ryuk | b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2

Analysis

max time kernel
160s
max time network
83s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
Size

196KB
MD5

35fb90e465df48871ee78df492fe22de
SHA1

ddfba2e525968f6aedf050613f32b124b13f776a
SHA256

b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2
SHA512

60511d000df87164627fb6053049e82be0833e60a8b8a7ae30e93084e4293e250f1a7b2a4eaf3d875408a304e845ae548ff2cd68d6f604090cdc5be3d168d5f7

Score

10^/10

ryuk discovery persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

jrDvYvp.exe

pid process

1120 jrDvYvp.exe

pid	process
1120	jrDvYvp.exe

Loads dropped DLL 2 IoCs

Processes:

b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe

pid	process
1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exe

pid process

1540 icacls.exe
864 icacls.exe
1720 icacls.exe
2008 icacls.exe

pid	process
1540	icacls.exe
864	icacls.exe
1720	icacls.exe
2008	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jrDvYvp.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1356 vssadmin.exe
1000 vssadmin.exe
Runs net.exe

pid	process
1356	vssadmin.exe
1000	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exejrDvYvp.exe

pid	process
1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
1120	jrDvYvp.exe
1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
1120	jrDvYvp.exe
1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
1120	jrDvYvp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exejrDvYvp.exeWMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
Token: SeBackupPrivilege	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
Token: SeBackupPrivilege	1120	jrDvYvp.exe
Token: SeIncreaseQuotaPrivilege	588	WMIC.exe
Token: SeSecurityPrivilege	588	WMIC.exe
Token: SeTakeOwnershipPrivilege	588	WMIC.exe
Token: SeLoadDriverPrivilege	588	WMIC.exe
Token: SeSystemProfilePrivilege	588	WMIC.exe
Token: SeSystemtimePrivilege	588	WMIC.exe
Token: SeProfSingleProcessPrivilege	588	WMIC.exe
Token: SeIncBasePriorityPrivilege	588	WMIC.exe
Token: SeCreatePagefilePrivilege	588	WMIC.exe
Token: SeBackupPrivilege	588	WMIC.exe
Token: SeRestorePrivilege	588	WMIC.exe
Token: SeShutdownPrivilege	588	WMIC.exe
Token: SeDebugPrivilege	588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	588	WMIC.exe
Token: SeRemoteShutdownPrivilege	588	WMIC.exe
Token: SeUndockPrivilege	588	WMIC.exe
Token: SeManageVolumePrivilege	588	WMIC.exe
Token: 33	588	WMIC.exe
Token: 34	588	WMIC.exe
Token: 35	588	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1136	WMIC.exe
Token: SeSecurityPrivilege	1136	WMIC.exe
Token: SeTakeOwnershipPrivilege	1136	WMIC.exe
Token: SeLoadDriverPrivilege	1136	WMIC.exe
Token: SeSystemProfilePrivilege	1136	WMIC.exe
Token: SeSystemtimePrivilege	1136	WMIC.exe
Token: SeProfSingleProcessPrivilege	1136	WMIC.exe
Token: SeIncBasePriorityPrivilege	1136	WMIC.exe
Token: SeCreatePagefilePrivilege	1136	WMIC.exe
Token: SeBackupPrivilege	1136	WMIC.exe
Token: SeRestorePrivilege	1136	WMIC.exe
Token: SeShutdownPrivilege	1136	WMIC.exe
Token: SeDebugPrivilege	1136	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1136	WMIC.exe
Token: SeRemoteShutdownPrivilege	1136	WMIC.exe
Token: SeUndockPrivilege	1136	WMIC.exe
Token: SeManageVolumePrivilege	1136	WMIC.exe
Token: 33	1136	WMIC.exe
Token: 34	1136	WMIC.exe
Token: 35	1136	WMIC.exe
Token: SeBackupPrivilege	2212	vssvc.exe
Token: SeRestorePrivilege	2212	vssvc.exe
Token: SeAuditPrivilege	2212	vssvc.exe
Token: SeIncreaseQuotaPrivilege	588	WMIC.exe
Token: SeSecurityPrivilege	588	WMIC.exe
Token: SeTakeOwnershipPrivilege	588	WMIC.exe
Token: SeLoadDriverPrivilege	588	WMIC.exe
Token: SeSystemProfilePrivilege	588	WMIC.exe
Token: SeSystemtimePrivilege	588	WMIC.exe
Token: SeProfSingleProcessPrivilege	588	WMIC.exe
Token: SeIncBasePriorityPrivilege	588	WMIC.exe
Token: SeCreatePagefilePrivilege	588	WMIC.exe
Token: SeBackupPrivilege	588	WMIC.exe
Token: SeRestorePrivilege	588	WMIC.exe
Token: SeShutdownPrivilege	588	WMIC.exe
Token: SeDebugPrivilege	588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	588	WMIC.exe
Token: SeRemoteShutdownPrivilege	588	WMIC.exe
Token: SeUndockPrivilege	588	WMIC.exe
Token: SeManageVolumePrivilege	588	WMIC.exe
Token: 33	588	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exenet.exenet.exejrDvYvp.exenet.exe

