ryuk | 7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030

Analysis

max time kernel
174s
max time network
80s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
Size

189KB
MD5

090826c3c34fb53a639f1d2919e1b44c
SHA1

ab355fed7323cb1dfaf1e32833acd77ffa23c287
SHA256

7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030
SHA512

d0ac51019f6d2652ae285b99fb68cbe5e3f2acf9cfa30b9d26d95e9692a5562fb8e5f5656afb55c71d191617be4336dd9b4dd7dad8b5f9107f7c9fd4789a7720

Score

10^/10

ryuk discovery persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

IJecnaS.exe

pid process

676 IJecnaS.exe

pid	process
676	IJecnaS.exe

Loads dropped DLL 2 IoCs

Processes:

7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe

pid	process
1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exe

pid process

1096 icacls.exe
1104 icacls.exe
1100 icacls.exe
1808 icacls.exe

pid	process
1096	icacls.exe
1104	icacls.exe
1100	icacls.exe
1808	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IJecnaS.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1288 vssadmin.exe
1672 vssadmin.exe
Runs net.exe

pid	process
1288	vssadmin.exe
1672	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exeIJecnaS.exe

pid	process
1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
676	IJecnaS.exe
1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
676	IJecnaS.exe
1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
676	IJecnaS.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exeIJecnaS.exeWMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
Token: SeBackupPrivilege	676	IJecnaS.exe
Token: SeBackupPrivilege	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
Token: SeIncreaseQuotaPrivilege	1776	WMIC.exe
Token: SeSecurityPrivilege	1776	WMIC.exe
Token: SeTakeOwnershipPrivilege	1776	WMIC.exe
Token: SeLoadDriverPrivilege	1776	WMIC.exe
Token: SeSystemProfilePrivilege	1776	WMIC.exe
Token: SeSystemtimePrivilege	1776	WMIC.exe
Token: SeProfSingleProcessPrivilege	1776	WMIC.exe
Token: SeIncBasePriorityPrivilege	1776	WMIC.exe
Token: SeCreatePagefilePrivilege	1776	WMIC.exe
Token: SeBackupPrivilege	1776	WMIC.exe
Token: SeRestorePrivilege	1776	WMIC.exe
Token: SeShutdownPrivilege	1776	WMIC.exe
Token: SeDebugPrivilege	1776	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1776	WMIC.exe
Token: SeRemoteShutdownPrivilege	1776	WMIC.exe
Token: SeUndockPrivilege	1776	WMIC.exe
Token: SeManageVolumePrivilege	1776	WMIC.exe
Token: 33	1776	WMIC.exe
Token: 34	1776	WMIC.exe
Token: 35	1776	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1396	WMIC.exe
Token: SeSecurityPrivilege	1396	WMIC.exe
Token: SeTakeOwnershipPrivilege	1396	WMIC.exe
Token: SeLoadDriverPrivilege	1396	WMIC.exe
Token: SeSystemProfilePrivilege	1396	WMIC.exe
Token: SeSystemtimePrivilege	1396	WMIC.exe
Token: SeProfSingleProcessPrivilege	1396	WMIC.exe
Token: SeIncBasePriorityPrivilege	1396	WMIC.exe
Token: SeCreatePagefilePrivilege	1396	WMIC.exe
Token: SeBackupPrivilege	1396	WMIC.exe
Token: SeRestorePrivilege	1396	WMIC.exe
Token: SeShutdownPrivilege	1396	WMIC.exe
Token: SeDebugPrivilege	1396	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1396	WMIC.exe
Token: SeRemoteShutdownPrivilege	1396	WMIC.exe
Token: SeUndockPrivilege	1396	WMIC.exe
Token: SeManageVolumePrivilege	1396	WMIC.exe
Token: 33	1396	WMIC.exe
Token: 34	1396	WMIC.exe
Token: 35	1396	WMIC.exe
Token: SeBackupPrivilege	2212	vssvc.exe
Token: SeRestorePrivilege	2212	vssvc.exe
Token: SeAuditPrivilege	2212	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1396	WMIC.exe
Token: SeSecurityPrivilege	1396	WMIC.exe
Token: SeTakeOwnershipPrivilege	1396	WMIC.exe
Token: SeLoadDriverPrivilege	1396	WMIC.exe
Token: SeSystemProfilePrivilege	1396	WMIC.exe
Token: SeSystemtimePrivilege	1396	WMIC.exe
Token: SeProfSingleProcessPrivilege	1396	WMIC.exe
Token: SeIncBasePriorityPrivilege	1396	WMIC.exe
Token: SeCreatePagefilePrivilege	1396	WMIC.exe
Token: SeBackupPrivilege	1396	WMIC.exe
Token: SeRestorePrivilege	1396	WMIC.exe
Token: SeShutdownPrivilege	1396	WMIC.exe
Token: SeDebugPrivilege	1396	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1396	WMIC.exe
Token: SeRemoteShutdownPrivilege	1396	WMIC.exe
Token: SeUndockPrivilege	1396	WMIC.exe
Token: SeManageVolumePrivilege	1396	WMIC.exe
Token: 33	1396	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exenet.exenet.exeIJecnaS.exenet.exe

