Malware Analysis Report

2024-10-19 06:16

Sample ID 220220-f6kc1sabfp
Target 7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4
SHA256 7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4
Tags
ryuk discovery ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4

Threat Level: Known bad

The file 7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4 was found to be: Known bad.

Malicious Activity Summary

ryuk discovery ransomware

Ryuk

Deletes shadow copies

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Modifies file permissions

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-20 05:29

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-20 05:29

Reported

2022-02-20 06:17

Platform

win7-en-20211208

Max time kernel

171s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe"

Signatures

Ryuk

ransomware ryuk

Deletes shadow copies

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bpRnFes.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bpRnFes.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bpRnFes.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1388 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe C:\Users\Admin\AppData\Local\Temp\bpRnFes.exe
PID 1388 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe C:\Windows\SysWOW64\net.exe
PID 772 wrote to memory of 1372 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1388 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe C:\Windows\SysWOW64\net.exe
PID 1556 wrote to memory of 876 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1388 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe C:\Windows\SysWOW64\icacls.exe
PID 1388 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe C:\Windows\SysWOW64\icacls.exe
PID 1388 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe C:\Windows\SysWOW64\cmd.exe
PID 1316 wrote to memory of 1172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1388 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe C:\Windows\SysWOW64\net.exe
PID 2004 wrote to memory of 1628 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1100 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\bpRnFes.exe C:\Windows\SysWOW64\icacls.exe
PID 1100 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\bpRnFes.exe C:\Windows\SysWOW64\icacls.exe
PID 1100 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\bpRnFes.exe C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1100 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\bpRnFes.exe C:\Windows\SysWOW64\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe

"C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe"

C:\Users\Admin\AppData\Local\Temp\bpRnFes.exe

"C:\Users\Admin\AppData\Local\Temp\bpRnFes.exe" 8 LAN

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\icacls.exe

icacls "C:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\icacls.exe

icacls "D:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin.exe Delete Shadows /all /quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\icacls.exe

icacls "C:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\icacls.exe

icacls "D:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin.exe Delete Shadows /all /quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

Network

Country Destination Domain Proto
N/A 10.127.0.1:7 udp
NL 154.61.71.51:7 udp
N/A 224.0.0.22:7 udp
N/A 224.0.0.252:7 udp
N/A 239.255.255.250:7 udp

Files

memory/1388-54-0x0000000076421000-0x0000000076423000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bpRnFes.exe
\Users\Admin\AppData\Local\Temp\bpRnFes.exe
C:\Users\Admin\AppData\Local\RyukReadMe.html
C:\Users\Admin\AppData\Local\Temp\Low\RyukReadMe.html
C:\Users\Admin\AppData\Local\Temp\jusched.log.RYK
C:\Users\Admin\AppData\Local\Temp\java_install_reg.log
C:\Users\Admin\AppData\Local\Temp\java_install.log.RYK
C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log.RYK
C:\Users\Admin\AppData\Local\Temp\RGID605.tmp-tmp.RYK
C:\Users\Admin\AppData\Local\Temp\RGID605.tmp.RYK
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
C:\Users\Admin\AppData\Local\Temp\wmsetup.log.RYK
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e
C:\RyukReadMe.html
C:\Users\RyukReadMe.html
C:\Users\Admin\AppData\Local\Adobe\Color\ACECache10.lst.RYK
C:\Users\Admin\AppData\Local\Adobe\RyukReadMe.html
C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html
C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.html
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
C:\Users\Admin\AppData\Local\Google\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Feeds\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\PlayReady\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Office\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Media Player\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb.RYK
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.RYK
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak.RYK
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK

C:\Users\Admin\AppData\Local\Microsoft\Credentials\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\IconCache.db.RYK

MD5 98c5a4529b05bea05177ef4e8cf5416b
SHA1 06a91cb5f7df047ab264d7e4969a0e7fca74484e
SHA256 b26e65750e886e4e155f7d67bfed6e89761a8a9f187060b3ca20a9f0d7285a69
SHA512 a66c8f90cef339afc4eaa53e8a55e3a4610e94b699cc096dc25542952c9830abd52a1b90f4e1abd6391fa581bf62ae29ba7ac893f5303e8b677ed641f7f3bf8e

C:\Users\Admin\AppData\Local\Microsoft\Windows\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI37AD.txt

MD5 571a0080a1d2417b299b090e67712c74
SHA1 9e149b522e2b35d521511c51b1bfa8ba4d6d51d2
SHA256 09e91c9df7251e420a6e2c79dbe323c4cb76e743a9ede1b493d4e04729757a9c
SHA512 10130cdbbcdaf873b8aee45ddf350ba19c1dbc915ce58a6be0185472fbbc9ac7599837e388528b6de65593d098206d204787b8b1bab916984397828981056d6f