description	pid	process	target process
PID 1664 wrote to memory of 1120	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	jrDvYvp.exe
PID 1664 wrote to memory of 1120	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	jrDvYvp.exe
PID 1664 wrote to memory of 1120	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	jrDvYvp.exe
PID 1664 wrote to memory of 1120	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	jrDvYvp.exe
PID 1664 wrote to memory of 1276	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	taskhost.exe
PID 1664 wrote to memory of 1372	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	Dwm.exe
PID 1664 wrote to memory of 276	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	net.exe
PID 1664 wrote to memory of 276	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	net.exe
PID 1664 wrote to memory of 276	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	net.exe
PID 1664 wrote to memory of 276	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	net.exe
PID 1664 wrote to memory of 1832	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	net.exe
PID 1664 wrote to memory of 1832	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	net.exe
PID 1664 wrote to memory of 1832	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	net.exe
PID 1664 wrote to memory of 1832	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	net.exe
PID 276 wrote to memory of 1168	276	net.exe	net1.exe
PID 276 wrote to memory of 1168	276	net.exe	net1.exe
PID 276 wrote to memory of 1168	276	net.exe	net1.exe
PID 276 wrote to memory of 1168	276	net.exe	net1.exe
PID 1832 wrote to memory of 1132	1832	net.exe	net1.exe
PID 1832 wrote to memory of 1132	1832	net.exe	net1.exe
PID 1832 wrote to memory of 1132	1832	net.exe	net1.exe
PID 1832 wrote to memory of 1132	1832	net.exe	net1.exe
PID 1664 wrote to memory of 1540	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	icacls.exe
PID 1664 wrote to memory of 1540	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	icacls.exe
PID 1664 wrote to memory of 1540	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	icacls.exe
PID 1664 wrote to memory of 1540	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	icacls.exe
PID 1664 wrote to memory of 864	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	icacls.exe
PID 1664 wrote to memory of 864	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	icacls.exe
PID 1664 wrote to memory of 864	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	icacls.exe
PID 1664 wrote to memory of 864	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	icacls.exe
PID 1664 wrote to memory of 1992	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	cmd.exe
PID 1664 wrote to memory of 1992	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	cmd.exe
PID 1664 wrote to memory of 1992	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	cmd.exe
PID 1664 wrote to memory of 1992	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	cmd.exe
PID 1664 wrote to memory of 1356	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	vssadmin.exe
PID 1664 wrote to memory of 1356	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	vssadmin.exe
PID 1664 wrote to memory of 1356	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	vssadmin.exe
PID 1664 wrote to memory of 1356	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	vssadmin.exe
PID 1120 wrote to memory of 1720	1120	jrDvYvp.exe	icacls.exe
PID 1120 wrote to memory of 1720	1120	jrDvYvp.exe	icacls.exe
PID 1120 wrote to memory of 1720	1120	jrDvYvp.exe	icacls.exe
PID 1120 wrote to memory of 1720	1120	jrDvYvp.exe	icacls.exe
PID 1120 wrote to memory of 2008	1120	jrDvYvp.exe	icacls.exe
PID 1120 wrote to memory of 2008	1120	jrDvYvp.exe	icacls.exe
PID 1120 wrote to memory of 2008	1120	jrDvYvp.exe	icacls.exe
PID 1120 wrote to memory of 2008	1120	jrDvYvp.exe	icacls.exe
PID 1120 wrote to memory of 744	1120	jrDvYvp.exe	cmd.exe
PID 1120 wrote to memory of 744	1120	jrDvYvp.exe	cmd.exe
PID 1120 wrote to memory of 744	1120	jrDvYvp.exe	cmd.exe
PID 1120 wrote to memory of 744	1120	jrDvYvp.exe	cmd.exe
PID 1120 wrote to memory of 1000	1120	jrDvYvp.exe	vssadmin.exe
PID 1120 wrote to memory of 1000	1120	jrDvYvp.exe	vssadmin.exe
PID 1120 wrote to memory of 1000	1120	jrDvYvp.exe	vssadmin.exe
PID 1120 wrote to memory of 1000	1120	jrDvYvp.exe	vssadmin.exe
PID 1664 wrote to memory of 1080	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	cmd.exe
PID 1664 wrote to memory of 1080	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	cmd.exe
PID 1664 wrote to memory of 1080	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	cmd.exe
PID 1664 wrote to memory of 1080	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	cmd.exe
PID 1664 wrote to memory of 1736	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	net.exe
PID 1664 wrote to memory of 1736	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	net.exe
PID 1664 wrote to memory of 1736	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	net.exe
PID 1664 wrote to memory of 1736	1664	b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe	net.exe
PID 1736 wrote to memory of 1484	1736	net.exe	net1.exe
PID 1736 wrote to memory of 1484	1736	net.exe	net1.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1276