description	pid	process	target process
PID 1156 wrote to memory of 676	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	IJecnaS.exe
PID 1156 wrote to memory of 676	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	IJecnaS.exe
PID 1156 wrote to memory of 676	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	IJecnaS.exe
PID 1156 wrote to memory of 676	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	IJecnaS.exe
PID 1156 wrote to memory of 1144	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	taskhost.exe
PID 1156 wrote to memory of 1236	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	Dwm.exe
PID 1156 wrote to memory of 1696	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	net.exe
PID 1156 wrote to memory of 1696	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	net.exe
PID 1156 wrote to memory of 1696	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	net.exe
PID 1156 wrote to memory of 1696	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	net.exe
PID 1156 wrote to memory of 852	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	net.exe
PID 1156 wrote to memory of 852	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	net.exe
PID 1156 wrote to memory of 852	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	net.exe
PID 1156 wrote to memory of 852	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	net.exe
PID 852 wrote to memory of 876	852	net.exe	net1.exe
PID 852 wrote to memory of 876	852	net.exe	net1.exe
PID 852 wrote to memory of 876	852	net.exe	net1.exe
PID 852 wrote to memory of 876	852	net.exe	net1.exe
PID 1696 wrote to memory of 1508	1696	net.exe	net1.exe
PID 1696 wrote to memory of 1508	1696	net.exe	net1.exe
PID 1696 wrote to memory of 1508	1696	net.exe	net1.exe
PID 1696 wrote to memory of 1508	1696	net.exe	net1.exe
PID 1156 wrote to memory of 1100	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	icacls.exe
PID 1156 wrote to memory of 1100	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	icacls.exe
PID 1156 wrote to memory of 1100	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	icacls.exe
PID 1156 wrote to memory of 1100	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	icacls.exe
PID 676 wrote to memory of 1096	676	IJecnaS.exe	icacls.exe
PID 676 wrote to memory of 1096	676	IJecnaS.exe	icacls.exe
PID 676 wrote to memory of 1096	676	IJecnaS.exe	icacls.exe
PID 676 wrote to memory of 1096	676	IJecnaS.exe	icacls.exe
PID 1156 wrote to memory of 1104	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	icacls.exe
PID 1156 wrote to memory of 1104	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	icacls.exe
PID 1156 wrote to memory of 1104	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	icacls.exe
PID 1156 wrote to memory of 1104	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	icacls.exe
PID 676 wrote to memory of 1808	676	IJecnaS.exe	icacls.exe
PID 676 wrote to memory of 1808	676	IJecnaS.exe	icacls.exe
PID 676 wrote to memory of 1808	676	IJecnaS.exe	icacls.exe
PID 676 wrote to memory of 1808	676	IJecnaS.exe	icacls.exe
PID 676 wrote to memory of 1404	676	IJecnaS.exe	cmd.exe
PID 676 wrote to memory of 1404	676	IJecnaS.exe	cmd.exe
PID 676 wrote to memory of 1404	676	IJecnaS.exe	cmd.exe
PID 676 wrote to memory of 1404	676	IJecnaS.exe	cmd.exe
PID 1156 wrote to memory of 1980	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	cmd.exe
PID 1156 wrote to memory of 1980	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	cmd.exe
PID 1156 wrote to memory of 1980	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	cmd.exe
PID 1156 wrote to memory of 1980	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	cmd.exe
PID 676 wrote to memory of 1672	676	IJecnaS.exe	vssadmin.exe
PID 676 wrote to memory of 1672	676	IJecnaS.exe	vssadmin.exe
PID 676 wrote to memory of 1672	676	IJecnaS.exe	vssadmin.exe
PID 676 wrote to memory of 1672	676	IJecnaS.exe	vssadmin.exe
PID 1156 wrote to memory of 1288	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	vssadmin.exe
PID 1156 wrote to memory of 1288	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	vssadmin.exe
PID 1156 wrote to memory of 1288	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	vssadmin.exe
PID 1156 wrote to memory of 1288	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	vssadmin.exe
PID 1156 wrote to memory of 1216	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	net.exe
PID 1156 wrote to memory of 1216	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	net.exe
PID 1156 wrote to memory of 1216	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	net.exe
PID 1156 wrote to memory of 1216	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	net.exe
PID 1216 wrote to memory of 556	1216	net.exe	net1.exe
PID 1216 wrote to memory of 556	1216	net.exe	net1.exe
PID 1216 wrote to memory of 556	1216	net.exe	net1.exe
PID 1216 wrote to memory of 556	1216	net.exe	net1.exe
PID 1156 wrote to memory of 1828	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	cmd.exe
PID 1156 wrote to memory of 1828	1156	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	cmd.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1236

