Analysis Overview
SHA256
9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316
Threat Level: Known bad
The file 9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316 was found to be: Known bad.
Malicious Activity Summary
Ryuk
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Modifies file permissions
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-20 04:23
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 04:23
Reported
2022-02-20 04:40
Platform
win7-en-20211208
Max time kernel
174s
Max time network
216s
Command Line
Signatures
Ryuk
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JGJdWfLTDrep.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DBbkkVVNNlan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jZZFLUWyalan.exe | N/A |
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\RyukReadMe.html | C:\Users\Admin\AppData\Local\Temp\9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\RyukReadMe.html | C:\Users\Admin\AppData\Local\Temp\9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe
"C:\Users\Admin\AppData\Local\Temp\9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe"
C:\Users\Admin\AppData\Local\Temp\JGJdWfLTDrep.exe
"C:\Users\Admin\AppData\Local\Temp\JGJdWfLTDrep.exe" 9 REP
C:\Users\Admin\AppData\Local\Temp\DBbkkVVNNlan.exe
"C:\Users\Admin\AppData\Local\Temp\DBbkkVVNNlan.exe" 8 LAN
C:\Users\Admin\AppData\Local\Temp\jZZFLUWyalan.exe
"C:\Users\Admin\AppData\Local\Temp\jZZFLUWyalan.exe" 8 LAN
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
Network
| Country | Destination | Proto | Domain |
| N/A | 10.127.0.1:7 | udp | |
| N/A | 10.127.0.1:7 | udp | |
| N/A | 10.127.0.2:7 | udp | |
| N/A | 10.127.0.2:7 | udp | |
| N/A | 10.127.0.3:7 | udp | |
| N/A | 10.127.0.3:7 | udp | |
| N/A | 10.127.0.4:7 | udp | |
| N/A | 10.127.0.4:7 | udp | |
| N/A | 10.127.0.5:7 | udp | |
| N/A | 10.127.0.5:7 | udp | |
| N/A | 10.127.0.6:7 | udp | |
| N/A | 10.127.0.6:7 | udp | |
| N/A | 10.127.0.7:7 | udp | |
| N/A | 10.127.0.7:7 | udp | |
| N/A | 10.127.0.8:7 | udp | |
| N/A | 10.127.0.8:7 | udp | |
| N/A | 10.127.0.9:7 | udp | |
| N/A | 10.127.0.9:7 | udp | |
| N/A | 10.127.0.10:7 | udp | |
| N/A | 10.127.0.10:7 | udp | |
| N/A | 10.127.0.11:7 | udp | |
| N/A | 10.127.0.11:7 | udp | |
| N/A | 10.127.0.12:7 | udp | |
| N/A | 10.127.0.12:7 | udp | |
| N/A | 10.127.0.13:7 | udp | |
| N/A | 10.127.0.14:7 | udp | |
| N/A | 10.127.0.13:7 | udp | |
| N/A | 10.127.0.14:7 | udp | |
| N/A | 10.127.0.15:7 | udp | |
| N/A | 10.127.0.15:7 | udp | |
| N/A | 10.127.0.16:7 | udp | |
| N/A | 10.127.0.17:7 | udp | |
| N/A | 10.127.0.18:7 | udp | |
| N/A | 10.127.0.19:7 | udp | |
| N/A | 10.127.0.20:7 | udp | |
| N/A | 10.127.0.16:7 | udp | |
| N/A | 10.127.0.21:7 | udp | |
| N/A | 10.127.0.17:7 | udp | |
| N/A | 10.127.0.18:7 | udp | |
| N/A | 10.127.0.22:7 | udp | |
| N/A | 10.127.0.19:7 | udp | |
| N/A | 10.127.0.24:7 | udp | |
| N/A | 10.127.0.20:7 | udp | |
| N/A | 10.127.0.21:7 | udp | |
| N/A | 10.127.0.22:7 | udp | |
| N/A | 10.127.0.25:7 | udp | |
| N/A | 10.127.0.24:7 | udp | |
| N/A | 10.127.0.26:7 | udp | |
| N/A | 10.127.0.25:7 | udp | |
| N/A | 10.127.0.27:7 | udp | |
| N/A | 10.127.0.26:7 | udp | |
| N/A | 10.127.0.27:7 | udp | |
| N/A | 10.127.0.28:7 | udp | |
| N/A | 10.127.0.28:7 | udp | |
| N/A | 10.127.0.29:7 | udp | |
| N/A | 10.127.0.30:7 | udp | |
| N/A | 10.127.0.31:7 | udp | |
| N/A | 10.127.0.32:7 | udp | |
| N/A | 10.127.0.33:7 | udp | |
| N/A | 10.127.0.34:7 | udp | |
| N/A | 10.127.0.29:7 | udp | |
| N/A | 10.127.0.35:7 | udp | |
| N/A | 10.127.0.30:7 | udp | |
| N/A | 10.127.0.36:7 | udp | |
| N/A | 10.127.0.31:7 | udp | |
| N/A | 10.127.0.37:7 | udp | |
| N/A | 10.127.0.32:7 | udp | |