C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt

MD5 ea5d4ad45066105c22808ad4546ebfe0
SHA1 cfbaea604e5813d5e5785bca12764687fe8f0074
SHA256 75becb44f7e2d3fba7b43a3b5e5a1aa0ecf9af52ba154d7993c23e33bfabc1f0
SHA512 3089f083a2ab622e80c897b2f14c636222c5112a9d09ab1626f1e408593201d1afcdf9e975798401eec29e6fc091974d035398a008c3ea59831c7dfbed413fef

C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

MD5 6e98b51a31e41b2426c582281ee102cb
SHA1 a174db31fc1864cb8c855de3edc47c9a7efb592d
SHA256 39a227a534e359964d2d9dc9860646b612eaeb7cdd8a195720a67adcf00f5229
SHA512 6a7b0155250ffc437ce6b262a7addcc688ed4ba56e7f781b89134dc539c7560683b004260e1c7c0b5bc628bbb99903d836b12544423c0607718d5a2a2783f701

C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001.log

MD5 593aed88d7a712cdd46181c36a0c07f6
SHA1 906d1a5c5c3f0db39996e279035cc343b68197f5
SHA256 f5c29ab15ce0a47ef39b6787b0c34240869f94ce24dd62669cb185239efa846e
SHA512 792b2ba56a03e941da92869ba65764364ec0c3490c52f3e52406eb22f1c9d5dbd0a422f0d3990546e519be333da7989f4477ffd50af0294847ad7a339a37bacb

C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00000.log

MD5 8d4c36b9d68fd2b4e9849d40d7e3cdc1
SHA1 dab23198d3c9740630d8fc6ae952c80c71539b0c
SHA256 1eee0a4983cdf27092e69a4784126d1f6ac3ddc4664695e80e7a5629a0f70e45
SHA512 6ff03dc7ebf7e8383f99f2807bff57730fe0dc3a5300e94ef692aa39c72ca20ec3d781a3574c642e307f48bb13945e598adc14438e92a4f62b8fd1a6b3908a53

C:\Users\Admin\AppData\Local\Temp\Admin.bmp.RYK

MD5 b604bd96e0a719276e622450b432a177
SHA1 e05139bab77dce79b34623506ad9b6f4c87d3199
SHA256 32d3177485bdb8a00fc9e559a7e8017756bd3087a84061f692985f9e69a1525b
SHA512 bc6395b298aefd94045a7d57dda8d5367c578b7150c4dad89e22785782039b083aaaccf2dc3b831361f8cdd64699b656afb32cabbe20ebf7eb37d70e55b7725a

C:\Users\Admin\AppData\Local\Temp\lpksetup-20211208-153457-0.log.RYK

MD5 4eacf09ecc69d2218323affb1b1eb5e1
SHA1 ef222e830b78661e59d9d02cf7d61d611876a578
SHA256 8ba0dd1c708a16b7cb24abbb0f5f5d2fe10d636359bc2a014b23a016379b8c59
SHA512 f012d88a23610d6c229d6c2f07b708fce3cdbf7a02ba36de1bdf92e6655f56e97f2f8606a172febaf45fdfa98a7cf1b26b86ec39db944892d89987176a3096bb

C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Temp\WPDNSE\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Temp\SetupExe(20211208152740AA4).log.RYK

MD5 7bad0e7744a7051251edb8a83f1f3b6d
SHA1 f1a5a4036ba696e2f23997df62d84d6a0465f796
SHA256 8204e54f3e436d05027d4f0594f4521cb87ef946c4f02ab0d3812a8b35f1d3fe
SHA512 08afc2ed3ee5b7c51139da7e0fdb13a4636c1d48d2b216a177a128860ccf05b83956f57fe9643aed218f663b95c68459c593658b0250a89dc41e4ac675eac4a0

C:\Users\Admin\AppData\Local\Temp\lpksetup-20211208-154432-0.log.RYK

MD5 8d6dda4acfd16e435531488c4e413e10
SHA1 b3b9bcab9e06060875ce46ba9e8144b5c7aa8d6c
SHA256 8022c6c661e04af758535a1e8e6e14cd53f7df54f50440df8dcd1333789cd5f3
SHA512 82b40886a19d78791f8e202cd9ffecfdd0b928afe180a175d91f48daa2b2397e211d5e910e6aa093be5dbf8a0110d9040cee92eba699c0494ddd58e01e93b96b

C:\Users\Admin\AppData\Local\Temp\lpksetup-20211208-154117-0.log.RYK

MD5 f3a8708b9d341f04e174f6f693ef3987
SHA1 3488a5423fef143f8691b7759d2ff9a089b40615
SHA256 e350c718b8f187254996aeaaaaf26ac0de575904cf3738624ee2b6cfbfa25136
SHA512 55cb01e008b40ed29f2675571b184e181389e702a58563fee8f4466bc0342502729a724ae82b6cf69711b304fd5e6516d074ce164ea302a7245f5431d9ff8d9b