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
"C:\Users\Admin\AppData\Local\Temp\b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Local\Temp\jrDvYvp.exe
"C:\Users\Admin\AppData\Local\Temp\jrDvYvp.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:1720

C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
3⤵
PID:744

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1000

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:2008

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
3⤵
PID:944

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
4⤵
PID:1476

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:1560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\jrDvYvp.exe" /f /reg:64
3⤵
PID:2580

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\jrDvYvp.exe" /f /reg:64
4⤵
- Adds Run key to start application
PID:2188

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:22244

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:22272

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:32888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:32912

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:276

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1168

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1132

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1540

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:864

C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
2⤵
PID:1992

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:1356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe" /f /reg:64
2⤵
PID:1080

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe" /f /reg:64
3⤵
- Adds Run key to start application
PID:2024

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1484

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:568

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1328

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:19144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:19444

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:22300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:22324

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:22300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1728

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:28356

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:28468

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK

MD5
fcab6d3899815b9b2aa4836832421caf

SHA1
2356294d5003fc4a538cfa551ac8885b7dff5ed2

SHA256
2731d37b6d99c544f51be9cbe6807b36b41736724f0784b744369a649206bf50

SHA512
f348fc53a3940687d52c10d4630dbb077dd2d0105c96cfdefe747e6d732a0ffb5ab3f86eb87bf15a2cf56e0b4b20b240eb63443e2e3a0879693c584c150f919e

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.html

MD5
c41739852bd55bc696f12de5b67f888b

SHA1
bccf16bbd0a27888c11e4db5c0dc0da409935739

SHA256
ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9

SHA512
f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html

MD5
c41739852bd55bc696f12de5b67f888b

SHA1
bccf16bbd0a27888c11e4db5c0dc0da409935739

SHA256
ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9

SHA512
f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

MD5
c41739852bd55bc696f12de5b67f888b

SHA1
bccf16bbd0a27888c11e4db5c0dc0da409935739

SHA256
ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9

SHA512
f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\ACECache10.lst.RYK

MD5
755adc051f2bf3530e33b73352de3672

SHA1
722971e253995ffd4974b7e54250c7701005353e

SHA256
45c92c30829c09c1de031f3653080db1b999c097231685de82756a7b8b62e878

SHA512
362831d6f4e42ffcb5ea422a081b230922f33df5f5d4f855d18ab85954e90a6487c106c53f642e9504ea89be3b848d33a5d4aeaa869d9bc76ab6d2316934deb5

