ryuk | 4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a

Analysis

max time kernel
176s
max time network
87s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe
Size

190KB
MD5

727cf4d00df34f36c4767f1ab185244a
SHA1

983331a93a5c91cb3ffee97495eef475d43f3f52
SHA256

4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a
SHA512

ff3e67d7b2d6196ab574d1f1157a4c3190e91f539d363c547b1a2cfe6e0dcf86d59a267dc226d0dfc5766ed82d01a9e782bc5ecfaed7eda433c2ede6199cd0e0

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

uObNeqU.exe

pid process

1764 uObNeqU.exe

pid	process
1764	uObNeqU.exe

Loads dropped DLL 2 IoCs

Processes:

4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe

pid	process
1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe
1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exe

pid process

1784 icacls.exe
1772 icacls.exe
2616 icacls.exe
2624 icacls.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1816 vssadmin.exe
2660 vssadmin.exe
Runs net.exe

pid	process
1784	icacls.exe
1772	icacls.exe
2616	icacls.exe
2624	icacls.exe

pid	process
1816	vssadmin.exe
2660	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exeuObNeqU.exe

pid	process
1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe
1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe
1764	uObNeqU.exe
1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe
1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe
1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe
1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe
1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe
1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe
1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe
1764	uObNeqU.exe
1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe
1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe
1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe
1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe
1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe
1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe
1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe
1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe
1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe
1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe
1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe
1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe
1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe
1764	uObNeqU.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exeWMIC.exevssvc.exeuObNeqU.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe
Token: SeIncreaseQuotaPrivilege	1508	WMIC.exe
Token: SeSecurityPrivilege	1508	WMIC.exe
Token: SeTakeOwnershipPrivilege	1508	WMIC.exe
Token: SeLoadDriverPrivilege	1508	WMIC.exe
Token: SeSystemProfilePrivilege	1508	WMIC.exe
Token: SeSystemtimePrivilege	1508	WMIC.exe
Token: SeProfSingleProcessPrivilege	1508	WMIC.exe
Token: SeIncBasePriorityPrivilege	1508	WMIC.exe
Token: SeCreatePagefilePrivilege	1508	WMIC.exe
Token: SeBackupPrivilege	1508	WMIC.exe
Token: SeRestorePrivilege	1508	WMIC.exe
Token: SeShutdownPrivilege	1508	WMIC.exe
Token: SeDebugPrivilege	1508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1508	WMIC.exe
Token: SeRemoteShutdownPrivilege	1508	WMIC.exe
Token: SeUndockPrivilege	1508	WMIC.exe
Token: SeManageVolumePrivilege	1508	WMIC.exe
Token: 33	1508	WMIC.exe
Token: 34	1508	WMIC.exe
Token: 35	1508	WMIC.exe
Token: SeBackupPrivilege	2220	vssvc.exe
Token: SeRestorePrivilege	2220	vssvc.exe
Token: SeAuditPrivilege	2220	vssvc.exe
Token: SeBackupPrivilege	1764	uObNeqU.exe
Token: SeIncreaseQuotaPrivilege	2732	WMIC.exe
Token: SeSecurityPrivilege	2732	WMIC.exe
Token: SeTakeOwnershipPrivilege	2732	WMIC.exe
Token: SeLoadDriverPrivilege	2732	WMIC.exe
Token: SeSystemProfilePrivilege	2732	WMIC.exe
Token: SeSystemtimePrivilege	2732	WMIC.exe
Token: SeProfSingleProcessPrivilege	2732	WMIC.exe
Token: SeIncBasePriorityPrivilege	2732	WMIC.exe
Token: SeCreatePagefilePrivilege	2732	WMIC.exe
Token: SeBackupPrivilege	2732	WMIC.exe
Token: SeRestorePrivilege	2732	WMIC.exe
Token: SeShutdownPrivilege	2732	WMIC.exe
Token: SeDebugPrivilege	2732	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2732	WMIC.exe
Token: SeRemoteShutdownPrivilege	2732	WMIC.exe
Token: SeUndockPrivilege	2732	WMIC.exe
Token: SeManageVolumePrivilege	2732	WMIC.exe
Token: 33	2732	WMIC.exe
Token: 34	2732	WMIC.exe
Token: 35	2732	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2732	WMIC.exe
Token: SeSecurityPrivilege	2732	WMIC.exe
Token: SeTakeOwnershipPrivilege	2732	WMIC.exe
Token: SeLoadDriverPrivilege	2732	WMIC.exe
Token: SeSystemProfilePrivilege	2732	WMIC.exe
Token: SeSystemtimePrivilege	2732	WMIC.exe
Token: SeProfSingleProcessPrivilege	2732	WMIC.exe
Token: SeIncBasePriorityPrivilege	2732	WMIC.exe
Token: SeCreatePagefilePrivilege	2732	WMIC.exe
Token: SeBackupPrivilege	2732	WMIC.exe
Token: SeRestorePrivilege	2732	WMIC.exe
Token: SeShutdownPrivilege	2732	WMIC.exe
Token: SeDebugPrivilege	2732	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2732	WMIC.exe
Token: SeRemoteShutdownPrivilege	2732	WMIC.exe
Token: SeUndockPrivilege	2732	WMIC.exe
Token: SeManageVolumePrivilege	2732	WMIC.exe
Token: 33	2732	WMIC.exe
Token: 34	2732	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exenet.exenet.exenet.execmd.exenet.exeuObNeqU.exe