C:\Users\Admin\AppData\Local\Temp\lpksetup-20211208-153819-0.log.RYK

MD5 c43e9c864ecaf269f259e57b5af53a9c
SHA1 9b5fd2e870a15e3d5462afc2c385d6deca280849
SHA256 90815396beb93ad27879cccfe890a04faecbb0b3b3c4584f089c08891f3bc96a
SHA512 ae56125bba9721307f99f7a93ea6ae39da6fb7d4e82cbfc7f64aab0b6f6b5ce0d44522076ac5c60ab3138ec5999e1ff54f70b36c33e231293f91cd54ae4ea17b

memory/1100-120-0x000000000E130000-0x000000000EBEA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-20 05:29

Reported

2022-02-20 06:17

Platform

win10v2004-en-20220113

Max time kernel

192s

Max time network

227s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe"

Signatures

Ryuk

ransomware ryuk

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lrZYmvq.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\lrZYmvq.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lrZYmvq.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1340 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe C:\Users\Admin\AppData\Local\Temp\lrZYmvq.exe
PID 1340 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe C:\Windows\SysWOW64\net.exe
PID 4576 wrote to memory of 3344 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1340 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe C:\Windows\SysWOW64\net.exe
PID 1580 wrote to memory of 2044 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1340 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe C:\Windows\SysWOW64\icacls.exe
PID 4256 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\lrZYmvq.exe C:\Windows\SysWOW64\icacls.exe
PID 4256 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\lrZYmvq.exe C:\Windows\SysWOW64\icacls.exe
PID 1340 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe C:\Windows\SysWOW64\icacls.exe
PID 4256 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\lrZYmvq.exe C:\Windows\SysWOW64\cmd.exe
PID 1340 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe C:\Windows\SysWOW64\cmd.exe
PID 1340 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe C:\Windows\SysWOW64\net.exe
PID 2152 wrote to memory of 4452 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1340 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe C:\Windows\SysWOW64\net.exe
PID 1340 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe C:\Windows\SysWOW64\net.exe
PID 1340 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe C:\Windows\SysWOW64\net.exe
PID 4256 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\lrZYmvq.exe C:\Windows\SysWOW64\net.exe
PID 4256 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\lrZYmvq.exe C:\Windows\SysWOW64\net.exe
PID 4108 wrote to memory of 1608 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1532 wrote to memory of 2004 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4760 wrote to memory of 1980 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3188 wrote to memory of 1048 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe

"C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe"

C:\Users\Admin\AppData\Local\Temp\lrZYmvq.exe

"C:\Users\Admin\AppData\Local\Temp\lrZYmvq.exe" 8 LAN

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\icacls.exe

icacls "C:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\icacls.exe

icacls "C:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\icacls.exe

icacls "D:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\icacls.exe

icacls "D:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin.exe Delete Shadows /all /quiet

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin.exe Delete Shadows /all /quiet

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

Network

Country Destination Domain Proto
N/A 10.127.0.1:7 udp
NL 154.61.71.51:7 udp
N/A 224.0.0.22:7 udp
N/A 224.0.0.251:7 udp
N/A 224.0.0.252:7 udp
N/A 239.255.255.250:7 udp

Files


MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Microsoft\input\bn-BD\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Microsoft\input\bg-BG\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Microsoft\input\az-Latn-AZ\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Microsoft\input\ar-YE\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Microsoft\input\ar-TN\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Microsoft\input\ar-SY\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Microsoft\input\ar-SA\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Microsoft\input\ar-QA\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Microsoft\input\ar-OM\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Microsoft\input\ar-MA\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Microsoft\input\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Microsoft\input\ar-LY\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Microsoft\input\ar-LB\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Microsoft\input\ar-KW\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Microsoft\input\ar-JO\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Microsoft\input\ar-IQ\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Microsoft\input\ar-EG\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Microsoft\input\ar-DZ\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Microsoft\input\ar-BH\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Microsoft\input\af-ZA\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Microsoft\GameDVR\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Microsoft\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\RyukReadMe.html

MD5 51b608055d70f58fd8b19a75dd21856a
SHA1 5ca8da66d460c9c4cc6886cd255f603d45f87d10
SHA256 6b8a72627d2eff4de9261d77334d9ec29ca1165b0bfe46ca8a6a63d2f57d14b7
SHA512 f7bef0a90e5aed9a39fc9b52bf41f75498f03041ad424fb668b29ff07d426cbef014c307ae0a725089da7df7f973de2ae17b28bef12d492f2c3b5497a36c3aac