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

MD5
c41739852bd55bc696f12de5b67f888b

SHA1
bccf16bbd0a27888c11e4db5c0dc0da409935739

SHA256
ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9

SHA512
f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

MD5
92d3c949a9d49474e0e5ca95384720e0

SHA1
dd49bdddb17617acc2fa56fc41a5d33712488c08

SHA256
f5ee7a517bfb664b0934a7f66e368973f5ab29eac5332701afb0f01da013c7ea

SHA512
2c6974959a16b69aa9d12d84ee6744e9cbec0608a00ef09ba85d8608e765fc6040e19008f6306297a00c38d236970f41bb84a4114f6b72e8c034bb693b78bf0d

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

MD5
2dbbb45c79241dbbd6dc1d72f920a07a

SHA1
36bfd812668e7fa2840e909a75afa5937cb56a37

SHA256
52270db734d87bf3e3596e90e7de6245824c4046b83c59d495337aa5f108bd4b

SHA512
58bdf6698d21023e88d5bee8866b23f5c7020392dd4820bfcf4b31f0504cfc857fb0d980b1e48d31a783590753f70b2b54c898d9236f667c338884d061f9d2fc

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

MD5
c41739852bd55bc696f12de5b67f888b

SHA1
bccf16bbd0a27888c11e4db5c0dc0da409935739

SHA256
ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9

SHA512
f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

Download Submit
C:\Users\Admin\AppData\Local\Adobe\RyukReadMe.html

MD5
c41739852bd55bc696f12de5b67f888b

SHA1
bccf16bbd0a27888c11e4db5c0dc0da409935739

SHA256
ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9

SHA512
f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

Download Submit
C:\Users\Admin\AppData\Local\Google\RyukReadMe.html

MD5
c41739852bd55bc696f12de5b67f888b

SHA1
bccf16bbd0a27888c11e4db5c0dc0da409935739

SHA256
ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9

SHA512
f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

Download Submit
C:\Users\Admin\AppData\Local\IconCache.db.RYK

MD5
10631892bd78711262047b864fa11dbc

SHA1
6c4772224ca81d0f932562bbe2a527f9135c203e

SHA256
c6b24f944930b937dfb5defce511321d616ad7472cebac37c03708773298ac6e

SHA512
7ea084a425fb6dcd698eef576b15f64e7dbf781323b07db5794351a047a70b8cc526660c78642ede20e5009ba42e45997cde8a089d32b30619406290253fbfe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Credentials\RyukReadMe.html

MD5
c41739852bd55bc696f12de5b67f888b

SHA1
bccf16bbd0a27888c11e4db5c0dc0da409935739

SHA256
ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9

SHA512
f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RyukReadMe.html

MD5
c41739852bd55bc696f12de5b67f888b

SHA1
bccf16bbd0a27888c11e4db5c0dc0da409935739

SHA256
ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9

SHA512
f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK

MD5
f5bddc913c09e460dc5265f6df3d0db8

SHA1
e78813256aacace35ee3ac763bc7b8edac1e7890

SHA256
56f27a0bc1b3d1ac8abbe8720a256d98758e4a5e9d4266ba5ce31071883fe7e3

SHA512
db6600cdb2ac8d0d40f6cc7546573074038d52810c0630b5c41e0696f6c905ceab4fb4f6c1c3f271283e52648cca85a674596d04497a5d3827aea601639597ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\RyukReadMe.html

MD5
c41739852bd55bc696f12de5b67f888b

SHA1
bccf16bbd0a27888c11e4db5c0dc0da409935739

SHA256
ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9

SHA512
f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\RyukReadMe.html

MD5
c41739852bd55bc696f12de5b67f888b

SHA1
bccf16bbd0a27888c11e4db5c0dc0da409935739

SHA256
ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9

SHA512
f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak.RYK

MD5
5f69b44173d70b3ea728cb4b8f645884

SHA1
831f912571cb87a97252b797b7071c0f49cc8c20

SHA256
d072da96964299ef1906e66e283a457ff2cb7e83b1192b0bc3611cdb7eecfa3a

SHA512
c0368e1e4b4973cddf369738162509942b40446aacdaf7eb4a5fc3bd318135134905a1bcfb8ac1f3ec9928a79fc33a639885f415b3e049a638ad091259cda523

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.RYK

MD5
9c2363913219c45ee65ecd51602890db

SHA1
070ca5882b572562bb864f980cf10f1f39cc2166

SHA256
a8dc90026b9ace713bd98061d44ac614628384f7ca52eaacd81866ed717da955

SHA512
b984d5401a9d2dae793a0ab898064eb9520bf5f0e1354ea0ab3e70569efa3ce961b52468a870839165bb9445cfa6a67a9413b5a1fd934ef51e02aa9db9696498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb.RYK