description	pid	process	target process
PID 1480 wrote to memory of 1764	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	uObNeqU.exe
PID 1480 wrote to memory of 1764	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	uObNeqU.exe
PID 1480 wrote to memory of 1764	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	uObNeqU.exe
PID 1480 wrote to memory of 1764	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	uObNeqU.exe
PID 1480 wrote to memory of 680	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	net.exe
PID 1480 wrote to memory of 680	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	net.exe
PID 1480 wrote to memory of 680	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	net.exe
PID 1480 wrote to memory of 680	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	net.exe
PID 680 wrote to memory of 572	680	net.exe	net1.exe
PID 680 wrote to memory of 572	680	net.exe	net1.exe
PID 680 wrote to memory of 572	680	net.exe	net1.exe
PID 680 wrote to memory of 572	680	net.exe	net1.exe
PID 1480 wrote to memory of 564	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	net.exe
PID 1480 wrote to memory of 564	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	net.exe
PID 1480 wrote to memory of 564	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	net.exe
PID 1480 wrote to memory of 564	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	net.exe
PID 564 wrote to memory of 824	564	net.exe	net1.exe
PID 564 wrote to memory of 824	564	net.exe	net1.exe
PID 564 wrote to memory of 824	564	net.exe	net1.exe
PID 564 wrote to memory of 824	564	net.exe	net1.exe
PID 1480 wrote to memory of 1784	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	icacls.exe
PID 1480 wrote to memory of 1784	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	icacls.exe
PID 1480 wrote to memory of 1784	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	icacls.exe
PID 1480 wrote to memory of 1784	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	icacls.exe
PID 1480 wrote to memory of 1772	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	icacls.exe
PID 1480 wrote to memory of 1772	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	icacls.exe
PID 1480 wrote to memory of 1772	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	icacls.exe
PID 1480 wrote to memory of 1772	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	icacls.exe
PID 1480 wrote to memory of 288	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	cmd.exe
PID 1480 wrote to memory of 288	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	cmd.exe
PID 1480 wrote to memory of 288	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	cmd.exe
PID 1480 wrote to memory of 288	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	cmd.exe
PID 1480 wrote to memory of 1816	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	vssadmin.exe
PID 1480 wrote to memory of 1816	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	vssadmin.exe
PID 1480 wrote to memory of 1816	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	vssadmin.exe
PID 1480 wrote to memory of 1816	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	vssadmin.exe
PID 1480 wrote to memory of 1476	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	net.exe
PID 1480 wrote to memory of 1476	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	net.exe
PID 1480 wrote to memory of 1476	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	net.exe
PID 1480 wrote to memory of 1476	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	net.exe
PID 1476 wrote to memory of 1004	1476	net.exe	net1.exe
PID 1476 wrote to memory of 1004	1476	net.exe	net1.exe
PID 1476 wrote to memory of 1004	1476	net.exe	net1.exe
PID 1476 wrote to memory of 1004	1476	net.exe	net1.exe
PID 288 wrote to memory of 1508	288	cmd.exe	WMIC.exe
PID 288 wrote to memory of 1508	288	cmd.exe	WMIC.exe
PID 288 wrote to memory of 1508	288	cmd.exe	WMIC.exe
PID 288 wrote to memory of 1508	288	cmd.exe	WMIC.exe
PID 1480 wrote to memory of 2144	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	net.exe
PID 1480 wrote to memory of 2144	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	net.exe
PID 1480 wrote to memory of 2144	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	net.exe
PID 1480 wrote to memory of 2144	1480	4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe	net.exe
PID 2144 wrote to memory of 2228	2144	net.exe	net1.exe
PID 2144 wrote to memory of 2228	2144	net.exe	net1.exe
PID 2144 wrote to memory of 2228	2144	net.exe	net1.exe
PID 2144 wrote to memory of 2228	2144	net.exe	net1.exe
PID 1764 wrote to memory of 2616	1764	uObNeqU.exe	icacls.exe
PID 1764 wrote to memory of 2616	1764	uObNeqU.exe	icacls.exe
PID 1764 wrote to memory of 2616	1764	uObNeqU.exe	icacls.exe
PID 1764 wrote to memory of 2616	1764	uObNeqU.exe	icacls.exe
PID 1764 wrote to memory of 2624	1764	uObNeqU.exe	icacls.exe
PID 1764 wrote to memory of 2624	1764	uObNeqU.exe	icacls.exe
PID 1764 wrote to memory of 2624	1764	uObNeqU.exe	icacls.exe
PID 1764 wrote to memory of 2624	1764	uObNeqU.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe
"C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480

