Analysis Overview
SHA256
b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2
Threat Level: Known bad
The file b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2 was found to be: Known bad.
Malicious Activity Summary
Ryuk
Deletes shadow copies
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Modifies file permissions
Adds Run key to start application
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Runs net.exe
Interacts with shadow copies
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-20 02:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 02:55
Reported
2022-02-20 03:23
Platform
win7-en-20211208
Max time kernel
160s
Max time network
83s
Command Line
Signatures
Ryuk
Deletes shadow copies
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jrDvYvp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jrDvYvp.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\jrDvYvp.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Users\Admin\AppData\Local\Temp\b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
"C:\Users\Admin\AppData\Local\Temp\b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe"
C:\Users\Admin\AppData\Local\Temp\jrDvYvp.exe
"C:\Users\Admin\AppData\Local\Temp\jrDvYvp.exe" 8 LAN
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe" /f /reg:64
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe" /f /reg:64
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\jrDvYvp.exe" /f /reg:64
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\jrDvYvp.exe" /f /reg:64
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.0.1:7 | N/A | udp |
| NL | 154.61.71.51:7 | N/A | udp |
| N/A | 224.0.0.22:7 | N/A | udp |
| N/A | 224.0.0.252:7 | N/A | udp |
| N/A | 239.255.255.250:7 | N/A | udp |
Files
memory/1664-54-0x0000000075D61000-0x0000000075D63000-memory.dmp
\Users\Admin\AppData\Local\Temp\jrDvYvp.exe
| MD5 | 35fb90e465df48871ee78df492fe22de |
| SHA1 | ddfba2e525968f6aedf050613f32b124b13f776a |
| SHA256 | b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2 |
| SHA512 | 60511d000df87164627fb6053049e82be0833e60a8b8a7ae30e93084e4293e250f1a7b2a4eaf3d875408a304e845ae548ff2cd68d6f604090cdc5be3d168d5f7 |
\Users\Admin\AppData\Local\Temp\jrDvYvp.exe
| MD5 | 35fb90e465df48871ee78df492fe22de |
| SHA1 | ddfba2e525968f6aedf050613f32b124b13f776a |
| SHA256 | b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2 |
| SHA512 | 60511d000df87164627fb6053049e82be0833e60a8b8a7ae30e93084e4293e250f1a7b2a4eaf3d875408a304e845ae548ff2cd68d6f604090cdc5be3d168d5f7 |
C:\Users\Admin\AppData\Local\Temp\jrDvYvp.exe
| MD5 | 35fb90e465df48871ee78df492fe22de |
| SHA1 | ddfba2e525968f6aedf050613f32b124b13f776a |
| SHA256 | b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2 |
| SHA512 | 60511d000df87164627fb6053049e82be0833e60a8b8a7ae30e93084e4293e250f1a7b2a4eaf3d875408a304e845ae548ff2cd68d6f604090cdc5be3d168d5f7 |
memory/1276-59-0x0000000030000000-0x0000000030171000-memory.dmp
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e
| MD5 | 93a5aadeec082ffc1bca5aa27af70f52 |
| SHA1 | 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31 |
| SHA256 | a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294 |
| SHA512 | df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45 |
C:\Users\RyukReadMe.html
| MD5 | c41739852bd55bc696f12de5b67f888b |
| SHA1 | bccf16bbd0a27888c11e4db5c0dc0da409935739 |
| SHA256 | ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9 |
| SHA512 | f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187 |
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.html
| MD5 | c41739852bd55bc696f12de5b67f888b |
| SHA1 | bccf16bbd0a27888c11e4db5c0dc0da409935739 |
| SHA256 | ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9 |
| SHA512 | f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187 |
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK
| MD5 | fcab6d3899815b9b2aa4836832421caf |
| SHA1 | 2356294d5003fc4a538cfa551ac8885b7dff5ed2 |
