3e7b9b30f

SHA256
3ceb79d47ee950b41220277389a0dea3573740fab185ec25c25bbd3ccb5e3525

SHA512
034b344e84ea27837015a5a2b788616677bb1c28a36549d58841845af079fe2556b08dd8947b56f68fae8fb13387cbfbe36f76a6cf3f0bd71903fd886e5bf185

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Adobe\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Google\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\IconCache.db.RYK

MD5
8c2dd1ad1a8df5f533eab0fa38392d1b

SHA1
1820b4ebb015a1398f5b59c1578fa89fdf33fd38

SHA256
2c7095e4bee43886230081492eb6851f3d58690db8f2dd826c23dfeedf3fdcfa

SHA512
24e5771af2f7801041d2bdeca85a81bdae24ee14475d16944b98405a3ad926b79895e5fbbb81647541e387ac440d0dcdccb7725a452e52b8576be7451e4cf6e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Credentials\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK

MD5
5a11a50c9d9b004829209effb2b0d2d4

SHA1
526e229a712319f3dfcabb1a28a24fcd85cb2b5e

SHA256
bbd94fb6e7c748bebb95838d7fc51be637cbe374f52c4788a88cec0481773a71

SHA512
55a76e8ae17e20e17d324b4d62f34a746749e85c0414f9e9956abe2aa8c3726e013ab8c64d20a839dab73fc92ca4f780dff819a2594f95bb39b1153242c7abdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak.RYK

MD5
76ab151470d1cd16c90cb32fc3888730

SHA1
4c9cc0d9b026ec14dc3dfba08f21a1f9a96ca01e

SHA256
927ae924cfc00b05a57ec670f72841b64988cd875b472df4c9118aa56beedc6a

SHA512
b9502850cef8e6d2c788de5582df8e07584d8e6f04beeadfe3c11a9a5a138cac3b1202a3b143fe5f41fcfd30b92636d68ce284cc151ba394623413fe70db5874

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.RYK

MD5
9afde4afe901fd46f71401451bda5a49

SHA1
bdefc8d4b2d14855870a5aeec08829d2622d8872

SHA256
1dee48caeebade1829f4989addf77a04d244d91b0aa849bf7db1bab0887b0e87

SHA512
838dfb537343ff19b37c8839c9a0b3d3b7f294ae2b0919c7944780043b27792c91cdd43564abc9c383290cd6a99f88dfb2550964ee0b382549ece068b1a4075a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb.RYK

MD5
021352316e53a0d15e324b85a205c36b

SHA1
c7d46f40810206a75a21bf53f5584dc4ad3bd7c1

SHA256
d7f2e03641babb376ea0ffadb506a65a3cf7a3b75ccda1c55b2cd8207a66d334

SHA512
903e592c09f2afafc6cc8c22a945348a80368bd3ee276a54f6df0ea34d98959483cd482484e699593db54e91479a95f944df265e526ff13bde987b6d9ae95bf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PlayReady\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.MSMessageStore

MD5
32373406e2cd388cc6da573fff82b3e3

SHA1
0cab3e8ea8a122a4f1b33ba633f7d5471dc142a9

SHA256
150108125a8b35adee0f588958be3b5a1955c24ed43e9cf88739806cdb58f71b

SHA512
fa7d08f207af40f78ff0fe025aa682852a07aaec4d17b6c91abfc7854c4818065d983c76002373bf3e407d872e882b29f248d183a0d4c2c4c31a288fe1ff397a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.pat.RYK

MD5
043d29a2f983ec2d6c9212a64cd7ce83

SHA1
76727fecc933bc3b3b9c0e7c402730f716a889b7

SHA256
d1049c9923310eca18922353472929df8250f295b1f0920791dbc3b7745477c9

SHA512
b5b03f987cc4d39b1318efc1ff07665dfa283c34d3656196538da002825909d431d115b7fdaf158980f1e47fd3ca662d8d401543fff9761ca4550789bf4aab3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\edb00001.log

MD5
8173e011bd61b17b39b9b6029e975223

SHA1
7d648ac2007faec8dad4bc298c0cfc5a0861ff05

SHA256
b1cdf6becbffd202f4766e4e4b3f55d5a3bfda2ee2f98af972b7f05d11b2ad93

SHA512
4ecafe2e332b809a63891e202a4c69d71f15a4275e0ea06b6dc0de7c8ee81e1eba02ee82e67252f2099b6e603caa656935ff317ce01106dd9778144f4a5d38a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.htm.RYK