C:\Users\Admin\AppData\Local\Temp\uObNeqU.exe
"C:\Users\Admin\AppData\Local\Temp\uObNeqU.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:2616

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:2624

C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
3⤵
PID:2640

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2660

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:3032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:2232

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:27748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:27772

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:38288

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:38312

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:572

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:824

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1784

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1772

C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
2⤵
- Suspicious use of WriteProcessMemory
PID:288

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:1816

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1004

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2228

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:24364

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:24472

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:24536

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:23808

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:27796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:27820

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:33532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:33448

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK
MD5
69bd776eb6ba8fbbf28664acfc789df3

SHA1
fa0ee22ff3c3000a9bef5487df244e1ba7c9b4d7

SHA256
ff0f69f4c95a921c859573a5e6c71e66381b3275ca8c1f7f9e477c38de959a15

SHA512
13d13d5077340a91358a1f0d785f8faa1a03118ed946dc08922d6fade181af6e4c762c66a03becb55ab5f2d195b796b48f2e36e098312d473d20ab1de4616099

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\ACECache10.lst.RYK
MD5
0263f87e403a12940199b72f8de8751c

SHA1
b2353e98b50d59e8b1148b3e12c97becdbd15a30

SHA256
1cb3b5b20bf6ba61181df947a9e482c4b5097bd14a64bec7484effafc620ed3b

SHA512
66f92ea2a593de8492a91196b1c1e3a5294772e66cb1918c36082f6a9b741aa79451c09aba4a6f8123f74367d89fcb0689ab469e17d9241bb670a1a31cd364f8

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
MD5
e61de08e108d0e1b8b2e30bc0b3fde4e

SHA1
d147b827baf45506bf50ee5bfd4d17764c958dbb

SHA256
f5f9801db7b23a385fcb59362f908bd0ef215e55fa4065c26c580497d5ca38ad

SHA512
3a26fed569ceb9c6bc1e6094e90a64633096eed19e0536c3a213a183cc61e6f3f60e64bfad1abc5be270d245df9b43ce06482c873f039a5b36350d2ba8f63cdd

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
MD5
385d311074da3817c08671ad9f597b10

SHA1
4340d33ba61f609528dda00aaa68f97a5df9ab6e

SHA256
44da321ec7ba370e8727f7f3a1cc3db9ea9047096c14e57831e6bd55725691d9

SHA512
84f71f676be1e581deb1b3a6ea17d1d7c6314153327a3b2f9027066d59b66d87a9c4f1ab3a3541700cb6357a7b5549db337d0a549db074cd3c706123a85d9dbc

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Adobe\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Google\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\IconCache.db.RYK
MD5
7bcc00047a085de0f6b02026ff175b61

SHA1
ce4c296ebc307b750bb83c4dba643be48fcedb67

SHA256
a2a559b356a56ebf7d693d98feb5dcdb2faabb366bab5991c25313e1917d9456

SHA512
2fa855dd887182112ac42a455cfcd15bdfbe59d6e50cb5c05c21a88880514e65eaadf9b45dbf5886785c9a6c322c87caf067c1d49994b0051ed5d9f348df6379