MD5
53cdf1b65b15ba43936a024cdd4886f9

SHA1
cab601076e50cf6b83940359eaead23b1f0a5770

SHA256
196328857a8e38702a0e0c277a65e16cfec006a63a95ae6038f516e51caffa3f

SHA512
8fa2ce6422ad15b342a62eabf1614388a9a1b5a79609fabdd2c667bdcb644d3b02ef96d6cf31747843c95ae0df1de0c5346b6de7e8393eb55ae0d48bc3d043b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\RyukReadMe.html

MD5
c41739852bd55bc696f12de5b67f888b

SHA1
bccf16bbd0a27888c11e4db5c0dc0da409935739

SHA256
ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9

SHA512
f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\RyukReadMe.html

MD5
c41739852bd55bc696f12de5b67f888b

SHA1
bccf16bbd0a27888c11e4db5c0dc0da409935739

SHA256
ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9

SHA512
f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\RyukReadMe.html

MD5
c41739852bd55bc696f12de5b67f888b

SHA1
bccf16bbd0a27888c11e4db5c0dc0da409935739

SHA256
ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9

SHA512
f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PlayReady\RyukReadMe.html

MD5
c41739852bd55bc696f12de5b67f888b

SHA1
bccf16bbd0a27888c11e4db5c0dc0da409935739

SHA256
ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9

SHA512
f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\RyukReadMe.html

MD5
c41739852bd55bc696f12de5b67f888b

SHA1
bccf16bbd0a27888c11e4db5c0dc0da409935739

SHA256
ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9

SHA512
f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\RyukReadMe.html

MD5
c41739852bd55bc696f12de5b67f888b

SHA1
bccf16bbd0a27888c11e4db5c0dc0da409935739

SHA256
ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9

SHA512
f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.htm

MD5
0a6ab9d1ba6421f915111bff7b7e85d6

SHA1
b5a4cb7ef54bc718f395f82e6b511e25ed1d4dc8

SHA256
7e74af3f55d7c893eab30eba62dcc4f7ea0595b95a562b7e06822210ff167dad

SHA512
a35be901bc58cdb2a09bc1952de011aa4f96f0f0d6b661e26942e8a36ba16da0faaad1f81611de44dbc637e4a5774e6e4a85a27e2f5db4e28fb26630d8c24b2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg

MD5
71736b74a662fab205b45f98999abb0d

SHA1
8e2a67e23cb160046c1945410b6e86ecde0f2ebd

SHA256
dfd800c33793dda429e9a6ba27fef41f0e0be6505f5f592942101af8d346e456

SHA512
f286786b51d3f5a47ceff32b941cfb7034bd2f9f639b2ce796a76b6f16f077e6c65179b4e0a06c8969e9da1596f4b5be1d319d571947ed5d966def5773fc7d67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Graph.emf

MD5
0dabbc311227b961e94b8d6a9dd7c4ed

SHA1
231c2fd243d305ee804a0b04a17b76c940e4f188

SHA256
ab243379ee90b15c7ec542a66f36810f3026332d611d16c1763b7f1e76aef3e6

SHA512
0bfa44d0b800a665d9eccf7d01da7878a09dbb9698138c2db9cb2d36baa15cb1f77978c27b1a8886009e26633060a29ed8d9acffb4f4c73a56d71b79f2549ebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Memo.emf

MD5
dacdcba79d955e68b084a3a39703a355

SHA1
0f4e82bcd7608e8e10e3826e4d76af83ee04b94e

SHA256
3f8049ab1fa4f623c4b5a543a944f53f9ed46fb1ed0f437a43097dfb887c5667

SHA512
877d566412999838780bff8a5aca727de5d3b1ef01b91be95559bdb566d06106e1139d62b35f7535e27d9652eebced7c26d7100dbed3eb47bbdfaee039977a59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg