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
"C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe
"C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:1096

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:1808

C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
3⤵
PID:1404

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1672

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:1708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe" /f /reg:64
3⤵
PID:9628

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe" /f /reg:64
4⤵
- Adds Run key to start application
PID:9752

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:9668

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:9736

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:26044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:26252

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1508

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:876

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1104

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1100

C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
2⤵
PID:1980

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:1288

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe" /f /reg:64
2⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe" /f /reg:64
3⤵
- Adds Run key to start application
PID:1592

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:9620

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:9744

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:9644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:9728

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:25776

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:26300

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:25688

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:26336

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK
MD5
9a4d5a97f359c430fa85e4062b0f0722

SHA1
bc343aaffa58cb9a93fcc677e8c2917a5cc9c556

SHA256
9befa8ae8dc78fed1fb3be0fab33b028922c5b0c3624cb26ddf265487ce21f00

SHA512
73d8b35fb1f27b73f51eab186b855e9011bc05226aaa6aa4314c665a5d3eff60f5cc4bc47ac6a9fb8969b093905c0e380fd04fddf85163a34eebb197646c936a

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\ACECache10.lst.RYK
MD5
ad9cb5b733e30c0bec951cac94130619

SHA1
1b8239170a5ad6dc31fe4eb046d0758721fa31b5

SHA256
4b22ed6e92f70f0a4c050aec76df11991def25ab37267042bab120498163351a

SHA512
5b18adba30a4ffa760ee7e262b45dbee174e965715a40f6c41de97b39396dc8e3dfb15b095ab9587a51ba35b2488b6925ccde82540d7da0281d8755eb1836fe7

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
MD5
0548767fd4eb790636d918494bb59147

SHA1
629887f7de2f5582387de39a76263f6f6d07868f

SHA256
7fae49675da5b7f33508b4e2ed7bfa461b76a1401eaf24e70bea38ce04e2df8c

SHA512
c1ffefd3cd577f24941b1166a23e0a4c9fb58663067cb193c58926456385ad5b2610fc738d7a43584bc8d6f9b0259341622d267c2c191f93ada09eb208af3bf5

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
MD5
c76dc13d3aaa5abb7f7caa5e4a3384dd

SHA1
85c77271cb2fdf97b916d8a2aed37127a942c6fa

SHA256
6c525de967e85ca649d46bed23e279866a898d7e0f50480e571fa77b21132460

SHA512
5b9ffd349bcc7afe90b95c9cba95d462533faa13491e1971eaa4b25f8396606b0c40ba2f7be9300efee3487076a215564fb98c4730154bbe249743418604a5ad

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Adobe\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Google\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\IconCache.db.RYK
MD5
3b6bcaa76bb3758cd611498758dd96d0

SHA1
377d1428c3dfe489d25dace08bcc7c03a166b66b

SHA256
0adb863edef9fe785fede471bbc38b057e58a237cffcf6feea149210118db3b9

SHA512
cf85b21fe70d81c6b3bb3afa625288f12e10f3d8e671bcb2e869956d13344a9ab67f58c6f613d34cb1abf7031702db5e6402842768ad83037c614793b1a9a136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Credentials\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\1HZZ20GT\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\K819CMRP\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\N4BWCEPN\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\NK9YD4KU\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\QDAZQ7UR\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\S3IV548V\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\T9SSAR8Y\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\TN1O5RR8\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\Feeds for United States~\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK
MD5
064d78a24de28cf38e57907752b77b41

SHA1
e7a2a7132fb27ea9febb15866e04219137475321

SHA256
c99ea6c6a769d97c9563ff1748c9f1e5e73b9ddb74f00427595fab81d9334709

SHA512
445cb42f8bcbc554b485684c16937007558e41acaa4275b88280000c0acbded834189c7d25b4cc3a4e950c3381d341fc18ee2b52388bf1fd1b7ba42ea48ff64b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml
MD5
4b7d72d5b844f5a4135952ce613322ba

