ryuk | 84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3

Analysis

max time kernel
160s
max time network
141s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
Size

193KB
MD5

21256f1e6fef12bb963fff955d5f4531
SHA1

45f2ba25a028bb4756e37b810b96a32bb359b339
SHA256

84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3
SHA512

835b80e9d9db3aac6d670dde804c9caf999dd915086f1b3e037a60b572c6d6c1dc5261ee921851dbf50651be5e2eada75614be34c4e25b30e7dddd731fee1587

Score

10^/10

ryuk discovery persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

ZNGJIOO.exe

pid process

468 ZNGJIOO.exe

pid	process
468	ZNGJIOO.exe

Loads dropped DLL 2 IoCs

Processes:

84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe

pid	process
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exe

pid process

824 icacls.exe
360 icacls.exe
1396 icacls.exe
1012 icacls.exe

pid	process
824	icacls.exe
360	icacls.exe
1396	icacls.exe
1012	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ZNGJIOO.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

992 vssadmin.exe
1648 vssadmin.exe
Runs net.exe

pid	process
992	vssadmin.exe
1648	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exeZNGJIOO.exe

pid	process
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
468	ZNGJIOO.exe
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
468	ZNGJIOO.exe
468	ZNGJIOO.exe
468	ZNGJIOO.exe
468	ZNGJIOO.exe
468	ZNGJIOO.exe
468	ZNGJIOO.exe
468	ZNGJIOO.exe
468	ZNGJIOO.exe
468	ZNGJIOO.exe
468	ZNGJIOO.exe
468	ZNGJIOO.exe
468	ZNGJIOO.exe
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
468	ZNGJIOO.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exeZNGJIOO.exevssvc.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
Token: SeBackupPrivilege	468	ZNGJIOO.exe
Token: SeBackupPrivilege	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
Token: SeBackupPrivilege	2244	vssvc.exe
Token: SeRestorePrivilege	2244	vssvc.exe
Token: SeAuditPrivilege	2244	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1624	WMIC.exe
Token: SeSecurityPrivilege	1624	WMIC.exe
Token: SeTakeOwnershipPrivilege	1624	WMIC.exe
Token: SeLoadDriverPrivilege	1624	WMIC.exe
Token: SeSystemProfilePrivilege	1624	WMIC.exe
Token: SeSystemtimePrivilege	1624	WMIC.exe
Token: SeProfSingleProcessPrivilege	1624	WMIC.exe
Token: SeIncBasePriorityPrivilege	1624	WMIC.exe
Token: SeCreatePagefilePrivilege	1624	WMIC.exe
Token: SeBackupPrivilege	1624	WMIC.exe
Token: SeRestorePrivilege	1624	WMIC.exe
Token: SeShutdownPrivilege	1624	WMIC.exe
Token: SeDebugPrivilege	1624	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1624	WMIC.exe
Token: SeRemoteShutdownPrivilege	1624	WMIC.exe
Token: SeUndockPrivilege	1624	WMIC.exe
Token: SeManageVolumePrivilege	1624	WMIC.exe
Token: 33	1624	WMIC.exe
Token: 34	1624	WMIC.exe
Token: 35	1624	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1824	WMIC.exe
Token: SeSecurityPrivilege	1824	WMIC.exe
Token: SeTakeOwnershipPrivilege	1824	WMIC.exe
Token: SeLoadDriverPrivilege	1824	WMIC.exe
Token: SeSystemProfilePrivilege	1824	WMIC.exe
Token: SeSystemtimePrivilege	1824	WMIC.exe
Token: SeProfSingleProcessPrivilege	1824	WMIC.exe
Token: SeIncBasePriorityPrivilege	1824	WMIC.exe
Token: SeCreatePagefilePrivilege	1824	WMIC.exe
Token: SeBackupPrivilege	1824	WMIC.exe
Token: SeRestorePrivilege	1824	WMIC.exe
Token: SeShutdownPrivilege	1824	WMIC.exe
Token: SeDebugPrivilege	1824	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1824	WMIC.exe
Token: SeRemoteShutdownPrivilege	1824	WMIC.exe
Token: SeUndockPrivilege	1824	WMIC.exe
Token: SeManageVolumePrivilege	1824	WMIC.exe
Token: 33	1824	WMIC.exe
Token: 34	1824	WMIC.exe
Token: 35	1824	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1624	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1824	WMIC.exe
Token: SeSecurityPrivilege	1824	WMIC.exe
Token: SeTakeOwnershipPrivilege	1824	WMIC.exe
Token: SeSecurityPrivilege	1624	WMIC.exe
Token: SeLoadDriverPrivilege	1824	WMIC.exe
Token: SeTakeOwnershipPrivilege	1624	WMIC.exe
Token: SeSystemProfilePrivilege	1824	WMIC.exe
Token: SeLoadDriverPrivilege	1624	WMIC.exe
Token: SeSystemtimePrivilege	1824	WMIC.exe
Token: SeSystemProfilePrivilege	1624	WMIC.exe
Token: SeProfSingleProcessPrivilege	1824	WMIC.exe
Token: SeSystemtimePrivilege	1624	WMIC.exe
Token: SeIncBasePriorityPrivilege	1824	WMIC.exe
Token: SeProfSingleProcessPrivilege	1624	WMIC.exe
Token: SeCreatePagefilePrivilege	1824	WMIC.exe
Token: SeIncBasePriorityPrivilege	1624	WMIC.exe
Token: SeBackupPrivilege	1824	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exeZNGJIOO.execmd.exe