MD5
aee0ea13532917e43f50efd990b2b36a

SHA1
3add3be437e4db860a3ab9e6f03eff07ddf532c3

SHA256
cb8b3b0ef6cc9748d4835015a2a756efd096c34d30967752adc2037e34c2145a

SHA512
59f9abfc1adf43ed03a2a8a4b643f64c01e614f8ebc28ccdcf14b2229ddc77233af89d6861813244aadac30e585e7b589d5bd1b5301f5cc6185dd7a3550b95b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Music.emf

MD5
727106567c91e634d957a1f28c2e498c

SHA1
dd78c670fb227e9a538a19395a69f7e194efb7c2

SHA256
32278534c2e4cdb36d034f7c5a6d022d0ff756ebfe3dff8ad3ef5eae61b01131

SHA512
fb1c31dac6df3668cb36bb032fc5cde959aa386ad9e2c67b7dfc627a33b2cd2aa9513d41e95a6d829fcfb9162442b76b67adb297671cbf741a7fbc1c356e636e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.htm

MD5
8ed17089b5fdc16e16faf39bc5c7883a

SHA1
a5837103e2894278621e50d0c1643017adae8c59

SHA256
2026a9a54982d70fa4c397fce8df80e5d1243399a78d14ecd1e326777d37bf9d

SHA512
1dfa9d309f7599a504689164aedc62a4e2f7595193612daedd8ea8fcef383ea5109b670d7b8547a0f35cef68588e2fe3042428f9fa778624f0353ecbd176e7d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg

MD5
b8d5cabd14144c91e85dcee122bc53ec

SHA1
3f3b295ad1174d2f288892ed361d1242d91a4564

SHA256
8b82aa336fe78ff8354b4e97a108049d1d21bd8fe0c6c8e121b4a5eaffaa15aa

SHA512
8fa81c00ac9e6a57eb86f7603cc2df04e8d14b3d4d48d347d1dad6006350799b3b41a14eeb6002f06ca2695fc933f5ce17e99b73fa41dbeb12db2971b8a67665

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Seyes.emf

MD5
cbd10e4b69347a94f2e71b65f6362250

SHA1
f9c17aceea56bfe086878362e862ca933fe9857e

SHA256
93b8385d3e0dfc3e558bab1908e6a8c976605a4e10327592ad32d19628c38d87

SHA512
eb9a3cee2d1753417326ae5a393bf9cc5a38cff09503ddd6b7fdddc70bb045334d1ab0553e217e433a8d989cea8a6fa16d0834dd119d65c8111788b09d9cfb90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.htm

MD5
c2f4d4e5c554e7873fdcb93800340eb5

SHA1
c30fdcc534bb01d3e46819c1e355299bc00fc756

SHA256
f936ab3317edcd2bf02eb9746504f7ab21128690ebb16a86053a4d774cf9168a

SHA512
2eda88392b5f8c78f3615956c766cfdb4b201020ff279d3328858002d7d8bb0eeb09629023e60703eb83df0968e791615d72995fda86a3abc3cf4f5dd6f34137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg

MD5
951a7cef4d930022f4b7c27c88534b9c

SHA1
5eae8e2fa318c3572273cb309644e096ce0e42e4

SHA256
1a4f656afadf92891092ef2ce43fc7a2ea384addd86b0cf35cb78be245f1a50d

SHA512
2bf4c805f788aff0b4df52276a74a17e118ceb327ebf2cf446ed66ddc58dfc8cd6e8164ecea98545a72304c3f742d4b523a6dc9efdf289fed24664330313c488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Tiki.gif

MD5
c79dc652b6a93478e95f5428a75f804b

SHA1
4113eb83d1d87cbd8d422f690d6f8917d3c6705e

SHA256
e8c72f0fd675fbe3ea296ace68b4e3d518940106fb1d5930dc10b3453ce2129c

SHA512
0ce058f98e5a8bac8e96000fdd5d47265b1d9b1cbc276d4779b80791fa979d23129c72b45cb3e32c1ee9d503eb134d1d554ef375700d9f2bc03b4f7ad6926374

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat.RYK

MD5
d89da2ff8f2a73b2f39eed832781727d

SHA1
75c727add2718933b9a4b363e092ec0a19879517

SHA256
2e5b4f3bdbeea6ab5412ac81dd4823844387a5598c519ce9e2e8efe12bd31bf3

SHA512
7d0cb10578b188c1843a979d20d81043df363821186397d5ff4152cf230d0cd6d3961c51cada07707f74c1d5f81ae2e74306eb5b9ba438f52a862c8a892e07d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.chk.RYK