MD5
8fcadd8b34ac3107508145e922cca0ce

SHA1
6d0b8b540103f2d768b8ea37582e679512e69ce0

SHA256
724ee0683a2556f5f2479aec3abad6c8b01a3814173bf0c53d6f5735aec2d578

SHA512
35b5cf0759b9f341f39462548e227bd7f4dce40fa1df2e35432a76e1fabb50149638935f771090a1651f94dc2ae078e4c540d83070526ba4ca6f27dd3bf4097c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg.RYK

MD5
f49b0cdfa14cab61b1c802acbd10943b

SHA1
214773b4361ce9296938d316c20bb1b96d3cb3f6

SHA256
078d8c2d4872221b59cbe0b5eca6bf39b595706eb455acf38f928af8379e130f

SHA512
94bee864d89a3bb263f3171eea1bef58ba76975c86bc37564b3ae7bfb85172c4b72a215f669ee977ab304a65cb841e46aed2beb224c91120d9e08e90c7573386

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg.RYK

MD5
fc579381b6f5dae089f52bbfd42d4502

SHA1
1b99083103d4d454d3da02594e76981e7f41f2b6

SHA256
01911e81e7b36e59a5d875d713e8b4788bde94a66b2b8673f4cfb10b12da6a18

SHA512
a37e9744f13c132d39ac02201792556a587f5f91fb70cf4ba7f5dcf191eb33efcbe730b200d52b04fc53db84cdb39bf759fe926d031256e6f2af5e320927371f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Cave_Drawings.gif.RYK

MD5
e1d0194a46ffc46cd22c5f854c5ef7ca

SHA1
8c1fa28640cd759bf1f4699c62a5747c55814410

SHA256
09e96e03cc4cb5fb0abe966513551bdd811272dda840e7cddad20b8ee9278bfa

SHA512
5930840734e339bf86b1990a8e531f422567c953bb9c444d37b8e858dac07f99c5113a8f603a7f6648f8545754427a9db31085abeb469cecf85c054c062d874c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Connectivity.gif.RYK

MD5
8126aec5194728941f0ef93d75685fdb

SHA1
3b544297f4945f467e855b645a6a443f4c4a92c7

SHA256
de9701aeab21b2ce53bac14b9370aeffa5d054318f3bf7b8062b6cccd1151a4e

SHA512
395da478f427372a23c2feac516c52077514de592b12162cf33139fc5aaddf99306e6537f60900363c5ede1324d1b6c2b71220fa65edf440d11b6fc418e57cef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Dotted_Lines.emf.RYK

MD5
9f47663cef20e54d150b64d5072a0411

SHA1
e4f882f04acb44ef8e08171edd2627b8eaa72941

SHA256
a9116e4ecffcb4372c392ea92492aca34cac274de91f420ac2a2c66b3c11f5b9

SHA512
9c278c72b07a51adb3e7561e4e0a09d33137f5d2251175b1cbcec4785eac36d6d09dab885a56d43de03fef5402b9fd0df9dda5218ffc6f0fe4c405d4cd91f70a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.htm.RYK

MD5
5025c32d06c816657ff123da794eefcb

SHA1
a636db2677764530e7e219d6be7810ea33f0fc8a

SHA256
93e21e2ab71378e06b83e7e8b61d329ae8e69b006d6e6fce5a8b453e48d96b57

SHA512
2de944e6a47cb2dc80738a487a3b2f8a9a1b46a7ddde9789fa1c15dc533fe80322991ddee614148b4b5866fe9674a74302d09c8c971642207ae28cb377aa8639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg.RYK

MD5
70c2d38aff2cd65aa27eea8c1bf62e49

SHA1
71e072a6aeef93b594fabbcd251a66591ab90f89

SHA256
d4c9c34af7e71ead2af21f21dc4508aafedce834aa939912a333561a057848b2

SHA512
5d5af6cccbfb2155902cd1c1da5332742c9131edf20fd15dc97d856a40273d50ef79eafeb17d9db2157106d015d134852546e95a11a8e469c6f68c699474b0b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Genko_1.emf.RYK

MD5
a2ac5f34ea6852b65137e4410e366305

SHA1
7c97478a8556d787aaa9a63207267aa5fec14027

SHA256
c472dcd7438d7f58aa3951cd7e1dcbd7bb1c8816933eb38ec30493e8c1215226

SHA512
2edb25688146ead086773590b4fe6a9ca3941354b0a089c8eb79b3995550cc7703262857ed23e4cc896393dd0d3b5d61e8356dbe4cb77633c664c06531af7f06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.chk.RYK

MD5
3700556f6f9a87447526206795b4b542

SHA1
1d9a63259b86fa8833148f363f1d2955128992a9

SHA256
308b21aebfe94cf06c0e38f2f405b7d2d7c0956a8a64cff7d6570a8411903b8d

SHA512
0d008d57993aac101c217e5e41ac1ed6628c093938fe7095b0b0364a0d9f66bc951595b6e25f7ab21fadb073a11adcd98a2061bde0ae5d4478d9e4b6e5582f17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log.RYK