description	pid	process	target process
PID 1528 wrote to memory of 468	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	ZNGJIOO.exe
PID 1528 wrote to memory of 468	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	ZNGJIOO.exe
PID 1528 wrote to memory of 468	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	ZNGJIOO.exe
PID 1528 wrote to memory of 468	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	ZNGJIOO.exe
PID 1528 wrote to memory of 1116	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	taskhost.exe
PID 1528 wrote to memory of 1168	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	Dwm.exe
PID 1528 wrote to memory of 564	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	net.exe
PID 1528 wrote to memory of 564	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	net.exe
PID 1528 wrote to memory of 564	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	net.exe
PID 1528 wrote to memory of 564	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	net.exe
PID 468 wrote to memory of 360	468	ZNGJIOO.exe	icacls.exe
PID 468 wrote to memory of 360	468	ZNGJIOO.exe	icacls.exe
PID 468 wrote to memory of 360	468	ZNGJIOO.exe	icacls.exe
PID 468 wrote to memory of 360	468	ZNGJIOO.exe	icacls.exe
PID 468 wrote to memory of 1396	468	ZNGJIOO.exe	icacls.exe
PID 468 wrote to memory of 1396	468	ZNGJIOO.exe	icacls.exe
PID 468 wrote to memory of 1396	468	ZNGJIOO.exe	icacls.exe
PID 468 wrote to memory of 1396	468	ZNGJIOO.exe	icacls.exe
PID 1528 wrote to memory of 824	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	icacls.exe
PID 1528 wrote to memory of 824	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	icacls.exe
PID 1528 wrote to memory of 824	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	icacls.exe
PID 1528 wrote to memory of 824	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	icacls.exe
PID 1528 wrote to memory of 1012	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	icacls.exe
PID 1528 wrote to memory of 1012	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	icacls.exe
PID 1528 wrote to memory of 1012	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	icacls.exe
PID 1528 wrote to memory of 1012	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	icacls.exe
PID 1528 wrote to memory of 1660	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	net.exe
PID 1528 wrote to memory of 1660	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	net.exe
PID 1528 wrote to memory of 1660	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	net.exe
PID 1528 wrote to memory of 1660	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	net.exe
PID 468 wrote to memory of 1352	468	ZNGJIOO.exe	cmd.exe
PID 468 wrote to memory of 1352	468	ZNGJIOO.exe	cmd.exe
PID 468 wrote to memory of 1352	468	ZNGJIOO.exe	cmd.exe
PID 468 wrote to memory of 1352	468	ZNGJIOO.exe	cmd.exe
PID 1528 wrote to memory of 1180	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	cmd.exe
PID 1528 wrote to memory of 1180	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	cmd.exe
PID 1528 wrote to memory of 1180	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	cmd.exe
PID 1528 wrote to memory of 1180	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	cmd.exe
PID 468 wrote to memory of 1648	468	ZNGJIOO.exe	vssadmin.exe
PID 468 wrote to memory of 1648	468	ZNGJIOO.exe	vssadmin.exe
PID 468 wrote to memory of 1648	468	ZNGJIOO.exe	vssadmin.exe
PID 468 wrote to memory of 1648	468	ZNGJIOO.exe	vssadmin.exe
PID 1528 wrote to memory of 992	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	vssadmin.exe
PID 1528 wrote to memory of 992	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	vssadmin.exe
PID 1528 wrote to memory of 992	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	vssadmin.exe
PID 1528 wrote to memory of 992	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	vssadmin.exe
PID 1528 wrote to memory of 112	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	net.exe
PID 1528 wrote to memory of 112	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	net.exe
PID 1528 wrote to memory of 112	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	net.exe
PID 1528 wrote to memory of 112	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	net.exe
PID 1528 wrote to memory of 2024	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	cmd.exe
PID 1528 wrote to memory of 2024	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	cmd.exe
PID 1528 wrote to memory of 2024	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	cmd.exe
PID 1528 wrote to memory of 2024	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	cmd.exe
PID 468 wrote to memory of 1796	468	ZNGJIOO.exe	net.exe
PID 468 wrote to memory of 1796	468	ZNGJIOO.exe	net.exe
PID 468 wrote to memory of 1796	468	ZNGJIOO.exe	net.exe
PID 468 wrote to memory of 1796	468	ZNGJIOO.exe	net.exe
PID 1528 wrote to memory of 1300	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	net.exe
PID 1528 wrote to memory of 1300	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	net.exe
PID 1528 wrote to memory of 1300	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	net.exe
PID 1528 wrote to memory of 1300	1528	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	net.exe
PID 2024 wrote to memory of 2104	2024	cmd.exe	reg.exe
PID 2024 wrote to memory of 2104	2024	cmd.exe	reg.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
"C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe
  "C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:360
- - C:\Windows\SysWOW64\icacls.exe
    icacls "D:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1396
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "WMIC.exe shadowcopy delet"
    3⤵
    PID:1352
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC.exe shadowcopy delet
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1824
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1648
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    PID:1796
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:2120
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:2172
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe" /f /reg:64
    3⤵
    PID:3284
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe" /f /reg:64
      4⤵
      Adds Run key to start application
      PID:3312
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:36708
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:1520
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:564
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2144
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:824
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1660
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2128
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "WMIC.exe shadowcopy delet"
  2⤵
  PID:1180
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC.exe shadowcopy delet
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:992
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:112
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2136
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe" /f /reg:64
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:2104
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1300
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2152
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:18584
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:18612
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:27452
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:27168
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:36840
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1828
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:2700
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2676