| SHA256 | 2731d37b6d99c544f51be9cbe6807b36b41736724f0784b744369a649206bf50 |
| SHA512 | f348fc53a3940687d52c10d4630dbb077dd2d0105c96cfdefe747e6d732a0ffb5ab3f86eb87bf15a2cf56e0b4b20b240eb63443e2e3a0879693c584c150f919e |
C:\Users\Admin\AppData\Local\Adobe\RyukReadMe.html
| MD5 | c41739852bd55bc696f12de5b67f888b |
| SHA1 | bccf16bbd0a27888c11e4db5c0dc0da409935739 |
| SHA256 | ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9 |
| SHA512 | f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187 |
C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html
| MD5 | c41739852bd55bc696f12de5b67f888b |
| SHA1 | bccf16bbd0a27888c11e4db5c0dc0da409935739 |
| SHA256 | ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9 |
| SHA512 | f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187 |
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
| MD5 | 92d3c949a9d49474e0e5ca95384720e0 |
| SHA1 | dd49bdddb17617acc2fa56fc41a5d33712488c08 |
| SHA256 | f5ee7a517bfb664b0934a7f66e368973f5ab29eac5332701afb0f01da013c7ea |
| SHA512 | 2c6974959a16b69aa9d12d84ee6744e9cbec0608a00ef09ba85d8608e765fc6040e19008f6306297a00c38d236970f41bb84a4114f6b72e8c034bb693b78bf0d |
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
| MD5 | 2dbbb45c79241dbbd6dc1d72f920a07a |
| SHA1 | 36bfd812668e7fa2840e909a75afa5937cb56a37 |
| SHA256 | 52270db734d87bf3e3596e90e7de6245824c4046b83c59d495337aa5f108bd4b |
| SHA512 | 58bdf6698d21023e88d5bee8866b23f5c7020392dd4820bfcf4b31f0504cfc857fb0d980b1e48d31a783590753f70b2b54c898d9236f667c338884d061f9d2fc |
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
| MD5 | c41739852bd55bc696f12de5b67f888b |
| SHA1 | bccf16bbd0a27888c11e4db5c0dc0da409935739 |
| SHA256 | ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9 |
| SHA512 | f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187 |
C:\Users\Admin\AppData\Local\Adobe\Color\ACECache10.lst.RYK
| MD5 | 755adc051f2bf3530e33b73352de3672 |
| SHA1 | 722971e253995ffd4974b7e54250c7701005353e |
| SHA256 | 45c92c30829c09c1de031f3653080db1b999c097231685de82756a7b8b62e878 |
| SHA512 | 362831d6f4e42ffcb5ea422a081b230922f33df5f5d4f855d18ab85954e90a6487c106c53f642e9504ea89be3b848d33a5d4aeaa869d9bc76ab6d2316934deb5 |
C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
| MD5 | c41739852bd55bc696f12de5b67f888b |
| SHA1 | bccf16bbd0a27888c11e4db5c0dc0da409935739 |
| SHA256 | ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9 |
| SHA512 | f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187 |
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html
| MD5 | c41739852bd55bc696f12de5b67f888b |
| SHA1 | bccf16bbd0a27888c11e4db5c0dc0da409935739 |
| SHA256 | ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9 |
| SHA512 | f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187 |
C:\Users\Admin\AppData\Local\Microsoft\Credentials\RyukReadMe.html
| MD5 | c41739852bd55bc696f12de5b67f888b |
| SHA1 | bccf16bbd0a27888c11e4db5c0dc0da409935739 |
| SHA256 | ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9 |
| SHA512 | f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187 |
C:\Users\Admin\AppData\Local\IconCache.db.RYK
| MD5 | 10631892bd78711262047b864fa11dbc |
| SHA1 | 6c4772224ca81d0f932562bbe2a527f9135c203e |
| SHA256 | c6b24f944930b937dfb5defce511321d616ad7472cebac37c03708773298ac6e |
| SHA512 | 7ea084a425fb6dcd698eef576b15f64e7dbf781323b07db5794351a047a70b8cc526660c78642ede20e5009ba42e45997cde8a089d32b30619406290253fbfe1 |
C:\Users\Admin\AppData\Local\Google\RyukReadMe.html
| MD5 | c41739852bd55bc696f12de5b67f888b |
| SHA1 | bccf16bbd0a27888c11e4db5c0dc0da409935739 |
| SHA256 | ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9 |
| SHA512 | f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187 |
C:\Users\Admin\AppData\Local\Microsoft\Feeds\RyukReadMe.html
| MD5 | c41739852bd55bc696f12de5b67f888b |
| SHA1 | bccf16bbd0a27888c11e4db5c0dc0da409935739 |
| SHA256 | ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9 |