MD5
2eaae995d7e5e1771f9cbd5e5a6234ed

SHA1
1788c38b466e4ca7dd87bdc6eebf816e270e54e0

SHA256
c1fc2c31c9d31c822aa4a6bc13283bf45121f12cd392aa6b01be2f11cba6b6b1

SHA512
44d7e27d5589d5867a88eda9ca55921cd65771342eb716e0f04d45bac96d4cb76ec6c811a99492feadb21583a4bcfdad665b29f856700795dca9b585a7b557b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log.RYK

MD5
1623e1fca1c6bdef3b9d56adda5df1b8

SHA1
d2e77bc33983b548aa8c433e682c4747d75d41a1

SHA256
705eb33bd6c11f55583e951a3f868b9d1879a4cef9a785bd822acb0f1ea9e551

SHA512
674b34d27194100ec697a9bd4a86a3bf45a099f3f8bf689cde8be72fd067b44289ab2f20664066fd8337d6be7fa2d3722aabbd7da07b5a2206c39a8298524c0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb00001.log.RYK

MD5
146ac6f73d191be70c94197214dc96af

SHA1
1cef20d61d1656974b111e32f4618ed8cb859ccc

SHA256
0aca13d74c913eba74d63d5fb370728f2a589b1a7a0c1fe89f425612e734e079

SHA512
936e9a89b13be798fad6828bf8e4dee4846b8fb830e69cd62f16abc98e9319adbb5e2266d76d270371d580cf981e93f7db29fd80909dfd9428976ec23119534a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edbres00001.jrs.RYK

MD5
fb0dcf411373f68ebdd63a1f297b38b8

SHA1
a3f3e6ea5466d2421b9ec4d4421a1c51600dba34

SHA256
ea8b54f5358e399e98b075fe7a7e7c4e31800a1184658a4db98fa4571348071c

SHA512
7504edb3dae30be8e9333649b54f084a36908dd92433e7863a81b3256aeeee9f0e72858278efbb864256b351edd712c1df95a752bd16615823f3590e7e373f1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edbres00002.jrs.RYK

MD5
f3ac534beff4ef5577eb7b5914bd4074

SHA1
952e125ac633923430c52d983847d3000017e624

SHA256
80e95fe7dd1e5fa8ca3fbe44d7db180db637dab2f11c3d072b26a14f285c810f

SHA512
b12128001d91d6afc3172db9ae9013f0b347af59774fab3888faa918677e10d52ee3a5b75d7116e6b4332dee8d7ec4bed3a983089b7097e4346ccd0100aab391

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\oeold.xml.RYK

MD5
7f2be22b15310556ed5d483f806c9b52

SHA1
7df7bc92ec2f4d7e9dd6a690cd04258507abfa79

SHA256
63023a7f84803cf22fb435c49efdc29a5609aadc642fcfafa7ae79679e94d2d9

SHA512
a3286a9c6ed241de3419f964b2af5038031184b0cb42996384c59986369569b8af883c20cf53f634317d59bb7dc48f004c24da40be440d9e203f17004451f291

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

MD5
73a1b1ba783fb35c726ebe6cf61a212d

SHA1
c89c4303ec359e64e846e9e012a693f550db6cbc

SHA256
1d869eea17f10c8b1eb1199cc570db5d827c7717198689e4c996216a0a6a35a5

SHA512
644fb3428a5e027f645923ba1ddaae1f67be2945cdbc86fb95189635307d1cf6e26ec87edc2ff8d9fad97fc44e590af28ac8c4cb1721a71d87cb4eda75f105b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5
a8f8fe3731b2fe54f3994b34b379a4ff

SHA1
717b60c1bff4cb5b6d4d3010a33390c083de69bc

SHA256
e3bb06814d2bcd23dc19ab695ecc9d3b8067c9a61f62fef31434e2d6ac6ad6e1

SHA512
bd3d7d24fb321c807fda4db0fc0404a3a207635c7f581fd54f0f1d0e772b5bcff30c81283cc3fc349625e063115932ccac16cf20f6a62d20f6a3f758bce2b494

