Analysis Overview
SHA256
7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab
Threat Level: Known bad
The file 7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab was found to be: Known bad.
Malicious Activity Summary
Ryuk
Deletes shadow copies
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Checks computer location settings
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Interacts with shadow copies
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-20 05:29
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 05:29
Reported
2022-02-20 05:57
Platform
win7-en-20211208
Max time kernel
166s
Max time network
113s
Command Line
Signatures
Ryuk
Deletes shadow copies
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HlcPadDIxlan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hfZhdHvkMlan.exe | N/A |
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\HlcPadDIxlan.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hfZhdHvkMlan.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe
"C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe"
C:\Users\Admin\AppData\Local\Temp\HlcPadDIxlan.exe
"C:\Users\Admin\AppData\Local\Temp\HlcPadDIxlan.exe" 8 LAN
C:\Users\Admin\AppData\Local\Temp\hfZhdHvkMlan.exe
"C:\Users\Admin\AppData\Local\Temp\hfZhdHvkMlan.exe" 8 LAN
C:\Windows\SysWOW64\cmd.exe
cmd /c "vssadmin.exe Delete Shadows /all /quiet"
C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delete"
C:\Windows\SysWOW64\cmd.exe
cmd /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
C:\Windows\SysWOW64\cmd.exe
cmd /c "bootstatuspolicy ignoreallfailures"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delete
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.0.1:7 | | udp |
| N/A | 10.127.0.1:7 | | udp |
| NL | 154.61.71.13:7 | | udp |
| NL | 154.61.71.13:7 | | udp |
| N/A | 224.0.0.22:7 | | udp |
| N/A | 224.0.0.22:7 | | udp |
| N/A | 224.0.0.252:7 | | udp |
| N/A | 224.0.0.252:7 | | udp |
| N/A | 239.255.255.250:7 | | udp |
| N/A | 239.255.255.250:7 | | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 05:29
Reported
2022-02-20 05:57
Platform
win10v2004-en-20220112
Max time kernel
170s
Max time network
184s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RasgMWNaGlan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fxhrazOTClan.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe
"C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe"
C:\Users\Admin\AppData\Local\Temp\RasgMWNaGlan.exe
"C:\Users\Admin\AppData\Local\Temp\RasgMWNaGlan.exe" 8 LAN
C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
C:\Users\Admin\AppData\Local\Temp\fxhrazOTClan.exe
"C:\Users\Admin\AppData\Local\Temp\fxhrazOTClan.exe" 8 LAN
C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delete"
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | | tcp |
| NL | 92.123.77.56:80 | | tcp |
| NL | 92.123.77.56:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.80.224.57:443 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| FR | 2.16.119.157:443 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RasgMWNaGlan.exe
| MD5 | cb5081d3b8af578c247dab9bd5e16841 |
| SHA1 | b4870d7b1f6a9f531259efc74a9468d8a045d8f0 |
| SHA256 | 7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab |
| SHA512 | 5bd6e7f2e04abb6d1d5f640730f7d60c1f202b6440e0888bba15708b4b88acb669a138aaf31d5782ce6409ab74970614970cda99dde1ef757299a4f61b257f28 |
C:\Users\Admin\AppData\Local\Temp\fxhrazOTClan.exe
| MD5 | cb5081d3b8af578c247dab9bd5e16841 |
| SHA1 | b4870d7b1f6a9f531259efc74a9468d8a045d8f0 |
| SHA256 | 7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab |
| SHA512 | 5bd6e7f2e04abb6d1d5f640730f7d60c1f202b6440e0888bba15708b4b88acb669a138aaf31d5782ce6409ab74970614970cda99dde1ef757299a4f61b257f28 |