| SHA512 | f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187 |
C:\Users\Admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK
| MD5 | f5bddc913c09e460dc5265f6df3d0db8 |
| SHA1 | e78813256aacace35ee3ac763bc7b8edac1e7890 |
| SHA256 | 56f27a0bc1b3d1ac8abbe8720a256d98758e4a5e9d4266ba5ce31071883fe7e3 |
| SHA512 | db6600cdb2ac8d0d40f6cc7546573074038d52810c0630b5c41e0696f6c905ceab4fb4f6c1c3f271283e52648cca85a674596d04497a5d3827aea601639597ff |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.RYK
| MD5 | 9c2363913219c45ee65ecd51602890db |
| SHA1 | 070ca5882b572562bb864f980cf10f1f39cc2166 |
| SHA256 | a8dc90026b9ace713bd98061d44ac614628384f7ca52eaacd81866ed717da955 |
| SHA512 | b984d5401a9d2dae793a0ab898064eb9520bf5f0e1354ea0ab3e70569efa3ce961b52468a870839165bb9445cfa6a67a9413b5a1fd934ef51e02aa9db9696498 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak.RYK
| MD5 | 5f69b44173d70b3ea728cb4b8f645884 |
| SHA1 | 831f912571cb87a97252b797b7071c0f49cc8c20 |
| SHA256 | d072da96964299ef1906e66e283a457ff2cb7e83b1192b0bc3611cdb7eecfa3a |
| SHA512 | c0368e1e4b4973cddf369738162509942b40446aacdaf7eb4a5fc3bd318135134905a1bcfb8ac1f3ec9928a79fc33a639885f415b3e049a638ad091259cda523 |
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RyukReadMe.html
| MD5 | c41739852bd55bc696f12de5b67f888b |
| SHA1 | bccf16bbd0a27888c11e4db5c0dc0da409935739 |
| SHA256 | ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9 |
| SHA512 | f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\RyukReadMe.html
| MD5 | c41739852bd55bc696f12de5b67f888b |
| SHA1 | bccf16bbd0a27888c11e4db5c0dc0da409935739 |
| SHA256 | ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9 |
| SHA512 | f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187 |
C:\Users\Admin\AppData\Local\Microsoft\Office\RyukReadMe.html
| MD5 | c41739852bd55bc696f12de5b67f888b |
| SHA1 | bccf16bbd0a27888c11e4db5c0dc0da409935739 |
| SHA256 | ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9 |
| SHA512 | f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\RyukReadMe.html
| MD5 | c41739852bd55bc696f12de5b67f888b |
| SHA1 | bccf16bbd0a27888c11e4db5c0dc0da409935739 |
| SHA256 | ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9 |
| SHA512 | f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\RyukReadMe.html
| MD5 | c41739852bd55bc696f12de5b67f888b |
| SHA1 | bccf16bbd0a27888c11e4db5c0dc0da409935739 |
| SHA256 | ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9 |
| SHA512 | f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\RyukReadMe.html
| MD5 | c41739852bd55bc696f12de5b67f888b |
| SHA1 | bccf16bbd0a27888c11e4db5c0dc0da409935739 |
| SHA256 | ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9 |
| SHA512 | f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\RyukReadMe.html
| MD5 | c41739852bd55bc696f12de5b67f888b |
| SHA1 | bccf16bbd0a27888c11e4db5c0dc0da409935739 |
| SHA256 | ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9 |
| SHA512 | f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\RyukReadMe.html
| MD5 | c41739852bd55bc696f12de5b67f888b |
| SHA1 | bccf16bbd0a27888c11e4db5c0dc0da409935739 |
| SHA256 | ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9 |
| SHA512 | f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\RyukReadMe.html
| MD5 | c41739852bd55bc696f12de5b67f888b |
| SHA1 | bccf16bbd0a27888c11e4db5c0dc0da409935739 |
| SHA256 | ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9 |
| SHA512 | f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\RyukReadMe.html
| MD5 | c41739852bd55bc696f12de5b67f888b |
| SHA1 | bccf16bbd0a27888c11e4db5c0dc0da409935739 |
| SHA256 | ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9 |
| SHA512 | f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\RyukReadMe.html
| MD5 | c41739852bd55bc696f12de5b67f888b |
| SHA1 | bccf16bbd0a27888c11e4db5c0dc0da409935739 |
| SHA256 | ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9 |