MD5
6180ae1a383d29c67276598e557e667d

SHA1
570c15c23eb4eb322979c24b7cb80c7611dcf7b4

SHA256
e86bfd347acd9deb43dbc67b518878421bb8577dc7d6567f799b3a527c183643

SHA512
b85bae3bc3ac124cfe72a8d1de2c787249ae3762ed35c8db239c0e39b2e6fb8828f3c9380d226345233ef72af5fe6e445cd4d78cfcfb0ed58b513ed70bd28d82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb00001.log.RYK

MD5
1e7b4f68bc50ebc4effc466d26adcc6a

SHA1
b038ee5e3dfdf6d6fc75fec98bf6b565c4d72afd

SHA256
b3e42ec59a3db76af833ecee15b855db0529e6e813ad83fdffcf67502ba98493

SHA512
601f91c12ae571e31b2257bb7bad2533be2a15f959bd5b0251faad9fac9bc89fa49eb17b4c20fa596ef67406e0667b338034461edac5fe903bc5dd0c80c19e1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edbres00001.jrs.RYK

MD5
b915ac4207427e47b499258ae10a40ad

SHA1
d2c5fd06c8b47ab18c1093d7da12a425d3a047c8

SHA256
de8a1cffbd7f4c4890cf02ceaf36012f4a43933d627f3a8021334bbd115e6225

SHA512
8fe92e28f7841cf04b0f8a7ab0947803f1793578fa3f12551a81dc2377ef2a603a73b9ad3c551a99b217078355c913aabb2ee859f2f923690d1ed715d1e51262

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edbres00002.jrs.RYK

MD5
3bd85c9607ff554650707838032dff03

SHA1
413511028bab7b855e449007c0c868dfdcd7f18b

SHA256
9f6e9b87475f07957d389f09035642b9954ce3100ac757e68be1d0777a5515c6

SHA512
c9bb7d175ff839ca3a3917666ff0eee18943d976e7e1664f7500a31bc8689b770365acedf27548979abdcd1451b3eb9476c630515632af3db015e6301e7d8977

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\oeold.xml.RYK

MD5
3e9d36fea73b6c811f7a6f128c12fa7c

SHA1
29906cf87bc1a878b7aeac9d4371a626afbf3c23

SHA256
39d823b99b676549e682037de98deb30aac57f5e3b94484bd8313fe100e40505

SHA512
819e02ba4bcc64ef09bf39291ec1d14ba3f4ba98ec5749e29c62885d25ed8cb0f545a759844610fc3acdf9c6581f74b697b47206f0005e10104c42310a7a1e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat.RYK

MD5
78b2a090fa87981abc43a3cece1184c8

SHA1
c0d2b3de296ad185912368ae3dc712f98570426e

SHA256
ae4121928d86448bbc6fd65a2b5f42f5e387b3249c65f460248b0e3660bc0645

SHA512
bd5e9a554b0c6fdc9132a956173b20a4fb92d01beff9d6238da02aa90929ef97ee2516a12c8ddfdfd31836455aa6e8da8b78801d7a25732910e6caa98ffe06ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Temp\nVwfPDf.exe

MD5
ac4845378d6e9585c758efeffe713857

SHA1
4febb67955fa4743db70dad7481702bb46f60d69

SHA256
c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10

SHA512
6edaf5e417087b428feaa81214bad3deab967462b6448f6252a413f839a32dcc40cd6be369284a8d940ad1b0804bbc6a85ae22a179af9d7a5cb780658009c874

Download Submit
C:\Users\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
\Users\Admin\AppData\Local\Temp\nVwfPDf.exe

MD5
ac4845378d6e9585c758efeffe713857

SHA1
4febb67955fa4743db70dad7481702bb46f60d69

SHA256
c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10

SHA512
6edaf5e417087b428feaa81214bad3deab967462b6448f6252a413f839a32dcc40cd6be369284a8d940ad1b0804bbc6a85ae22a179af9d7a5cb780658009c874

Download Submit
\Users\Admin\AppData\Local\Temp\nVwfPDf.exe

MD5
ac4845378d6e9585c758efeffe713857

SHA1
4febb67955fa4743db70dad7481702bb46f60d69

SHA256
c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10

SHA512
6edaf5e417087b428feaa81214bad3deab967462b6448f6252a413f839a32dcc40cd6be369284a8d940ad1b0804bbc6a85ae22a179af9d7a5cb780658009c874

Download Submit
memory/820-55-0x0000000075191000-0x0000000075193000-memory.dmp

Filesize
8KB

Download
memory/1112-60-0x0000000030000000-0x000000003016F000-memory.dmp

Filesize
1.4MB

Download