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK

MD5
7b3aae5602792542fd5c44490fac61db

SHA1
ef87ea71b8988597c2a4edb3bb484cdef62d5b09

SHA256
9b8aabb9393ac19706f42581332df27cc6573baad7c063564df058998d61c22f

SHA512
ef066fd56e7951f52c16adae502916620c81180a5d12930816b06de91b6ea43c219a88ace70b5421a34873c2fc9de967d571a14f83de973eec91dd5b6bd9dfdc

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\ACECache10.lst.RYK

MD5
1cab0f8287dfda4eec296fd36d0bede7

SHA1
be767d9c6718ab1d0be24138e8aab100d0af4df7

SHA256
a74d00bb5371da3ecb991d01be2ce4017c1078be2eaacbb97fa246002c236fb9

SHA512
16500d637102d0de0d0278ad8ce0aa534b663976453fd2ce4c88182ae18f5f99be06500ff5eb876f919b8423838355f46db5eb0c738f5d18fe3413c80bd1d8ea

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

MD5
732dcb1e802d76e40a1388fae11d2e4f

SHA1
17066592c389b5b20c7f587c78d71f0a9cb6edf5

SHA256
ec08a20e3b9cbdc5bce26aa163e225b0e94a0415e468fa092790685f4b516af5

SHA512
5aa8083d388b95b62fbb8075bf8305f733d795dd497c987c20c39ff64d804773b76405ec558a617631b9ee2176faf147cf5afee19e7600307381bf3608dbddd2

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

MD5
4ebfdeaa6c0cca37959cca483e3123d8

SHA1
2bcd5987b2edb56ff3a6ef860af6fb91e585443c

SHA256
3f0e907eb20a4501459b787c7fa5756d119c6529da9745c1f750b0361d572c97

SHA512
ed9815dcf93c0ca1e9ee7382919624b5a8a8cfa4eb9214876faf397c783e939d8d9a1b04e6ebf5df41095e4944e3877ff666dc4d23a4d9262714ce1c2492b364

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Adobe\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Google\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\IconCache.db.RYK

MD5
8fcfb688caebd63840228ce98386386a

SHA1
e161ee79d1952c3f07f9c8122187996cf8e5bb5c

SHA256
9301ebff479c679e08d93101c33fd1947bec0ffa665adfe5d349fa3674817d64

SHA512
b8e0d82ddbc0629c6a3a109d4126535859ad752d4dc704a69b3451058955707487da48c2125bf6efe92476de16667b81e58d8fb12223a44bcb38a25e2a7f5ffa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Credentials\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK

