Analysis Overview
SHA256
7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030
Threat Level: Known bad
The file 7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030 was found to be: Known bad.
Malicious Activity Summary
Ryuk
Deletes shadow copies
Executes dropped EXE
Modifies file permissions
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Enumerates physical storage devices
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Interacts with shadow copies
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-20 05:43
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 05:43
Reported
2022-02-20 06:34
Platform
win7-en-20211208
Max time kernel
174s
Max time network
80s
Command Line
Signatures
Ryuk
Deletes shadow copies
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IJecnaS.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
"C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe"
C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe
"C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe" 8 LAN
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe" /f /reg:64
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe" /f /reg:64
C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe" /f /reg:64
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe" /f /reg:64
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.0.1:7 | N/A | udp |
| NL | 154.61.71.51:7 | N/A | udp |
| N/A | 224.0.0.22:7 | N/A | udp |
| N/A | 224.0.0.252:7 | N/A | udp |
| N/A | 239.255.255.250:7 | N/A | udp |
Files
| SHA1 | 6109f3336c87bac6488a193625ffd9019b209346 |
| SHA256 | 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957 |
| SHA512 | 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat.RYK
| MD5 | 09bbbbedca9b4304390aad0516732fbd |
| SHA1 | e6f0cb2bc70d6950cbffab3df6b73424eb9e15df |
| SHA256 | 154e93259945386252639e89954ac7ab801d24ac728906bcb589bbb611fed67d |
| SHA512 | 15baf0f41cdf4e725929b845897e34545e6a1010aa779a42b3ddfbb75b17127fffb31b55a2cb7661b148b45aafae53f4ab2187e5088608dae836177052e4a3a0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\RyukReadMe.html
| MD5 | 8d23eb184e108fbd3fdd93df2cb2be6e |
| SHA1 | 6109f3336c87bac6488a193625ffd9019b209346 |
| SHA256 | 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957 |
| SHA512 | 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\RyukReadMe.html
| MD5 | 8d23eb184e108fbd3fdd93df2cb2be6e |
| SHA1 | 6109f3336c87bac6488a193625ffd9019b209346 |
| SHA256 | 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957 |
| SHA512 | 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\RyukReadMe.html
| MD5 | 8d23eb184e108fbd3fdd93df2cb2be6e |
| SHA1 | 6109f3336c87bac6488a193625ffd9019b209346 |
| SHA256 | 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957 |
| SHA512 | 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\RyukReadMe.html
| MD5 | 8d23eb184e108fbd3fdd93df2cb2be6e |
| SHA1 | 6109f3336c87bac6488a193625ffd9019b209346 |
| SHA256 | 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957 |
| SHA512 | 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\RyukReadMe.html
| MD5 | 8d23eb184e108fbd3fdd93df2cb2be6e |
| SHA1 | 6109f3336c87bac6488a193625ffd9019b209346 |
| SHA256 | 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957 |
| SHA512 | 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 05:43
Reported
2022-02-20 06:33
Platform
win10v2004-en-20220113
Max time kernel
184s
Max time network
205s
Command Line
Signatures
Ryuk
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PqdfzJO.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
"C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe"
C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe
"C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe" 8 LAN
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe" /f /reg:64
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe" /f /reg:64
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe" /f /reg:64
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe" /f /reg:64
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 52.184.215.140:443 | | tcp |
| N/A | 10.127.0.1:7 | | udp |
| NL | 154.61.71.51:7 | | udp |
| N/A | 224.0.0.22:7 | | udp |
| N/A | 224.0.0.251:7 | | udp |
| N/A | 224.0.0.252:7 | | udp |
| N/A | 239.255.255.250:7 | | udp |
Files