Analysis Overview
SHA256
7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4
Threat Level: Known bad
The file 7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4 was found to be: Known bad.
Malicious Activity Summary
Ryuk
Deletes shadow copies
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Modifies file permissions
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Interacts with shadow copies
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-20 05:29
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 05:29
Reported
2022-02-20 06:17
Platform
win7-en-20211208
Max time kernel
171s
Max time network
158s
Command Line
Signatures
Ryuk
Deletes shadow copies
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bpRnFes.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bpRnFes.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
"C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe"
C:\Users\Admin\AppData\Local\Temp\bpRnFes.exe
"C:\Users\Admin\AppData\Local\Temp\bpRnFes.exe" 8 LAN
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin.exe Delete Shadows /all /quiet
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin.exe Delete Shadows /all /quiet
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.0.1:7 | | udp |
| NL | 154.61.71.51:7 | | udp |
| N/A | 224.0.0.22:7 | | udp |
| N/A | 224.0.0.252:7 | | udp |
| N/A | 239.255.255.250:7 | | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 05:29
Reported
2022-02-20 06:17
Platform
win10v2004-en-20220113
Max time kernel
192s
Max time network
227s
Command Line
Signatures
Ryuk
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lrZYmvq.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\lrZYmvq.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\lrZYmvq.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
"C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe"
C:\Users\Admin\AppData\Local\Temp\lrZYmvq.exe
"C:\Users\Admin\AppData\Local\Temp\lrZYmvq.exe" 8 LAN
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin.exe Delete Shadows /all /quiet
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin.exe Delete Shadows /all /quiet
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.0.1:7 | | udp |
| NL | 154.61.71.51:7 | | udp |
| N/A | 224.0.0.22:7 | | udp |
| N/A | 224.0.0.251:7 | | udp |
| N/A | 224.0.0.252:7 | | udp |
| N/A | 239.255.255.250:7 | | udp |
Files
C:\Users\Admin\AppData\Local\Temp\lrZYmvq.exe
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_e269d2c1-0edf-4391-ac7b-818b8e88b04f
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
C:\Users\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc
C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
C:\Users\Admin\AppData\Local\Comms\RyukReadMe.html
C:\Users\Admin\AppData\Local\Adobe\RyukReadMe.html
C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html
C:\Users\Admin\3D Objects\RyukReadMe.html
C:\Users\Admin\.oracle_jre_usage\RyukReadMe.html
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jcp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Edge\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Credentials\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\RyukReadMe.html
C:\Users\Admin\AppData\Local\Google\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\README.RYK
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Feeds\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\input\ar-AE\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\input\de-DE\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\input\de-CH\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\input\de-AT\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\input\da-DK\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\input\de-LI\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\input\cs-CZ\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\input\ca-ES\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\input\bn-BD\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\input\bg-BG\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\input\az-Latn-AZ\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\input\ar-YE\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\input\ar-TN\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\input\ar-SY\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\input\ar-SA\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\input\ar-QA\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\input\ar-OM\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\input\ar-MA\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\input\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\input\ar-LY\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\input\ar-LB\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\input\ar-KW\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\input\ar-JO\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\input\ar-IQ\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\input\ar-EG\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\input\ar-DZ\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\input\ar-BH\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\input\af-ZA\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\GameDVR\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\RyukReadMe.html