MD5
5bc6812fd5866b9b063987aa4e8cb5cb

SHA1
761f8aac1d5eaa88b501a51d75235021c82fb2fe

SHA256
d87a2e2092c99342fc05ebe27707a3ecb75c7ff24a41dc95cb187b840ab5e06d

SHA512
20e695bdef6471b15008cdf6c90902ab72b695e0f25223273748662cb9d8091590c54e652caba520ac5a9256d9be8f582f401861cf84d0b842bd0877d745f232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak.RYK

MD5
a6fb9b332f0232ac79ea6e66676b7328

SHA1
8e46129ba1268097fcbd9e3b96a41db5ab7b8b50

SHA256
c196d5680f7836a08656aacf116758e094ab13d71038aeb4a52e9d8e8112c7de

SHA512
08a1002e8234f5188fe0eb849fe03b520299ce0fde0d7ef80f4c92e7cb2dc8fb5b838626f287b3d61a896007328526bb938852170111ab062850ebd410c4c85e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.RYK

MD5
57432725a840ea545febd5d67e1ae422

SHA1
5c9c0f3a3799b255b0126ee2e3c09efaeb85439d

SHA256
9d9eecd7c0671e3dd334d0d0724935210cf48deed4f53665d1a756be959a9ef5

SHA512
b4e9c2fa8023294090ffb108a420036ba1f65b4ae1201789073ebd08c53dfcbf911f7ede7332edcad9afc31bf409a88629c893173ca7f91f2af4638e7ac42677

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb.RYK

MD5
34e2d3ade33e04fe97e1850f6d5bfa68

SHA1
6182aa1b67d4a8129891246bf63acbf051009669

SHA256
4654c55a1deb34e07d8c51bbf25487c9ec69f527b6e11b98d8ca3a59ceeec3f0

SHA512
3a900d7cabfd11ad12c3200a9b032b7dffda72675cbc4a2b7b20e3a04b621aeca3f30f9a169dd6f96dbf64d800df8f95005eaa97a72d7595914e8734405b75f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PlayReady\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.MSMessageStore

MD5
59888cde8927e0c3b3d44af2333887fb

SHA1
da3ae66ec6b161ad6a9298a2446d8854cb85e17e

SHA256
4b5e0d2b400d70656ed53116d5a6c59181fedeebd4146dcae21359aa33a4ac47

SHA512
9eb833dbba1711aac45b60de937fde711bea47cdfe6f43dcc37f52422b3bc02690773ffa5f799d9b6dcb8322e2abd4186cffe7f60c197f9037a0eefdb36bc2a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.pat.RYK

MD5
a462a5c03840b7d96593d7c8b8b03573

SHA1
0ed2b4feb883732d3643d578737a60188a3a95dd

SHA256
6a9bc4f308223d57c96085a41a8aa7c66492e60e2b3c9b219f29fe192cf5d271

SHA512
3e2134239afc7f6a325baa766eba54ebe8809d1094766907e176b0709a3136c0601e3d546b0a45f684e7d92a2d5b08b8921c415abc53440baacb6dd4aeaafc08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\edb00001.log.RYK

MD5
3c8329c5a3d0a4ca37f95349b1dff086

SHA1
a8fa8697730cb8a3e02e11d09061a7a988d68207

SHA256
d4c66bccbb7bea38321b44a536e09fb092849ce82424babc959f973408013994

SHA512
e41abf6fdfd13398853f58d3d41b5f0d17156a5b7b597a738885c37286f43a2a52c01723811586446a87521e2938748a80868e391a436f56598f978b7d103064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.htm.RYK

MD5
51241e9e090e3579962709a406a7b499

SHA1
5312612a199f8e78088b4efed2208c38a59fa92c

SHA256
fee5dfc69dbef8712467f0ae20509c53af1eac2738734d5d86fa9231f5c83bbd

SHA512
7321f6eb030d4766dc1c0b77b18295efbc46a4c7d44ee9f3eaa53e36ab40b400ac8f305656da8bbcfcd17c313b602db71190b7e1b1fd45cf974ddcf77459722f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg.RYK