SHA1
a0d9174d308c5a9339aaebe1af7490cc08534da0

SHA256
abacf5de8a07fdd11a011b49ccb72fd81100ce76682ef0a5a93a33b5ac2c192e

SHA512
f7efc8fc0145ae3317ce785eae21c3dcc2da9d758073519f82584db99515a46e13553cfe69d6474f0f92acf72374cca7041652f047378acbdcadcc750e2ce5ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\TabRoaming\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Tiles\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak.RYK
MD5
ccf25e67b39e0a7ddc1aca1a6d9ef104

SHA1
95d35c75489b57e75f44b209355081f3a8ed5f1c

SHA256
09d86bb1ae9926d6c52fbbb4eea69f4df1b93cda8d763ddd455256bd04e15a72

SHA512
191fc47653a0d94309d1882697c9997f029819171cef5c52fb04edb3188fc21b0a78ac6e11f078b71f099586cba4a07fe77982bfce92aa3205be19f1a6103505

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.RYK
MD5
1131c33d7948438e2f2775abea4cb375

SHA1
9783139d7e9624f98945de31b0ed628535b39351

SHA256
cad15167b8452ff874ecd31f040cae958891e68a7bebf4bc087b233f7c9c9acf

SHA512
bd0eb5463532ba9762c8149f3bd1761c9019a1abcbcb306e1635c590ab7a48fea6defdbea6a6f69aa21d29ddf5d5540bdf3006de44b90a7a18c7715db9b64ed7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb.RYK
MD5
9d095c37d4838fb5a035cf3395905ad7

SHA1
b203142c336515f9fca29bf2af911cb15ee92ff0

SHA256
6fe5fe21e30de7b330c8c8d4152a1594a6f8e63d8f88d0eb7bb89817b44632c4

SHA512
bb5f389bfad7e788f673dd798c98db80ff66a90858f6f2ca1c3f11bc32689821e987813a237abf2899c60f25058f948d66663e5ba254490a12dd532df6f4fa1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb.RYK
MD5
73457c40d3009e96d2f6774076d80b93

SHA1
cf353b1b747dc80f31bfc3af823b67702c9180bc

SHA256
682e465ce4ec1312ac860deb574eb49c505a5ac85db8b7a8e0ef12b2dd418fcd

SHA512
d545d47e3cbed304dbd79cba64ee4d6d8e9f04955397452efefd746fe23f8f4e0e4a0df275ffdfe1329d90d963a68fb061e575b5ac1fd9905c0f12ceb3f81afd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\System\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\User\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PlayReady\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat.RYK
MD5
09bbbbedca9b4304390aad0516732fbd

SHA1
e6f0cb2bc70d6950cbffab3df6b73424eb9e15df

SHA256
154e93259945386252639e89954ac7ab801d24ac728906bcb589bbb611fed67d

SHA512
15baf0f41cdf4e725929b845897e34545e6a1010aa779a42b3ddfbb75b17127fffb31b55a2cb7661b148b45aafae53f4ab2187e5088608dae836177052e4a3a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe
MD5
090826c3c34fb53a639f1d2919e1b44c

SHA1
ab355fed7323cb1dfaf1e32833acd77ffa23c287

SHA256
7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030

SHA512
d0ac51019f6d2652ae285b99fb68cbe5e3f2acf9cfa30b9d26d95e9692a5562fb8e5f5656afb55c71d191617be4336dd9b4dd7dad8b5f9107f7c9fd4789a7720

Download Submit
C:\Users\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
\Users\Admin\AppData\Local\Temp\IJecnaS.exe
MD5
090826c3c34fb53a639f1d2919e1b44c

SHA1
ab355fed7323cb1dfaf1e32833acd77ffa23c287

SHA256
7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030

SHA512
d0ac51019f6d2652ae285b99fb68cbe5e3f2acf9cfa30b9d26d95e9692a5562fb8e5f5656afb55c71d191617be4336dd9b4dd7dad8b5f9107f7c9fd4789a7720

Download Submit
\Users\Admin\AppData\Local\Temp\IJecnaS.exe
MD5
090826c3c34fb53a639f1d2919e1b44c

SHA1
ab355fed7323cb1dfaf1e32833acd77ffa23c287

SHA256
7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030

SHA512
d0ac51019f6d2652ae285b99fb68cbe5e3f2acf9cfa30b9d26d95e9692a5562fb8e5f5656afb55c71d191617be4336dd9b4dd7dad8b5f9107f7c9fd4789a7720

Download Submit
memory/1144-59-0x0000000030000000-0x000000003016F000-memory.dmp

Filesize
1.4MB

Download
memory/1156-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download