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\RyukReadMe.html

MD5
c41739852bd55bc696f12de5b67f888b

SHA1
bccf16bbd0a27888c11e4db5c0dc0da409935739

SHA256
ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9

SHA512
f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\RyukReadMe.html

MD5
c41739852bd55bc696f12de5b67f888b

SHA1
bccf16bbd0a27888c11e4db5c0dc0da409935739

SHA256
ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9

SHA512
f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\RyukReadMe.html

MD5
c41739852bd55bc696f12de5b67f888b

SHA1
bccf16bbd0a27888c11e4db5c0dc0da409935739

SHA256
ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9

SHA512
f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\RyukReadMe.html

MD5
c41739852bd55bc696f12de5b67f888b

SHA1
bccf16bbd0a27888c11e4db5c0dc0da409935739

SHA256
ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9

SHA512
f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\RyukReadMe.html

MD5
c41739852bd55bc696f12de5b67f888b

SHA1
bccf16bbd0a27888c11e4db5c0dc0da409935739

SHA256
ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9

SHA512
f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\RyukReadMe.html

MD5
c41739852bd55bc696f12de5b67f888b

SHA1
bccf16bbd0a27888c11e4db5c0dc0da409935739

SHA256
ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9

SHA512
f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\RyukReadMe.html

MD5
c41739852bd55bc696f12de5b67f888b

SHA1
bccf16bbd0a27888c11e4db5c0dc0da409935739

SHA256
ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9

SHA512
f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\RyukReadMe.html

MD5
c41739852bd55bc696f12de5b67f888b

SHA1
bccf16bbd0a27888c11e4db5c0dc0da409935739

SHA256
ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9

SHA512
f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\RyukReadMe.html

MD5
c41739852bd55bc696f12de5b67f888b

SHA1
bccf16bbd0a27888c11e4db5c0dc0da409935739

SHA256
ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9

SHA512
f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\RyukReadMe.html

MD5
c41739852bd55bc696f12de5b67f888b

SHA1
bccf16bbd0a27888c11e4db5c0dc0da409935739

SHA256
ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9

SHA512
f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\RyukReadMe.html

MD5
c41739852bd55bc696f12de5b67f888b

SHA1
bccf16bbd0a27888c11e4db5c0dc0da409935739

SHA256
ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9

SHA512
f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\RyukReadMe.html

MD5
c41739852bd55bc696f12de5b67f888b

SHA1
bccf16bbd0a27888c11e4db5c0dc0da409935739

SHA256
ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9

SHA512
f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

Download Submit
C:\Users\Admin\AppData\Local\Temp\jrDvYvp.exe

MD5
35fb90e465df48871ee78df492fe22de

SHA1
ddfba2e525968f6aedf050613f32b124b13f776a

SHA256
b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2

SHA512
60511d000df87164627fb6053049e82be0833e60a8b8a7ae30e93084e4293e250f1a7b2a4eaf3d875408a304e845ae548ff2cd68d6f604090cdc5be3d168d5f7

Download Submit
C:\Users\RyukReadMe.html

MD5
c41739852bd55bc696f12de5b67f888b

SHA1
bccf16bbd0a27888c11e4db5c0dc0da409935739

SHA256
ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9

SHA512
f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

Download Submit
\Users\Admin\AppData\Local\Temp\jrDvYvp.exe

MD5
35fb90e465df48871ee78df492fe22de

SHA1
ddfba2e525968f6aedf050613f32b124b13f776a

SHA256
b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2

SHA512
60511d000df87164627fb6053049e82be0833e60a8b8a7ae30e93084e4293e250f1a7b2a4eaf3d875408a304e845ae548ff2cd68d6f604090cdc5be3d168d5f7

Download Submit
\Users\Admin\AppData\Local\Temp\jrDvYvp.exe

MD5
35fb90e465df48871ee78df492fe22de

SHA1
ddfba2e525968f6aedf050613f32b124b13f776a

SHA256
b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2

SHA512
60511d000df87164627fb6053049e82be0833e60a8b8a7ae30e93084e4293e250f1a7b2a4eaf3d875408a304e845ae548ff2cd68d6f604090cdc5be3d168d5f7

Download Submit
memory/1276-59-0x0000000030000000-0x0000000030171000-memory.dmp

Filesize
1.4MB

Download
memory/1664-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download