| N/A | 10.127.0.33:7 | udp | |
| N/A | 10.127.0.38:7 | udp | |
| N/A | 10.127.0.34:7 | udp | |
| N/A | 10.127.0.35:7 | udp | |
| N/A | 10.127.0.36:7 | udp | |
| N/A | 10.127.0.37:7 | udp | |
| N/A | 10.127.0.39:7 | udp | |
| N/A | 10.127.0.38:7 | udp | |
| N/A | 10.127.0.40:7 | udp | |
| N/A | 10.127.0.39:7 | udp | |
| N/A | 10.127.0.40:7 | udp | |
| N/A | 10.127.0.41:7 | udp | |
| N/A | 10.127.0.41:7 | udp | |
| N/A | 10.127.0.42:7 | udp | |
| N/A | 10.127.0.42:7 | udp | |
| N/A | 10.127.0.43:7 | udp | |
| N/A | 10.127.0.43:7 | udp | |
| N/A | 10.127.0.44:7 | udp | |
| N/A | 10.127.0.44:7 | udp | |
| N/A | 10.127.0.45:7 | udp | |
| N/A | 10.127.0.45:7 | udp | |
| N/A | 10.127.0.46:7 | udp | |
| N/A | 10.127.0.47:7 | udp | |
| N/A | 10.127.0.46:7 | udp | |
| N/A | 10.127.0.48:7 | udp | |
| N/A | 10.127.0.47:7 | udp | |
| N/A | 10.127.0.48:7 | udp | |
| N/A | 10.127.0.49:7 | udp | |
| N/A | 10.127.0.49:7 | udp | |
| N/A | 10.127.0.50:7 | udp | |
| N/A | 10.127.0.50:7 | udp | |
| N/A | 10.127.0.51:7 | udp | |
| N/A | 10.127.0.51:7 | udp | |
| N/A | 10.127.0.52:7 | udp | |
| N/A | 10.127.0.53:7 | udp | |
| N/A | 10.127.0.54:7 | udp | |
| N/A | 10.127.0.55:7 | udp | |
| N/A | 10.127.0.56:7 | udp | |
| N/A | 10.127.0.57:7 | udp | |
| N/A | 10.127.0.58:7 | udp | |
| N/A | 10.127.0.52:7 | udp | |
| N/A | 10.127.0.53:7 | udp | |
| N/A | 10.127.0.59:7 | udp | |
| N/A | 10.127.0.54:7 | udp | |
| N/A | 10.127.0.60:7 | udp | |
| N/A | 10.127.0.55:7 | udp | |
| N/A | 10.127.0.61:7 | udp | |
| N/A | 10.127.0.56:7 | udp | |
| N/A | 10.127.0.57:7 | udp | |
| N/A | 10.127.0.62:7 | udp | |
| N/A | 10.127.0.58:7 | udp | |
| N/A | 10.127.0.59:7 | udp | |
| N/A | 10.127.0.63:7 | udp | |
| N/A | 10.127.0.60:7 | udp | |
| N/A | 10.127.0.64:7 | udp | |
| N/A | 10.127.0.61:7 | udp | |
| N/A | 10.127.0.65:7 | udp | |
| N/A | 10.127.0.62:7 | udp | |
| N/A | 10.127.0.66:7 | udp | |
| N/A | 10.127.0.63:7 | udp | |
| N/A | 10.127.0.67:7 | udp | |
| N/A | 10.127.0.64:7 | udp | |
| N/A | 10.127.0.68:7 | udp | |
| N/A | 10.127.0.65:7 | udp | |
| N/A | 10.127.0.69:7 | udp | |
| N/A | 10.127.0.66:7 | udp | |
| N/A | 10.127.0.67:7 | udp | |
| N/A | 10.127.0.70:7 | udp | |
| N/A | 10.127.0.68:7 | udp | |
| N/A | 10.127.0.69:7 | udp | |
| N/A | 10.127.0.70:7 | udp | |
| N/A | 10.127.0.71:7 | udp | |
| N/A | 10.127.0.71:7 | udp | |
| N/A | 10.127.0.72:7 | udp | |
| N/A | 10.127.0.72:7 | udp | |
| N/A | 10.127.0.73:7 | udp | |
| N/A | 10.127.0.74:7 | udp | |
| N/A | 10.127.0.73:7 | udp | |
| N/A | 10.127.0.74:7 | udp | |
| N/A | 10.127.0.75:7 | udp | |
| N/A | 10.127.0.76:7 | udp | |
| N/A | 10.127.0.75:7 | udp | |
| N/A | 10.127.0.76:7 | udp | |
| N/A | 10.127.0.77:7 | udp | |
| N/A | 10.127.0.78:7 | udp | |
| N/A | 10.127.0.77:7 | udp | |
| N/A | 10.127.0.79:7 | udp | |
| N/A | 10.127.0.78:7 | udp | |
| N/A | 10.127.0.79:7 | udp | |
| N/A | 10.127.0.80:7 | udp | |
| N/A | 10.127.0.80:7 | udp | |
| N/A | 10.127.0.81:7 | udp | |
| N/A | 10.127.0.82:7 | udp | |
| N/A | 10.127.0.81:7 | udp | |
| N/A | 10.127.0.82:7 | udp | |
| N/A | 10.127.0.83:7 | udp | |
| N/A | 10.127.0.83:7 | udp | |
| N/A | 10.127.0.84:7 | udp | |
| N/A | 10.127.0.84:7 | udp | |
| N/A | 10.127.0.85:7 | udp | |
| N/A | 10.127.0.85:7 | udp | |
| N/A | 10.127.0.86:7 | udp | |
| N/A | 10.127.0.87:7 | udp | |
| N/A | 10.127.0.86:7 | udp | |
| N/A | 10.127.0.88:7 | udp | |
| N/A | 10.127.0.89:7 | udp | |
| N/A | 10.127.0.90:7 | udp | |
| N/A | 10.127.0.91:7 | udp | |
| N/A | 10.127.0.92:7 | udp | |
| N/A | 10.127.0.87:7 | udp | |
| N/A | 10.127.0.93:7 | udp | |
| N/A | 10.127.0.88:7 | udp | |
| N/A | 10.127.0.94:7 | udp | |
| N/A | 10.127.0.89:7 | udp | |
| N/A | 10.127.0.90:7 | udp | |
| N/A | 10.127.0.91:7 | udp | |