MD5
9877c39093a36de24e75db223a5d842c

SHA1
1ab4483ccffc94b740db88e5f9758e8867b1f13b

SHA256
3319aebe728737b88dcd0c35595022b9821d995e11dca1c12c0fa40bc08698b1

SHA512
8aafd79722fdd65bcb39cd2a1641af68fdc77a2382245c49b51daa5beaddf3babd95b8ff9b32cc74efdd9481c03d1428bed9c2debd4c6ed74e00277ff555f3a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg.RYK

MD5
17edb49a780dcf16ce14626766b6303a

SHA1
06260c37877c7b134cf23a70b72afd6a28e592f8

SHA256
c6a7e981c35c995da51b16324de271e314ae3c310df5ce186785c5e5c64019fa

SHA512
54a9380d3e78f6c9c04915b06105c72ca3f826aee566fe61f370a13d0678fbb56e4f563d57855f1d324ea405461026bbd52e48155510e75c730f6ef9f1ba84d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Cave_Drawings.gif.RYK

MD5
0176d2a536ce7c4aff105e4e96021147

SHA1
c02b8bcb91bce404c9c7996cb0b9ebbbcc0cc1f0

SHA256
a748df34eac153ac804c7d1370f17c339df09b1d4592ff945742bfbbbaa50186

SHA512
d73f811d5223e920e393b6e54f1955ffb0e84b24614d50e0692aab45d92ad15e8fed54d0b974bb76160b5f2f2ba5b1287333ee35706c7b21481069812eda8f46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Connectivity.gif.RYK

MD5
dd287e60771fd1ddffed371264e74fb9

SHA1
887d761c4c6491bc6fea11560e00130f5fbc7e96

SHA256
a621a47acd3e338ae472d524f694f238222494764acf962380993bb1897ab4d7

SHA512
324c17ff17cbb209dd7d159a24a33a4b363ef1dbe7f520ae92d277a620d5b3c86a33b86c2c1c35ba5e3baa7831a37aca75bdc4f5ece912b27a906c1e045d6ffe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Dotted_Lines.emf.RYK

MD5
a8c06dda54aba674523e38aa390ac651

SHA1
a14a8ac06ec5b69c1edb1cf466dfe861b6a3c4a9

SHA256
f60c42204a592a43c79465ec62722bf4591b47522ae62a6ea0e86adae87bddc7

SHA512
7202d795b8b108b39fb739be0707267eb9997c4ee1bd4e168a23dd6284fb16f0fdbd326d42bd8bc184b4e3bdfca79c5143d34ce6d439d50a84116d628372db16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.htm.RYK

MD5
78c5d431a9ceec3c710c7acb7a982e87

SHA1
f90e0b942aafa288c4cd2f25a0acad6ff7ab9a74

SHA256
930a513e9e0ca6c62b5dc881c91619fbaba42c25c9ec204dc82fdd4c60231d8b

SHA512
dc2a861033676ee7758b5accd9cf39d182d68a3a636df87cc3a7db225d1b718c29879c046feab3e430ec97978c00a2e08deb33e3148b00846348f40c262d61e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg.RYK

MD5
f5d1eb411436d7e3b2e2c5c162488642

SHA1
d5e6fb0c247ac2246e7ec02946ce40c15fc1b70e

SHA256
068193cb99240e33983ce1d02f878f8b02ba22d089e9b3422e31141fc8caeced

SHA512
92055aed571ade11da8ce7abe08d691b870d98c0dc811fc66ce910c1a6d53060d7fbb035d7c988199f8b30a33449b3130fe4e06bae5cbe08ba64a7eb8123ad4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.chk.RYK

MD5
1b6ba687fe69f3d8ca083fd0ba5a8b62

SHA1
6bbd06af7443dc79689074ad9c0fdb82bb851866

SHA256
72db96d3f9e07d0c6bceab4ae5422b1532e6ceea1d662fbad83db536433751cf

SHA512
9d33d94960b109f9dab153ad049851f985ec9b038cfd8e082d2751c7ed3f895ca8da687ecc0577c11661d0b4f5c38aeb392e3b3055fed33eaf62e5812729c865

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log.RYK

MD5
c631ab1ebb02209abe42d2957c021113

SHA1
5650ead80157763847bc2ad86fe0d90919e14bdd

SHA256
c7a4ba8bffb87b1240db5c963ab96daf3de672ddce7a39dae23e3027b244e70d

SHA512
f37159520000be9fd8984a45bab5072f670f23a77cb02da0d6a70690c4a79fa0525d6d350ffc376cace0cd38996257d03700a1ddb0f5c1b1c0e2815b7f39abfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb00001.log.RYK