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Credentials\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK
MD5
84c5e23c69115b59d5d992a0e5bb5881

SHA1
d47c933c7d5f0d6896f962c477ba24e87dc931f4

SHA256
aabe874d1c6e540bd0e890bc3b75e1df306e21200d1bfc09a6fa6d51c4461c47

SHA512
2986a1a79c20828b025e7a1ef784352c16e663350781b3c5fd521e4d02e9e6789f38840c37ca1292fde9c3e2a81f5ee6065b29962680ec967bfbd5ef77740801

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml
MD5
157eec80d778a51ae66cd488969addaa

SHA1
3a972178f230fa374f63bfe6a481217f941c1e9b

SHA256
4d645f3b836b77ae41d5bfc4eac7ce1cadb207cf31ab32814612e4c4baf32adc

SHA512
67134effb81f5236fbf247bf7c5d8fcc943f8b237f58a2e0668766b54f332de27b43128b765075ceee4dbe888f86d0f4e05edaa91a73d181b758f8ff79b0d2e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\TabRoaming\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Tiles\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak.RYK
MD5
c9b1c82a88dbc1291c6db01fd4548ed7

SHA1
a61829cced3b155ac7643b46ff5c78105f54570f

SHA256
d7dbd1aa95a7216ba560029f7f136d7328720090f6f50964f4c9a015c5003012

SHA512
4b64147e94f038efeffd4cc4ebfdd9256f29bde7554a36630f1f6bfd438656e268da541f76349c2aa2bf05db1c3dfcffa7abcb3dbcab4189d198989f1647ae8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.RYK
MD5
7fe5bdfd356d7bf4249a231f90efd804

SHA1
04815fcd2035e23e6418a54206ab3ab3785a0547

SHA256
326e42c32b2147f004c6315920a8d90ced9b4621d879179c3c8511746dd731d1

SHA512
2e5c2773bb73726eba72a21e360eb0320bce89e500d6906e71ae16492c5a4cdf15e742cd1df065d35c5fea48192049354bda0b252281c924f1e3f928f745e295

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb.RYK
MD5
a8820ebfb19bf1e28a6a8a657eeccbfe

SHA1
75fea6109e4e406ab6b7acf551481deab3d1b59b

SHA256
f69bf417bd47a2c248b7e9564b40995eab63e6dfc5839e47f6151d403a769c73

SHA512
e5d1db6ed57e078dbb4ecdb1ed56eec32c7987c62675ff7c8611c8309827a5d19c5c8502359913edd9795cdace4542d2218f4d44ccba4c5123336d0810ad7234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb.RYK
MD5
188e9ee79b5a6f87fb0d8ca69da1dc7a

SHA1
f00ae724fa524efe94c7d97af852857bc658b3cc

SHA256
20503a5811f3e27f8dd0466a5a9cd9cc89f3a0cf2dd4fa4b49f56a7af9747c5e

SHA512
191810f7fbbc52735218f67c901028fcc670d710ac670df34c4ba7e05e0a72989eefdb028c333510f5c49de6e0ae143c9080fbd03e004da70aa122b230ca49a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\System\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\User\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PlayReady\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.chk.RYK
MD5
c94d6f920ff50c5870ba4781a2b1447c

SHA1
eba3cb59d44127ba02679b465370f2243025757a

SHA256
fe2172fab0b11f7d1fda633486565cd8698b3a62c36a4a15c90536e9706d9dcd

SHA512
dd1ea0f35dc7a1217b3b5781bed7fe267e3f12d21b1ff1dc9263c312ce13da1078fb3ae5e97ee0b37fc9a74b8cc8703e91f2b14465e631cf27dcd929def46534

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log.RYK
MD5
338f0659dd234049f407a5bc866e86b8

SHA1
2be984f0f633f82f5936ed4c1f5f8e53c035d491

SHA256
5d9f842f7bcf0ed3199c6ecefb4120720e34138e017c68f5e37c3032293e809d

SHA512
8544decb710085392521278495cebfed9839ed61a0fe60d15626ecc9b0e74d15368a17d213b227de792ed026f656c21cadd3f94256d28b8fa7aad50b1e17e90c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb00001.log.RYK
MD5
3c27bf494077329b33cf94d378cc1c4a