| N/A | 10.127.0.92:7 | udp | |
| N/A | 10.127.0.93:7 | udp | |
| N/A | 10.127.0.94:7 | udp | |
| N/A | 10.127.0.95:7 | udp | |
| N/A | 10.127.0.96:7 | udp | |
| N/A | 10.127.0.95:7 | udp | |
| N/A | 10.127.0.96:7 | udp | |
| N/A | 10.127.0.97:7 | udp | |
| N/A | 10.127.0.97:7 | udp | |
| N/A | 10.127.0.98:7 | udp | |
| N/A | 10.127.0.98:7 | udp | |
| N/A | 10.127.0.99:7 | udp | |
| N/A | 10.127.0.99:7 | udp | |
| N/A | 10.127.0.100:7 | udp | |
| N/A | 10.127.0.100:7 | udp | |
| N/A | 10.127.0.101:7 | udp | |
| N/A | 10.127.0.101:7 | udp | |
| N/A | 10.127.0.102:7 | udp | |
| N/A | 10.127.0.102:7 | udp | |
| N/A | 10.127.0.103:7 | udp | |
| N/A | 10.127.0.103:7 | udp | |
| N/A | 10.127.0.104:7 | udp | |
| N/A | 10.127.0.104:7 | udp | |
| N/A | 10.127.0.105:7 | udp | |
| N/A | 10.127.0.105:7 | udp | |
| N/A | 10.127.0.106:7 | udp | |
| N/A | 10.127.0.107:7 | udp | |
| N/A | 10.127.0.106:7 | udp | |
| N/A | 10.127.0.107:7 | udp | |
| N/A | 10.127.0.108:7 | udp | |
| N/A | 10.127.0.108:7 | udp | |
| N/A | 10.127.0.109:7 | udp | |
| N/A | 10.127.0.109:7 | udp | |
| N/A | 10.127.0.110:7 | udp | |
| N/A | 10.127.0.110:7 | udp | |
| N/A | 10.127.0.111:7 | udp | |
| N/A | 10.127.0.111:7 | udp | |
| N/A | 10.127.0.112:7 | udp | |
| N/A | 10.127.0.113:7 | udp | |
| N/A | 10.127.0.112:7 | udp | |
| N/A | 10.127.0.113:7 | udp | |
| N/A | 10.127.0.114:7 | udp | |
| N/A | 10.127.0.115:7 | udp | |
| N/A | 10.127.0.114:7 | udp | |
| N/A | 10.127.0.116:7 | udp | |
| N/A | 10.127.0.115:7 | udp | |
| N/A | 10.127.0.117:7 | udp | |
| N/A | 10.127.0.118:7 | udp | |
| N/A | 10.127.0.116:7 | udp | |
| N/A | 10.127.0.117:7 | udp | |
| N/A | 10.127.0.118:7 | udp | |
| N/A | 10.127.0.120:7 | udp | |
| N/A | 10.127.0.119:7 | udp | |
| N/A | 10.127.0.119:7 | udp | |
| N/A | 10.127.0.121:7 | udp | |
| N/A | 10.127.0.122:7 | udp | |
| N/A | 10.127.0.123:7 | udp | |
| N/A | 10.127.0.124:7 | udp | |
| N/A | 10.127.0.125:7 | udp | |
| N/A | 10.127.0.120:7 | udp | |
| N/A | 10.127.0.126:7 | udp | |
| N/A | 10.127.0.121:7 | udp | |
| N/A | 10.127.0.127:7 | udp | |
| N/A | 10.127.0.122:7 | udp | |
| N/A | 10.127.0.128:7 | udp | |
| N/A | 10.127.0.123:7 | udp | |
| N/A | 10.127.0.129:7 | udp | |
| N/A | 10.127.0.124:7 | udp | |
| N/A | 10.127.0.130:7 | udp | |
| N/A | 10.127.0.125:7 | udp | |
| N/A | 10.127.0.131:7 | udp | |
| N/A | 10.127.0.126:7 | udp | |
| N/A | 10.127.0.127:7 | udp | |
| N/A | 10.127.0.128:7 | udp | |
| N/A | 10.127.0.132:7 | udp | |
| N/A | 10.127.0.129:7 | udp | |
| N/A | 10.127.0.133:7 | udp | |
| N/A | 10.127.0.130:7 | udp | |
| N/A | 10.127.0.131:7 | udp | |
| N/A | 10.127.0.134:7 | udp | |
| N/A | 10.127.0.132:7 | udp | |
| N/A | 10.127.0.133:7 | udp | |
| N/A | 10.127.0.135:7 | udp | |
| N/A | 10.127.0.134:7 | udp | |
| N/A | 10.127.0.135:7 | udp | |
| N/A | 10.127.0.136:7 | udp | |
| N/A | 10.127.0.136:7 | udp | |
| N/A | 10.127.0.138:7 | udp | |
| N/A | 10.127.0.137:7 | udp | |
| N/A | 10.127.0.139:7 | udp | |
| N/A | 10.127.0.140:7 | udp | |
| N/A | 10.127.0.138:7 | udp | |
| N/A | 10.127.0.141:7 | udp | |
| N/A | 10.127.0.139:7 | udp | |
| N/A | 10.127.0.142:7 | udp | |
| N/A | 10.127.0.140:7 | udp | |
| N/A | 10.127.0.137:7 | udp | |
| N/A | 10.127.0.141:7 | udp | |
| N/A | 10.127.0.143:7 | udp | |
| N/A | 10.127.0.144:7 | udp | |
| N/A | 10.127.0.142:7 | udp | |
| N/A | 10.127.0.145:7 | udp | |
| N/A | 10.127.0.143:7 | udp | |
| N/A | 10.127.0.146:7 | udp | |
| N/A | 10.127.0.144:7 | udp | |
| N/A | 10.127.0.145:7 | udp | |
| N/A | 10.127.0.146:7 | udp | |
| N/A | 10.127.0.147:7 | udp | |
| N/A | 10.127.0.148:7 | udp | |
| N/A | 10.127.0.147:7 | udp | |
| N/A | 10.127.0.148:7 | udp | |
| N/A | 10.127.0.149:7 | udp | |