| SHA512 | f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\RyukReadMe.html
| MD5 | c41739852bd55bc696f12de5b67f888b |
| SHA1 | bccf16bbd0a27888c11e4db5c0dc0da409935739 |
| SHA256 | ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9 |
| SHA512 | f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187 |
C:\Users\Admin\AppData\Local\Microsoft\PlayReady\RyukReadMe.html
| MD5 | c41739852bd55bc696f12de5b67f888b |
| SHA1 | bccf16bbd0a27888c11e4db5c0dc0da409935739 |
| SHA256 | ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9 |
| SHA512 | f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187 |
C:\Users\Admin\AppData\Local\Microsoft\RyukReadMe.html
| MD5 | c41739852bd55bc696f12de5b67f888b |
| SHA1 | bccf16bbd0a27888c11e4db5c0dc0da409935739 |
| SHA256 | ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9 |
| SHA512 | f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187 |
C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\RyukReadMe.html
| MD5 | c41739852bd55bc696f12de5b67f888b |
| SHA1 | bccf16bbd0a27888c11e4db5c0dc0da409935739 |
| SHA256 | ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9 |
| SHA512 | f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187 |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\RyukReadMe.html
| MD5 | c41739852bd55bc696f12de5b67f888b |
| SHA1 | bccf16bbd0a27888c11e4db5c0dc0da409935739 |
| SHA256 | ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9 |
| SHA512 | f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187 |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb.RYK
| MD5 | 53cdf1b65b15ba43936a024cdd4886f9 |
| SHA1 | cab601076e50cf6b83940359eaead23b1f0a5770 |
| SHA256 | 196328857a8e38702a0e0c277a65e16cfec006a63a95ae6038f516e51caffa3f |
| SHA512 | 8fa2ce6422ad15b342a62eabf1614388a9a1b5a79609fabdd2c667bdcb644d3b02ef96d6cf31747843c95ae0df1de0c5346b6de7e8393eb55ae0d48bc3d043b5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\RyukReadMe.html
| MD5 | c41739852bd55bc696f12de5b67f888b |
| SHA1 | bccf16bbd0a27888c11e4db5c0dc0da409935739 |
| SHA256 | ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9 |
| SHA512 | f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\oeold.xml.RYK
| MD5 | 7f2be22b15310556ed5d483f806c9b52 |
| SHA1 | 7df7bc92ec2f4d7e9dd6a690cd04258507abfa79 |
| SHA256 | 63023a7f84803cf22fb435c49efdc29a5609aadc642fcfafa7ae79679e94d2d9 |
| SHA512 | a3286a9c6ed241de3419f964b2af5038031184b0cb42996384c59986369569b8af883c20cf53f634317d59bb7dc48f004c24da40be440d9e203f17004451f291 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edbres00002.jrs.RYK
| MD5 | f3ac534beff4ef5577eb7b5914bd4074 |
| SHA1 | 952e125ac633923430c52d983847d3000017e624 |
| SHA256 | 80e95fe7dd1e5fa8ca3fbe44d7db180db637dab2f11c3d072b26a14f285c810f |
| SHA512 | b12128001d91d6afc3172db9ae9013f0b347af59774fab3888faa918677e10d52ee3a5b75d7116e6b4332dee8d7ec4bed3a983089b7097e4346ccd0100aab391 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edbres00001.jrs.RYK
| MD5 | fb0dcf411373f68ebdd63a1f297b38b8 |
| SHA1 | a3f3e6ea5466d2421b9ec4d4421a1c51600dba34 |
| SHA256 | ea8b54f5358e399e98b075fe7a7e7c4e31800a1184658a4db98fa4571348071c |
| SHA512 | 7504edb3dae30be8e9333649b54f084a36908dd92433e7863a81b3256aeeee9f0e72858278efbb864256b351edd712c1df95a752bd16615823f3590e7e373f1b |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb00001.log.RYK
| MD5 | 146ac6f73d191be70c94197214dc96af |
| SHA1 | 1cef20d61d1656974b111e32f4618ed8cb859ccc |
| SHA256 | 0aca13d74c913eba74d63d5fb370728f2a589b1a7a0c1fe89f425612e734e079 |
| SHA512 | 936e9a89b13be798fad6828bf8e4dee4846b8fb830e69cd62f16abc98e9319adbb5e2266d76d270371d580cf981e93f7db29fd80909dfd9428976ec23119534a |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log.RYK
| MD5 | 1623e1fca1c6bdef3b9d56adda5df1b8 |
| SHA1 | d2e77bc33983b548aa8c433e682c4747d75d41a1 |
| SHA256 | 705eb33bd6c11f55583e951a3f868b9d1879a4cef9a785bd822acb0f1ea9e551 |