SHA1
705e59f3d9ab247de985d2da47ced7321055c07c

SHA256
0a7e903010e5bffb1e1c2e5614af277cba9145f742919af8d2f6da062efdaa55

SHA512
a4d2bb43d5baa3f9361cdb07bc7da72640c319f9ce2aa3045876ee435e54954d744915939ab007ecd094c630a6c4a42c9ae974945ca9c290152d3fca0af8c356

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edbres00001.jrs.RYK
MD5
1bd881cdaedbbad53dd157a60060fb2b

SHA1
853a634bf8fbaab639bb2133a4c9002db537a952

SHA256
64b4811be1030f50e172ac9537e0767b5fb3a2b4361c20d88dd36d915ecff738

SHA512
eac8f45875c2aa58d2b7eed55dc8ac327ba42f8abbbd18e9a7fb920836096bb88001ec0b36942bb33e7c6e8d7fad85f521d1e5e2dcac74a60282c723db158be9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edbres00002.jrs.RYK
MD5
4cf61e4917bc97d04ee531b092301cfe

SHA1
b17c3fab966b6edad3a6e785289623e752a82295

SHA256
7345f280a5e9eb2ec3d41f8403c70aa0981ca89ff122595f2fb5be0d803275c7

SHA512
be3ae0085e0b0b95553d85a3e8fa6560f71e26d6ce3cbec0a8cf780c4e70f831fe6bfe35b9236b4b80b7c8acb54600d12d1d00a3335f9a283af1d9809c8709aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\oeold.xml.RYK
MD5
22693af205b4e20944c802281fa9f2af

SHA1
113751467e0739d89e59378faa22e62a77aa364a

SHA256
f2006d70ce09958667de4094864a1fd89102e7a0cc5b78b61c2f076132120e74

SHA512
3295e1baf2fe71d59e5392c1f6c7a2e4db674b113f6acc5d6f04963f13111dc0eb4218370377e322285570680fce305da57a8a55d619f49e0be781fbb819ab5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat.RYK
MD5
661a96d8025d0cb3c15f2ab4ee42a9eb

SHA1
6961717e962eec2f723971460a9ba37e79d27cba

SHA256
361f0d6888ae724ec0d7c5a4aac2edb8c8d0fcee91407fcbb00f7fc4bb3618fa

SHA512
9694c374f17798e3b987a47ea0bae6ae29ef7fc64a6f7010b8d6c7e611749b3e8ad5668e98dac6804a0b7a69ad1427f2f0a9f619f24a3cf7850d4dab4d318c9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\uObNeqU.exe
MD5
727cf4d00df34f36c4767f1ab185244a

SHA1
983331a93a5c91cb3ffee97495eef475d43f3f52

SHA256
4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a

SHA512
ff3e67d7b2d6196ab574d1f1157a4c3190e91f539d363c547b1a2cfe6e0dcf86d59a267dc226d0dfc5766ed82d01a9e782bc5ecfaed7eda433c2ede6199cd0e0

Download Submit
C:\Users\RyukReadMe.html
MD5
e5a0d49ea2478881d00f2043e603c9dc

SHA1
3debe0b34a7edf304a912ecc51a086a31c86c2cc

SHA256
5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c

SHA512
99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Download Submit
\Users\Admin\AppData\Local\Temp\uObNeqU.exe
MD5
727cf4d00df34f36c4767f1ab185244a

SHA1
983331a93a5c91cb3ffee97495eef475d43f3f52

SHA256
4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a

SHA512
ff3e67d7b2d6196ab574d1f1157a4c3190e91f539d363c547b1a2cfe6e0dcf86d59a267dc226d0dfc5766ed82d01a9e782bc5ecfaed7eda433c2ede6199cd0e0

Download Submit
\Users\Admin\AppData\Local\Temp\uObNeqU.exe
MD5
727cf4d00df34f36c4767f1ab185244a

SHA1
983331a93a5c91cb3ffee97495eef475d43f3f52

SHA256
4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a

SHA512
ff3e67d7b2d6196ab574d1f1157a4c3190e91f539d363c547b1a2cfe6e0dcf86d59a267dc226d0dfc5766ed82d01a9e782bc5ecfaed7eda433c2ede6199cd0e0

Download Submit
memory/1480-54-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download
memory/1764-120-0x000000000E3F0000-0x000000000E514000-memory.dmp

Filesize
1.1MB

Download
memory/1764-121-0x000000000DF50000-0x000000000E074000-memory.dmp

Filesize
1.1MB

Download