| N/A | 10.127.0.151:7 | udp | |
| N/A | 10.127.0.151:7 | udp | |
| N/A | 10.127.0.153:7 | udp | |
| N/A | 10.127.0.155:7 | udp | |
| N/A | 10.127.0.153:7 | udp | |
| N/A | 10.127.0.154:7 | udp | |
| N/A | 10.127.0.155:7 | udp | |
| N/A | 10.127.0.156:7 | udp | |
| N/A | 10.127.0.157:7 | udp | |
| N/A | 10.127.0.156:7 | udp | |
| N/A | 10.127.0.157:7 | udp | |
| N/A | 10.127.0.159:7 | udp | |
| N/A | 10.127.0.158:7 | udp | |
| N/A | 10.127.0.159:7 | udp | |
| N/A | 10.127.0.161:7 | udp | |
| N/A | 10.127.0.162:7 | udp | |
| N/A | 10.127.0.163:7 | udp | |
| N/A | 10.127.0.149:7 | udp | |
| N/A | 10.127.0.150:7 | udp | |
| N/A | 10.127.0.150:7 | udp | |
| N/A | 10.127.0.152:7 | udp | |
| N/A | 10.127.0.164:7 | udp | |
| N/A | 10.127.0.165:7 | udp | |
| N/A | 10.127.0.167:7 | udp | |
| N/A | 10.127.0.160:7 | udp | |
| N/A | 10.127.0.161:7 | udp | |
| N/A | 10.127.0.169:7 | udp | |
| N/A | 10.127.0.162:7 | udp | |
| N/A | 10.127.0.171:7 | udp | |
| N/A | 10.127.0.163:7 | udp | |
| N/A | 10.127.0.173:7 | udp | |
| N/A | 10.127.0.164:7 | udp | |
| N/A | 10.127.0.165:7 | udp | |
| N/A | 10.127.0.175:7 | udp | |
| N/A | 10.127.0.154:7 | udp | |
| N/A | 10.127.0.152:7 | udp | |
| N/A | 10.127.0.158:7 | udp | |
| N/A | 10.127.0.160:7 | udp | |
| N/A | 10.127.0.167:7 | udp | |
| N/A | 10.127.0.169:7 | udp | |
| N/A | 10.127.0.177:7 | udp | |
| N/A | 10.127.0.171:7 | udp | |
| N/A | 10.127.0.179:7 | udp | |
| N/A | 10.127.0.173:7 | udp | |
| N/A | 10.127.0.181:7 | udp | |
| N/A | 10.127.0.175:7 | udp | |
| N/A | 10.127.0.183:7 | udp | |
| N/A | 10.127.0.177:7 | udp | |
| N/A | 10.127.0.185:7 | udp | |
| N/A | 10.127.0.179:7 | udp | |
| N/A | 10.127.0.181:7 | udp | |
| N/A | 10.127.0.187:7 | udp | |
| N/A | 10.127.0.183:7 | udp | |
| N/A | 10.127.0.185:7 | udp | |
| N/A | 10.127.0.187:7 | udp | |
| N/A | 10.127.0.189:7 | udp | |
| N/A | 10.127.0.189:7 | udp | |
| N/A | 10.127.0.191:7 | udp | |
Files
memory/1792-54-0x0000000075471000-0x0000000075473000-memory.dmp
\Users\Admin\AppData\Local\Temp\JGJdWfLTDrep.exe
| MD5 | a846277644734a79f5367050e39508dd |
| SHA1 | cecc43a1fab79846fb2a1790a95ac6a4c5d66579 |
| SHA256 | 9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316 |
| SHA512 | 92b9a790e192b68afae0a2b5cfd3d29de41fcb4e5f2724f2f468790afce7b95b7ffe8124784f9d3552b97fdf75ff534723bffefe99ccbb6f8fb789bbd46faf47 |
\Users\Admin\AppData\Local\Temp\JGJdWfLTDrep.exe
| MD5 | a846277644734a79f5367050e39508dd |
| SHA1 | cecc43a1fab79846fb2a1790a95ac6a4c5d66579 |
| SHA256 | 9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316 |
| SHA512 | 92b9a790e192b68afae0a2b5cfd3d29de41fcb4e5f2724f2f468790afce7b95b7ffe8124784f9d3552b97fdf75ff534723bffefe99ccbb6f8fb789bbd46faf47 |
C:\Users\Admin\AppData\Local\Temp\JGJdWfLTDrep.exe
| MD5 | a846277644734a79f5367050e39508dd |
| SHA1 | cecc43a1fab79846fb2a1790a95ac6a4c5d66579 |
| SHA256 | 9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316 |
| SHA512 | 92b9a790e192b68afae0a2b5cfd3d29de41fcb4e5f2724f2f468790afce7b95b7ffe8124784f9d3552b97fdf75ff534723bffefe99ccbb6f8fb789bbd46faf47 |
\Users\Admin\AppData\Local\Temp\DBbkkVVNNlan.exe
| MD5 | a846277644734a79f5367050e39508dd |
| SHA1 | cecc43a1fab79846fb2a1790a95ac6a4c5d66579 |
| SHA256 | 9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316 |
| SHA512 | 92b9a790e192b68afae0a2b5cfd3d29de41fcb4e5f2724f2f468790afce7b95b7ffe8124784f9d3552b97fdf75ff534723bffefe99ccbb6f8fb789bbd46faf47 |
\Users\Admin\AppData\Local\Temp\DBbkkVVNNlan.exe
| MD5 | a846277644734a79f5367050e39508dd |
| SHA1 | cecc43a1fab79846fb2a1790a95ac6a4c5d66579 |
| SHA256 | 9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316 |
| SHA512 | 92b9a790e192b68afae0a2b5cfd3d29de41fcb4e5f2724f2f468790afce7b95b7ffe8124784f9d3552b97fdf75ff534723bffefe99ccbb6f8fb789bbd46faf47 |