MD5
95b12ae3118f58e4b0978b3491360229

SHA1
a3f201a3d9847ad3a4f93f0eb90b0b718c13b84d

SHA256
ccb1a390166851a55f254b87f884c50a636ca5f9c735c62c72b5a785bee77de8

SHA512
ac5b731801bdbabfe817538cda85bd46e6174a8d04a3056005a441b76e91e28c7f23dbbd47e92d84eaa0a096d44ef461044017750cdef772ab91c0105ccb7a0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edbres00001.jrs.RYK

MD5
90b93ea902c95432036087da3bef216f

SHA1
93aba524ae987d3788839f5ff024de91ebe361c6

SHA256
11d10da318711153ecccfbb542f08af4a99941479327a1471251ba62f03ee55d

SHA512
89df01cf94708e3e9e073702efde6c36cf55094a7c9dde746f1c10448b79a1772d72ae31ecad15193461a77136b98d037461d1b316f37fd968e970098fd54207

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edbres00002.jrs.RYK

MD5
3ff77355a5afc38bef8554b20238322d

SHA1
076cc0cfbb31db6a747acdc816d5151ddbeeee54

SHA256
12da6c33d9fff7fc33ad953bc70b48d912432d5ccf70e2aef56dead1f8a00163

SHA512
742c4d80f9ed96a9d3e4e2306c715e0bdf973fa7e5a2fcd1d96ec84e5cbf31ab5ba841cf145062f6e9732742b89ea629c120d7abbf69c567e5da512842fc907f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\oeold.xml.RYK

MD5
27f12e94741460bde0181cdcebbdf482

SHA1
1e818901c60298308052b1884af54850bff5cf0f

SHA256
25f116980abd5c336967a1d71a2c355c123a723f15213dd85e47411fed81a0a8

SHA512
d63b453871bdfad16e6da4b20ea48dd7be20c20b73c6af31b17ab37f8db0e7468bccf2e073228f3f9751fd746c42b98c30cc14654736a58b5995e890d9ef978e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat.RYK

MD5
bb3504120de6ad0d964bc74aac422563

SHA1
8c91b7d57f6b6cb0e01cff54d7306bd74b9f10f2

SHA256
701c604195fd2f3eb4a353ca2723833a360d7c19a95d32c9696bc9e87388fcde

SHA512
f72508f8b925eaaa1b6f31a8c73258cbcb144322e83cc8154698fd1011018b9605b3940235f101c223428ace4284d0063fa807b11090514ac3cdf051d4813851

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe

MD5
21256f1e6fef12bb963fff955d5f4531

SHA1
45f2ba25a028bb4756e37b810b96a32bb359b339

SHA256
84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3

SHA512
835b80e9d9db3aac6d670dde804c9caf999dd915086f1b3e037a60b572c6d6c1dc5261ee921851dbf50651be5e2eada75614be34c4e25b30e7dddd731fee1587

Download Submit
C:\Users\RyukReadMe.html

MD5
b3b2c5565ef72eb13c047661d64689cd

SHA1
5a6e9dd4ab19865b39fc4690b5294998dc61d853

SHA256
61fa77d232426f76177a360feb12c5a52b52e4c62479b9e3c51ff2d58e4bc283

SHA512
25e40ccc86d209ee183d84732436916b0c6ce6b878a6325302cf77008e05c585772844586488b8ac810fc293dd9a3eb4ad37d3f319e0721ea437db3ecb8f6de0

Download Submit
\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe

MD5
21256f1e6fef12bb963fff955d5f4531

SHA1
45f2ba25a028bb4756e37b810b96a32bb359b339

SHA256
84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3

SHA512
835b80e9d9db3aac6d670dde804c9caf999dd915086f1b3e037a60b572c6d6c1dc5261ee921851dbf50651be5e2eada75614be34c4e25b30e7dddd731fee1587

Download Submit
\Users\Admin\AppData\Local\Temp\ZNGJIOO.exe

MD5
21256f1e6fef12bb963fff955d5f4531

SHA1
45f2ba25a028bb4756e37b810b96a32bb359b339

SHA256
84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3

SHA512
835b80e9d9db3aac6d670dde804c9caf999dd915086f1b3e037a60b572c6d6c1dc5261ee921851dbf50651be5e2eada75614be34c4e25b30e7dddd731fee1587

Download Submit
memory/1116-60-0x0000000030000000-0x0000000030170000-memory.dmp

Filesize
1.4MB

Download
memory/1528-55-0x00000000769D1000-0x00000000769D3000-memory.dmp

Filesize
8KB

Download