| SHA512 | 674b34d27194100ec697a9bd4a86a3bf45a099f3f8bf689cde8be72fd067b44289ab2f20664066fd8337d6be7fa2d3722aabbd7da07b5a2206c39a8298524c0a |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.chk.RYK
| MD5 | 2eaae995d7e5e1771f9cbd5e5a6234ed |
| SHA1 | 1788c38b466e4ca7dd87bdc6eebf816e270e54e0 |
| SHA256 | c1fc2c31c9d31c822aa4a6bc13283bf45121f12cd392aa6b01be2f11cba6b6b1 |
| SHA512 | 44d7e27d5589d5867a88eda9ca55921cd65771342eb716e0f04d45bac96d4cb76ec6c811a99492feadb21583a4bcfdad665b29f856700795dca9b585a7b557b2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Graph.emf
| MD5 | 0dabbc311227b961e94b8d6a9dd7c4ed |
| SHA1 | 231c2fd243d305ee804a0b04a17b76c940e4f188 |
| SHA256 | ab243379ee90b15c7ec542a66f36810f3026332d611d16c1763b7f1e76aef3e6 |
| SHA512 | 0bfa44d0b800a665d9eccf7d01da7878a09dbb9698138c2db9cb2d36baa15cb1f77978c27b1a8886009e26633060a29ed8d9acffb4f4c73a56d71b79f2549ebe |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Music.emf
| MD5 | 727106567c91e634d957a1f28c2e498c |
| SHA1 | dd78c670fb227e9a538a19395a69f7e194efb7c2 |
| SHA256 | 32278534c2e4cdb36d034f7c5a6d022d0ff756ebfe3dff8ad3ef5eae61b01131 |
| SHA512 | fb1c31dac6df3668cb36bb032fc5cde959aa386ad9e2c67b7dfc627a33b2cd2aa9513d41e95a6d829fcfb9162442b76b67adb297671cbf741a7fbc1c356e636e |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg
| MD5 | aee0ea13532917e43f50efd990b2b36a |
| SHA1 | 3add3be437e4db860a3ab9e6f03eff07ddf532c3 |
| SHA256 | cb8b3b0ef6cc9748d4835015a2a756efd096c34d30967752adc2037e34c2145a |
| SHA512 | 59f9abfc1adf43ed03a2a8a4b643f64c01e614f8ebc28ccdcf14b2229ddc77233af89d6861813244aadac30e585e7b589d5bd1b5301f5cc6185dd7a3550b95b5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Memo.emf
| MD5 | dacdcba79d955e68b084a3a39703a355 |
| SHA1 | 0f4e82bcd7608e8e10e3826e4d76af83ee04b94e |
| SHA256 | 3f8049ab1fa4f623c4b5a543a944f53f9ed46fb1ed0f437a43097dfb887c5667 |
| SHA512 | 877d566412999838780bff8a5aca727de5d3b1ef01b91be95559bdb566d06106e1139d62b35f7535e27d9652eebced7c26d7100dbed3eb47bbdfaee039977a59 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg
| MD5 | 71736b74a662fab205b45f98999abb0d |
| SHA1 | 8e2a67e23cb160046c1945410b6e86ecde0f2ebd |
| SHA256 | dfd800c33793dda429e9a6ba27fef41f0e0be6505f5f592942101af8d346e456 |
| SHA512 | f286786b51d3f5a47ceff32b941cfb7034bd2f9f639b2ce796a76b6f16f077e6c65179b4e0a06c8969e9da1596f4b5be1d319d571947ed5d966def5773fc7d67 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.htm
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.htm
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Seyes.emf
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.htm
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Tiki.gif
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat.RYK
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 02:55
Reported
2022-02-20 03:23
Platform
win10v2004-en-20220113
Max time kernel
164s
Max time network
219s
Command Line
Signatures
Ryuk
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yeFcpTq.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\yeFcpTq.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yeFcpTq.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
"C:\Users\Admin\AppData\Local\Temp\b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe"
C:\Users\Admin\AppData\Local\Temp\yeFcpTq.exe
"C:\Users\Admin\AppData\Local\Temp\yeFcpTq.exe" 8 LAN
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe" /f /reg:64
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\yeFcpTq.exe" /f /reg:64
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe" /f /reg:64
C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\yeFcpTq.exe" /f /reg:64
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
Network
Files
C:\Users\Admin\AppData\Local\Temp\yeFcpTq.exe
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_e269d2c1-0edf-4391-ac7b-818b8e88b04f
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
C:\RyukReadMe.html
C:\Users\RyukReadMe.html