C:\Users\Admin\AppData\Local\Temp\DBbkkVVNNlan.exe
| MD5 | a846277644734a79f5367050e39508dd |
| SHA1 | cecc43a1fab79846fb2a1790a95ac6a4c5d66579 |
| SHA256 | 9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316 |
| SHA512 | 92b9a790e192b68afae0a2b5cfd3d29de41fcb4e5f2724f2f468790afce7b95b7ffe8124784f9d3552b97fdf75ff534723bffefe99ccbb6f8fb789bbd46faf47 |
\Users\Admin\AppData\Local\Temp\jZZFLUWyalan.exe
| MD5 | a846277644734a79f5367050e39508dd |
| SHA1 | cecc43a1fab79846fb2a1790a95ac6a4c5d66579 |
| SHA256 | 9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316 |
| SHA512 | 92b9a790e192b68afae0a2b5cfd3d29de41fcb4e5f2724f2f468790afce7b95b7ffe8124784f9d3552b97fdf75ff534723bffefe99ccbb6f8fb789bbd46faf47 |
\Users\Admin\AppData\Local\Temp\jZZFLUWyalan.exe
| MD5 | a846277644734a79f5367050e39508dd |
| SHA1 | cecc43a1fab79846fb2a1790a95ac6a4c5d66579 |
| SHA256 | 9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316 |
| SHA512 | 92b9a790e192b68afae0a2b5cfd3d29de41fcb4e5f2724f2f468790afce7b95b7ffe8124784f9d3552b97fdf75ff534723bffefe99ccbb6f8fb789bbd46faf47 |
C:\Users\Admin\AppData\Local\Temp\jZZFLUWyalan.exe
| MD5 | a846277644734a79f5367050e39508dd |
| SHA1 | cecc43a1fab79846fb2a1790a95ac6a4c5d66579 |
| SHA256 | 9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316 |
| SHA512 | 92b9a790e192b68afae0a2b5cfd3d29de41fcb4e5f2724f2f468790afce7b95b7ffe8124784f9d3552b97fdf75ff534723bffefe99ccbb6f8fb789bbd46faf47 |
C:\users\Public\RyukReadMe.html
| MD5 | 56c83e67197423d78c596861e82493a3 |
| SHA1 | 0905d3a60afc6dcb442761479f0cb967fb3ab7b8 |
| SHA256 | 1441d28792036d4606b8a2a7a23bfcdbefe0dbe798f73fa195c0d6178ef11b1e |
| SHA512 | 4881a7e924892bb95c6500cafc320573099647fd1f80176d12902d0ce26f278f328a6a8eaf1cf18b99e98745887886b362f860076ebf94e93555a3c7ebfdf056 |
C:\$Recycle.Bin\RyukReadMe.html
| MD5 | 56c83e67197423d78c596861e82493a3 |
| SHA1 | 0905d3a60afc6dcb442761479f0cb967fb3ab7b8 |
| SHA256 | 1441d28792036d4606b8a2a7a23bfcdbefe0dbe798f73fa195c0d6178ef11b1e |
| SHA512 | 4881a7e924892bb95c6500cafc320573099647fd1f80176d12902d0ce26f278f328a6a8eaf1cf18b99e98745887886b362f860076ebf94e93555a3c7ebfdf056 |
C:\MSOCache\All Users\RyukReadMe.html
| MD5 | 56c83e67197423d78c596861e82493a3 |
| SHA1 | 0905d3a60afc6dcb442761479f0cb967fb3ab7b8 |
| SHA256 | 1441d28792036d4606b8a2a7a23bfcdbefe0dbe798f73fa195c0d6178ef11b1e |
| SHA512 | 4881a7e924892bb95c6500cafc320573099647fd1f80176d12902d0ce26f278f328a6a8eaf1cf18b99e98745887886b362f860076ebf94e93555a3c7ebfdf056 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK
| MD5 | c4071b36bbffbe9ed3c36c23ebff8369 |
| SHA1 | c8b49b56275434fb2b1db2b8b531850d63711b5d |
| SHA256 | 4a16239aca35bdb5678f7a4be72ce432857e14912ce14d54bdc6a6222fe90b89 |
| SHA512 | 833771b62369ce7a1568f53a832ebd9401973da0aa7bb4c1ab0764631385a0e112de42bc9c1c9b56370248b6f77d2894a2ae4a47092fddec51262c95e351b86c |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK
| MD5 | d87f4145fb53c5e84eaaa951b9bcefb9 |
| SHA1 | c5eb3bbcda53ddf4fe29284a9226725b4e117528 |
| SHA256 | 2ae7bad471d9b4c240b2141f663b5c77a9fe7d8f0932a8905a4ff07b1f8e42b3 |
| SHA512 | 6d6c329649d6c448e7dc97e1780f64b5ee741905f6e472e0fbbaaec9ef3ef896994fe4a71513c7971e2c7b816cda9112a67435e698315f6e211b1258a645b44a |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html
| MD5 | 56c83e67197423d78c596861e82493a3 |
| SHA1 | 0905d3a60afc6dcb442761479f0cb967fb3ab7b8 |
| SHA256 | 1441d28792036d4606b8a2a7a23bfcdbefe0dbe798f73fa195c0d6178ef11b1e |
| SHA512 | 4881a7e924892bb95c6500cafc320573099647fd1f80176d12902d0ce26f278f328a6a8eaf1cf18b99e98745887886b362f860076ebf94e93555a3c7ebfdf056 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.RYK
| MD5 | 104997de70c7cd19439ab9f4a57beb72 |
| SHA1 | f344e0c912ae18a0df67f09c835eebc838ef9e49 |
| SHA256 | e7d879131f71967e2942fb2eac8451d50040e4229cd82a18797591d4e3a1f1b5 |
| SHA512 | bf6d0a9acc11b028f0bcd845b71b9f258bcb12495db78a470aaf33dd2363f3d3bf3a7d9b569dc1658358832558654bdc5d82532875e86d257f4c481446efff65 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK
| MD5 | 351d4e615110310a7a2cd8de8dda3cae |
| SHA1 | e81102bf4ece4a4f2c283dd27f10b2b572dbe2c8 |
| SHA256 | be6b894f6039ffde4678de3ef889d95092eede3ea95b56c55ae605c0d857648e |
| SHA512 | fe587ce5466066cf56c8f0f32e0cf42875f1046edc856d4a59c735fc848cf109a13ae9aa764400563156ae1a410674ef59e46ef6f74234de4d8e5c6982d617ea |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.RYK
| MD5 | 802801116e4552f3eb9866231c632e19 |
| SHA1 | 012cc86edb0babb09428a332a28cca0a7d8697be |
| SHA256 | 0454988dd1d2606541ce272a07d32ad7ed5ffb17186dd8c4c427bc59af8c9a20 |
| SHA512 | 86318c9a4b5c56c0477eea0ec34ee0de5dc58bf7e3aa18193be32d48c262ec4096699f3c0e2d53535c1654537d3e9d1283c87a521ec2ecb1793d8e0d3d7d75e4 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK
| MD5 | f13ce4c2165968013351e8f17f8abcab |
| SHA1 | 1c973f858d5ad035cce0b92d6c2bc5c5ac79cbe7 |
| SHA256 | 3e35db2ae0b84feb203e773068e74395c07237b4d0150bd431579a0b50e2dd87 |
| SHA512 | 13537aeeda38e4406ad7c09c582a26bd93afaefed52b9dd2631574df6e8791ecd74d52db4a41ae51c9525ad5e189562eb257f424cd20edec062f3fcd24dfdbe9 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.RYK
| MD5 | 4e8f4b78ce3ded89015a32443dc42aae |
| SHA1 | 90657ddf8a55e7866b0051a4a091c14417f6ff01 |
| SHA256 | 074479afac0df28a7d89115924e7b0f2325459a0563f247c3982b6c2f6c23881 |
| SHA512 | 54f8ab25938843eaa73d77d9ef18359d144d05e60a746022f3409810f3e5e2f3bb9372a03a9d68aa79e2d295a67adc2b5ae4962147ebf8393a517e3c4bd3e3c8 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab.RYK
| MD5 | b19d039d877b86a8c2a818e827850196 |
| SHA1 | 5be4d5f41b2bc287c0e290ad4d1d2eb6f7f144f4 |
| SHA256 | cce70ab6a080c6f710ea6e99f5f8e004c8b3d3767a849a97191071a9f49cb2d0 |
| SHA512 | 7791193e08570045fee156ec5865515864c2f5507f7ce8ecaa95da0cbc41ac3941833b5359c8b4ed6c77bbed7cfd1fa289182119e0fda772a924c9e46864e30b |
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK
| MD5 | a4be2107bca1260cdf6d3daf7e6a490d |
| SHA1 | 29692aea0fc96872f7a06aa3a59d237fd1fdb930 |
| SHA256 | 4fe4ccc33c8a191e7c1a315720c4bcf40d3e2f3346fcf2b7e1dc0dc4c32aca91 |
| SHA512 | 9a1d421088e88cd3a3e84365c0e970dc1a6b2cdf03e6aebc0d574908956da19107dc408174171369d661913305ae402cdc6995c31f03398147f9b35c187a283f |
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK
| MD5 | d61e620853f5c6b1a4840b82d9a0cdab |
| SHA1 | 9729f2101528369443f6dd782e6420fae3596497 |
| SHA256 | 50f2164bf9be6d6c881f8be6b00b16dc13a60a99d97b3f4d108fcbf407173d4e |
| SHA512 | 58b95604f8cbbab1ea50224161fa56c9ef3208e6fb720371e8796dd45e3f082fb3dee97d47e75d3c6f3dac949de97690afc84f594ebac56be46241b2ff59a193 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK
| MD5 | 679e097ed36b0dc3659de58136b84967 |
| SHA1 | 9fb92bedc98c03318c4d2e34ea98f554a1856d6e |
| SHA256 | 2ae7f9fca55db1fe65893c87adfcd90e996a4b8ceee195f7fa88518d1f3758fc |
| SHA512 | 8fb873811d68a4ed3915acbf8422e3d521278ba6d223b94b978c6b9fab6bb43c06ccad17527e4ed3399925b9cf57804906601f4341480eb4dd22815e095aeea5 |
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK
| MD5 | beecde5a2f3c85787478f21f0fb91a6c |
| SHA1 | c8ebc65d78746c58f1f5fcf87da2baed63c948fb |
| SHA256 | 8fb61fd91d97f91cc3a88e17e0f174095fb7f6ea426f09f17e2352baa08e9d8c |
| SHA512 | c78cf8c0edf501c52b90d5af571eabc1871855a056d71b1d705dd415e686719773a4b8692e63b9ee0a6bc310774e6193700e28dc5eb98696d154f3aa8a131835 |
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html
| MD5 | 56c83e67197423d78c596861e82493a3 |
| SHA1 | 0905d3a60afc6dcb442761479f0cb967fb3ab7b8 |
| SHA256 | 1441d28792036d4606b8a2a7a23bfcdbefe0dbe798f73fa195c0d6178ef11b1e |
| SHA512 | 4881a7e924892bb95c6500cafc320573099647fd1f80176d12902d0ce26f278f328a6a8eaf1cf18b99e98745887886b362f860076ebf94e93555a3c7ebfdf056 |
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html
| MD5 | 56c83e67197423d78c596861e82493a3 |
| SHA1 | 0905d3a60afc6dcb442761479f0cb967fb3ab7b8 |
| SHA256 | 1441d28792036d4606b8a2a7a23bfcdbefe0dbe798f73fa195c0d6178ef11b1e |
| SHA512 | 4881a7e924892bb95c6500cafc320573099647fd1f80176d12902d0ce26f278f328a6a8eaf1cf18b99e98745887886b362f860076ebf94e93555a3c7ebfdf056 |
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html
| MD5 | 56c83e67197423d78c596861e82493a3 |
| SHA1 | 0905d3a60afc6dcb442761479f0cb967fb3ab7b8 |
| SHA256 | 1441d28792036d4606b8a2a7a23bfcdbefe0dbe798f73fa195c0d6178ef11b1e |
| SHA512 | 4881a7e924892bb95c6500cafc320573099647fd1f80176d12902d0ce26f278f328a6a8eaf1cf18b99e98745887886b362f860076ebf94e93555a3c7ebfdf056 |
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK
| MD5 | fb8ff1fedccd2327ebc8fbe23d44f849 |
| SHA1 | fec6a40aa8a68979191a6c95f7e6515c935aa8b2 |
| SHA256 | 032559b1989cf073989863d94db6db1c0dc8a4657ea5a67fa2cab6eea9177835 |
| SHA512 | 4bfe6148f24447b29815b7b9694f0a20e6cf5f88d59c1c6a37266ba71bbde5a09b29babbaec62813a8ddb321eda1db61087ece472d83948fb3a2a40dfb316330 |
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK
| MD5 | 0e4074abd05950e4d4f1449708223be6 |
| SHA1 | d58f5f8353a408d58a77219c0e39f76ea453fdca |
| SHA256 | a332c9d8c239def7445d7c17a0d60be32dab1b5f99048290146f0ab685ee2c7a |
| SHA512 | 3e0d11218442a3697a9bf66d32eb4081ef9f9c51266e3bbb5333b38952f2227ca7e97766a964381c777bae6ce6eedf27c7b28660a6eeadc4e0ec3b573288a142 |
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK
| MD5 | 0484df538493a3612ce9614577c287a5 |
| SHA1 | 0e59b1cc1246b3cdca62c68ee76d080e02b55189 |
| SHA256 | 9dbf25f51e8da2ed89ab86df7019a99dca972515f75a25f85311844c07519c89 |
| SHA512 | 4dc6e8ca38db96f4dbe85e675897c52b092cb14d2d0d2196d371e966cbfa9fb3841d9e6f1020a88917f773a498408be0c16bf2916fcb83ce323fd18b3d27c9cc |
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK
| MD5 | 5a20673d3019dad1cb64d7caa59f19ab |
| SHA1 | 8f04e4eb3599ffab859fffd12d7cc4471953f020 |
| SHA256 | 460f7fe72c735f771264cc4fb51622f2b310a1cae5e847cf9bfaef9f738e7317 |
| SHA512 | c0f6e15b2842b22bb8bfb1b77f1adc8204c89f7472f519c4a80b303336b78231c66fbef1d8760b8da65603f4e660a67e6ca1a598c403d24bbc772b2177268e98 |
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK
| MD5 | 17750d32d782495791cedc7f0ad86745 |
| SHA1 | 164f29f55948214aac76d4f03baf0f1d0d6290f3 |
| SHA256 | 6f898514bdeb9b0916a48406cfae516b521fa2fac8c0f7d363909915a523d452 |
| SHA512 | 59c1ec876149fff183d16fb2af9efec6624a2ce249e6f28c97ff962fb24c7afce957ed0fc0e03682c9c6ac4ea4e8e544c0eef9dd1ff7346fba043472fc61fc6e |
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.RYK
| MD5 | e23b9140e202efd01ea3a4c91572ac2c |
| SHA1 | 97d00a148b63f647f3a38a434bf16fc90051773c |
| SHA256 | aa02ed6f0817a3acec9aa9259e0f080f53896ad6b575d8578c6e2fcf3b38e912 |
| SHA512 | 918bdc8bab1381545b0c884debd94a46398e46c8209e98549f2996785f11f99c9667c00eb8d7468980c72b65525831e0c7395ece447d6366da78c3bca8ab50e4 |
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
| MD5 | 849a8191de806b8ff8bdcac1a4b87ac7 |
| SHA1 | e52a64a2569f75bf4a7a1b5ea1bd00a41727383a |
| SHA256 | 3a4523b707a39adff87f8b7fdf9a6d37badd4cf5329b449648b372c0bfcd9b69 |
| SHA512 | 07cf6791ff78232aab28e864c094b3b47a1b83d3232c96c8f8638f7469d2d744503ed9fecfaa2ee0270a9025377806bbca56fac3271f620ee8dabfb67db690ba |
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.html
| MD5 | 56c83e67197423d78c596861e82493a3 |
| SHA1 | 0905d3a60afc6dcb442761479f0cb967fb3ab7b8 |
| SHA256 | 1441d28792036d4606b8a2a7a23bfcdbefe0dbe798f73fa195c0d6178ef11b1e |
| SHA512 | 4881a7e924892bb95c6500cafc320573099647fd1f80176d12902d0ce26f278f328a6a8eaf1cf18b99e98745887886b362f860076ebf94e93555a3c7ebfdf056 |
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
| MD5 | f56a9454ee2496394d034cd969c64416 |
| SHA1 | 1fd71414341c6d2d73d535b9119cac8aa0da0a58 |
| SHA256 | fbad2507319a51252536da71d16e6ad0fb1d1401935a9993d1f1a0d2282b0883 |
| SHA512 | 6095de7fa8719e95316b355cd544c65caeb4988c75282b0efe1b262b1f11c62404ee4c8f457ffdb1b4c1a2d9d0aefd25e83d3f29d00b1dd2f02870d84660c51e |
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab
| MD5 | 5ca0ce2fb437acd0d6c7b876bd70fccb |
| SHA1 | 34732fc081b17424a42f058f78620442609fcf78 |
| SHA256 | 9ed72980212ea7da31b6b82717daf7afa20eec3de6a9a8ef7c56e50f77b12e8f |
| SHA512 | ded007f2f11bed782add1b19a2c2e773b2ecaad554778a97e49176b1d83e1c21fec4ec7d568500eb69549fd572f3d8c478a4e9f30b4063c04b237597f7f67370 |
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html
| MD5 | 56c83e67197423d78c596861e82493a3 |
| SHA1 | 0905d3a60afc6dcb442761479f0cb967fb3ab7b8 |
| SHA256 | 1441d28792036d4606b8a2a7a23bfcdbefe0dbe798f73fa195c0d6178ef11b1e |
| SHA512 | 4881a7e924892bb95c6500cafc320573099647fd1f80176d12902d0ce26f278f328a6a8eaf1cf18b99e98745887886b362f860076ebf94e93555a3c7ebfdf056 |
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK
| MD5 | caeee4bf9a4f4195cfb69d13bd7ced99 |
| SHA1 | 49b8657fcf5f44275c18cc1fb79c7bcfafd804c4 |
| SHA256 | a30f67ffa3251dbeefc494f1af7e9e30698029cebfddf19a8f0576617d564013 |
| SHA512 | 3ef1cf57b9161d6be372fd54678b24386876423ba73a025b08607feaccad927fce861f54a91100a26b5e4c705e389cb42477f980e3bac1e303ca723742535b41 |
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK
| MD5 | 89499f255b22366701c79a08b92b6809 |
| SHA1 | 6f94e1bb5e23f35ef4d7e9659fac734fb194064c |
| SHA256 | abee43e420056aa09b0a516c80346deff49d7436235939938f6bbbcda65d8f0c |
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 04:23
Reported
2022-02-20 04:39
Platform
win10v2004-en-20220112
Max time kernel
185s
Max time network
204s
Command Line
Signatures
Ryuk
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GaXXfGGstrep.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MZVdYWAsnlan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EJrHskmnslan.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\MusNotifyIcon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\MusNotifyIcon.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4164" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132899819021377688" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.337836" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4312" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "1.335324" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4300" | C:\Windows\System32\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeSecurityPrivilege | N/A | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe
"C:\Users\Admin\AppData\Local\Temp\9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe"
C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
C:\Users\Admin\AppData\Local\Temp\GaXXfGGstrep.exe
"C:\Users\Admin\AppData\Local\Temp\GaXXfGGstrep.exe" 9 REP
C:\Users\Admin\AppData\Local\Temp\MZVdYWAsnlan.exe
"C:\Users\Admin\AppData\Local\Temp\MZVdYWAsnlan.exe" 8 LAN
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
C:\Users\Admin\AppData\Local\Temp\EJrHskmnslan.exe
"C:\Users\Admin\AppData\Local\Temp\EJrHskmnslan.exe" 8 LAN
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
Network
Files