Malware Analysis Report

2024-10-19 06:15

Sample ID 220220-jjg6xsbcam
Target 4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a
SHA256 4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a
Tags: ryuk, discovery, ransomware
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a

Threat Level: Known bad

The file 4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a was found to be: Known bad.

Malicious Activity Summary

Tags: ryuk, discovery, ransomware

Ryuk

Deletes shadow copies

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Checks computer location settings

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Interacts with shadow copies

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-20 07:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-20 07:41

Reported

2022-02-20 08:52

Platform

win7-en-20211208

Max time kernel

176s

Max time network

87s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe"

Signatures

Ryuk

ransomware ryuk

Deletes shadow copies

ransomware

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Temp\uObNeqU.exe (a byte-identical copy of the sample: its SHA256 under Files equals the submitted hash; it is relaunched with the arguments "8 LAN")

Modifies file permissions

discovery
Process: C:\Windows\SysWOW64\icacls.exe (4 instances: two spawned by the sample, PID 1480, and two by its copy, PID 1764; each pair grants Everyone Full Control recursively on C:\ and D:\, see Processes)

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Process: C:\Windows\SysWOW64\vssadmin.exe (2 instances, both "vssadmin.exe Delete Shadows /all /quiet"; see Processes)

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Process: C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe (22 events)
Process: C:\Users\Admin\AppData\Local\Temp\uObNeqU.exe (3 events)

Suspicious use of AdjustPrivilegeToken

Process: C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe
Token: SeBackupPrivilege

Process: C:\Users\Admin\AppData\Local\Temp\uObNeqU.exe
Token: SeBackupPrivilege

Process: C:\Windows\system32\vssvc.exe
Tokens: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege

Process: C:\Windows\SysWOW64\Wbem\WMIC.exe (the same set is enabled three times over; the third run of rows is cut off at token 34, where the table ends)
Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35

Tokens 33, 34 and 35 are privilege LUIDs the sandbox did not resolve to names: SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. Two caveats when reading this table: WMIC.exe enabling every privilege held by an administrator token is its normal start-up behaviour, and vssvc.exe is the Volume Shadow Copy service that the vssadmin call starts, so those rows are side effects of the shadow-copy deletion rather than separate techniques. The privilege the sample and its copy enable for themselves, SeBackupPrivilege, lets a process open files for reading regardless of their ACLs, which is the one that matters for an encryptor.

Suspicious use of WriteProcessMemory

Every row is a parent writing into a child it has just created, each spawn logged four times over; the pairs include Windows' own net.exe -> net1.exe and cmd.exe -> WMIC.exe hand-offs, so this table records the process tree rather than code injection. Condensed:

PID 1480  4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe (the sample)
  +- PID 1764  uObNeqU.exe (copy of the sample, run with "8 LAN")
  |    +- PID 2616  icacls.exe
  |    +- PID 2624  icacls.exe
  +- PID 680   net.exe   -> PID 572   net1.exe
  +- PID 564   net.exe   -> PID 824   net1.exe
  +- PID 1784  icacls.exe
  +- PID 1772  icacls.exe
  +- PID 288   cmd.exe   -> PID 1508  WMIC.exe
  +- PID 1816  vssadmin.exe
  +- PID 1476  net.exe   -> PID 1004  net1.exe
  +- PID 2144  net.exe   -> PID 2228  net1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe

"C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe"

C:\Users\Admin\AppData\Local\Temp\uObNeqU.exe

"C:\Users\Admin\AppData\Local\Temp\uObNeqU.exe" 8 LAN

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\icacls.exe

icacls "C:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\icacls.exe

icacls "D:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\cmd.exe

cmd /c "WMIC.exe shadowcopy delet"

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\Wbem\WMIC.exe

WMIC.exe shadowcopy delet

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\icacls.exe

icacls "C:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\icacls.exe

icacls "D:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\cmd.exe

cmd /c "WMIC.exe shadowcopy delet"

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\SysWOW64\Wbem\WMIC.exe

WMIC.exe shadowcopy delet

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y
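
The command lines above are the whole pre-encryption sequence: stop services with net stop ... /y, open every file to Everyone with icacls /grant Everyone:F /T, then destroy recovery points with vssadmin Delete Shadows and WMIC shadowcopy. Two details matter for detection. The sample issues the WMIC verb as "delet", so a rule that looks for the word "delete" after "shadowcopy" misses it. And the net.exe image path is C:\Windows\SysWOW64 while its command line says System32, the WOW64 file-system redirector mapping a 32-bit process's request, so match on the file name rather than the full path. The Python below is an added example, not code from the sandbox or from the sample: it encodes the three behaviours as patterns and ties each hit to the nearest non-Windows ancestor in the process tree. The events are constructed from the Processes and WriteProcessMemory tables (PIDs are the report's; the sample's parent PID 1000 and the benign control event with PIDs 2000/3000 are placeholders).

```python
"""Flag the pre-encryption commands seen in this report and tie them to their launcher.

Added example, not code from the sandbox or from the sample. Events are
constructed from the Processes and WriteProcessMemory tables above; the
sample's own parent (PID 1000) and the benign control event (PIDs 2000/3000)
are placeholders.
"""
import re
from dataclasses import dataclass

# Directories an ordinary administrator does not run tooling from.
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")

# Case-insensitive and deliberately loose: the binary may appear with or without
# ".exe" and with any path prefix (the report shows both forms), and the WMIC
# verb is matched as the prefix "delet" because that is what the sample issues.
PATTERNS = {
    "shadow_copy_deletion": [
        re.compile(r'\bvssadmin(\.exe)?"?\s+delete\s+shadows\b', re.I),
        re.compile(r'\bwmic(\.exe)?"?\s+shadowcopy\s+delet', re.I),
    ],
    # icacls ... /grant Everyone:F ... /T : recursive Full Control for Everyone.
    "acl_weakening": [
        re.compile(r'\bicacls(\.exe)?\b.*\s/grant\s+everyone:f\b.*\s/t\b', re.I),
    ],
    # net stop <svc> /y, as typed or as net.exe's helper net1 sees it.
    "service_stop": [
        re.compile(r'\bnet1?(\.exe)?"?\s+stop\s+"?[\w.-]+"?\s+/y\b', re.I),
    ],
}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path as the sandbox recorded it
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe"
COPY = r"C:\Users\Admin\AppData\Local\Temp\uObNeqU.exe"

EVENTS = [
    ProcEvent(1480, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1764, 1480, COPY, f'"{COPY}" 8 LAN'),
    ProcEvent(680, 1480, r"C:\Windows\SysWOW64\net.exe", r'"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y'),
    ProcEvent(572, 680, r"C:\Windows\SysWOW64\net1.exe", r'C:\Windows\system32\net1 stop "audioendpointbuilder" /y'),
    ProcEvent(1784, 1480, r"C:\Windows\SysWOW64\icacls.exe", r'icacls "C:\*" /grant Everyone:F /T /C /Q'),
    ProcEvent(288, 1480, r"C:\Windows\SysWOW64\cmd.exe", r'cmd /c "WMIC.exe shadowcopy delet"'),
    ProcEvent(1508, 288, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "WMIC.exe shadowcopy delet"),
    ProcEvent(1816, 1480, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin.exe Delete Shadows /all /quiet"),
    # Benign control (constructed): an admin granting read access to one folder.
    ProcEvent(3000, 2000, r"C:\Windows\System32\icacls.exe", r'icacls "C:\Share\Reports" /grant Bob:R'),
]


def classify(cmdline: str) -> set:
    """Return the behaviour tags matched by one command line."""
    return {tag for tag, pats in PATTERNS.items() if any(p.search(cmdline) for p in pats)}


def from_staging_dir(image: str) -> bool:
    """True when the image lives in a user-writable drop location."""
    low = image.lower()
    return any(d in low for d in STAGING_DIRS)


def launcher_of(event, by_pid):
    """Climb past Windows' own binaries (net.exe, cmd.exe, ...) to the first other ancestor."""
    anc = by_pid.get(event.ppid)
    while anc is not None and anc.image.lower().startswith("c:\\windows\\"):
        anc = by_pid.get(anc.ppid)
    return anc


def hunt(events):
    """Return (pid, launcher_pid, tags) for each tagged command launched from a staging dir.

    The launcher check is what separates this sample from an administrator who
    types the same vssadmin or icacls command at a console.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        tags = classify(e.cmdline)
        if not tags:
            continue
        launcher = launcher_of(e, by_pid)
        if launcher is not None and from_staging_dir(launcher.image):
            hits.append((e.pid, launcher.pid, sorted(tags)))
    return hits


if __name__ == "__main__":
    for pid, launcher, tags in hunt(EVENTS):
        print(f"PID {pid} launched under PID {launcher}: {', '.join(tags)}")
```

Run against the constructed events, every tagged command (both net.exe/net1.exe pairs, icacls, cmd.exe and its WMIC child, vssadmin) resolves to PID 1480 as launcher, and the benign icacls call is ignored because its parent is not in a staging directory. The same patterns apply unchanged to Sysmon event ID 1 or EDR process-creation records.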

Network

Country  Destination         Domain  Proto
N/A      10.127.0.1:7        N/A     udp
NL       154.61.71.51:7      N/A     udp
N/A      224.0.0.22:7        N/A     udp
N/A      224.0.0.252:7       N/A     udp
N/A      239.255.255.250:7   N/A     udp

All five flows are UDP datagrams to port 7 (echo): to the local gateway, to one external host, and to the three multicast groups (IGMP, LLMNR and SSDP) that a Windows ARP cache commonly lists as static entries. No domain was resolved and no other network traffic was recorded in this run.
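
Taken together with the copy being launched as "uObNeqU.exe 8 LAN", this pattern is consistent with Ryuk's documented Wake-on-LAN routine, which sends magic packets to UDP port 7 for hosts found in the ARP cache so that powered-off machines come up before network encryption. The report records destinations and ports only, not payloads, so that mapping is an inference, not something the table proves. The Python below is an added example, not part of the report: it checks captured UDP payloads for the magic-packet layout (six 0xFF bytes followed by sixteen copies of a MAC, optionally a SecureOn password trailer) and flags a source that wakes several destinations in one capture. The destinations are the five from the table; the source address 10.127.0.20, the MAC addresses (the three multicast ones are the standard IP-to-MAC mapping for those groups) and the payload bytes are constructed for the example.

```python
"""Check UDP/7 payloads for Wake-on-LAN magic packets and flag hosts that spray them.

Added example, not part of the sandbox report. The destinations are the five
UDP/7 flows from the Network table; the source address, the MAC addresses and
the payload bytes are constructed, since the report records no payloads.
"""
from collections import defaultdict

WOL_SYNC = b"\xff" * 6            # synchronisation stream that opens a magic packet
MAC_LEN = 6
WOL_BODY_LEN = 6 + 16 * MAC_LEN   # 102 bytes: sync stream + 16 copies of the target MAC
SECUREON_LEN = 6                  # optional password trailer some NICs accept


def parse_magic_packet(payload: bytes):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if payload is a WoL magic packet, else None.

    Accepts the bare 102-byte form and the 108-byte form with a SecureOn password.
    """
    if len(payload) not in (WOL_BODY_LEN, WOL_BODY_LEN + SECUREON_LEN):
        return None
    if payload[:6] != WOL_SYNC:
        return None
    mac = payload[6:6 + MAC_LEN]
    if mac == WOL_SYNC:
        return None  # ff:ff:ff:ff:ff:ff is the sync pattern itself, not a NIC
    if payload[6:WOL_BODY_LEN] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def build_magic_packet(mac: str, password: bytes = b"") -> bytes:
    """Construct a magic packet for `mac` (used here only to fabricate sample traffic)."""
    raw = bytes.fromhex(mac.replace(":", ""))
    return WOL_SYNC + raw * 16 + password


def wol_sprayers(flows, min_targets: int = 3):
    """Return {src: sorted MACs} for hosts sending magic packets to >= min_targets destinations.

    `flows` is an iterable of (src_ip, dst_ip, dst_port, proto, payload). One
    magic packet is ordinary administrator tooling; a single host waking every
    entry in its ARP cache, multicast groups included, is the pattern in the table.
    """
    targets = defaultdict(set)
    macs = defaultdict(set)
    for src, dst, port, proto, payload in flows:
        if proto != "udp" or port != 7:
            continue
        mac = parse_magic_packet(payload)
        if mac is None:
            continue
        targets[src].add(dst)
        macs[src].add(mac)
    return {src: sorted(macs[src]) for src, dsts in targets.items() if len(dsts) >= min_targets}


# Constructed sample: one source, the five destinations from the Network table,
# hypothetical MACs, plus one plain echo datagram that must be ignored.
SRC = "10.127.0.20"
FLOWS = [
    (SRC, "10.127.0.1", 7, "udp", build_magic_packet("00:50:56:c0:00:08")),
    (SRC, "154.61.71.51", 7, "udp", build_magic_packet("00:50:56:c0:00:08")),
    (SRC, "224.0.0.22", 7, "udp", build_magic_packet("01:00:5e:00:00:16")),
    (SRC, "224.0.0.252", 7, "udp", build_magic_packet("01:00:5e:00:00:fc")),
    (SRC, "239.255.255.250", 7, "udp", build_magic_packet("01:00:5e:7f:ff:fa")),
    ("10.127.0.30", "10.127.0.1", 7, "udp", b"ping"),   # plain echo request, not WoL
]

if __name__ == "__main__":
    for src, macs in wol_sprayers(FLOWS).items():
        print(f"{src} sent Wake-on-LAN magic packets for {len(macs)} MAC(s): {', '.join(macs)}")
```

The parser validates the full 16-fold repetition rather than just the 0xFF prefix, so an echo datagram that happens to start with 0xFF bytes is not mistaken for a magic packet. Feeding it real captures means extracting the UDP payloads (for example from a pcap) into the same five-tuple shape; the threshold of three distinct destinations is a starting point to tune against how much legitimate WoL tooling the environment runs.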

Files

memory/1480-54-0x0000000075D51000-0x0000000075D53000-memory.dmp

\Users\Admin\AppData\Local\Temp\uObNeqU.exe

MD5 727cf4d00df34f36c4767f1ab185244a
SHA1 983331a93a5c91cb3ffee97495eef475d43f3f52
SHA256 4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a
SHA512 ff3e67d7b2d6196ab574d1f1157a4c3190e91f539d363c547b1a2cfe6e0dcf86d59a267dc226d0dfc5766ed82d01a9e782bc5ecfaed7eda433c2ede6199cd0e0

C:\Users\Admin\AppData\Local\Temp\uObNeqU.exe

MD5 727cf4d00df34f36c4767f1ab185244a
SHA1 983331a93a5c91cb3ffee97495eef475d43f3f52
SHA256 4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a
SHA512 ff3e67d7b2d6196ab574d1f1157a4c3190e91f539d363c547b1a2cfe6e0dcf86d59a267dc226d0dfc5766ed82d01a9e782bc5ecfaed7eda433c2ede6199cd0e0

RyukReadMe.html (ransom note; the same file, byte for byte, is written into every directory the sample visits, 21 locations in this table, so one set of hashes covers all copies)

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

Written to:
C:\RyukReadMe.html
C:\Users\RyukReadMe.html
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.html
C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html
C:\Users\Admin\AppData\Local\Adobe\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Credentials\RyukReadMe.html
C:\Users\Admin\AppData\Local\Google\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Feeds\RyukReadMe.html
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Tiles\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\TabRoaming\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\RyukReadMe.html
C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\System\RyukReadMe.html

Encrypted files (the .RYK extension is appended to the original name; each file hashes differently because its content is now ciphertext)

C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK

MD5 69bd776eb6ba8fbbf28664acfc789df3
SHA1 fa0ee22ff3c3000a9bef5487df244e1ba7c9b4d7
SHA256 ff0f69f4c95a921c859573a5e6c71e66381b3275ca8c1f7f9e477c38de959a15
SHA512 13d13d5077340a91358a1f0d785f8faa1a03118ed946dc08922d6fade181af6e4c762c66a03becb55ab5f2d195b796b48f2e36e098312d473d20ab1de4616099

C:\Users\Admin\AppData\Local\Adobe\Color\ACECache10.lst.RYK

MD5 0263f87e403a12940199b72f8de8751c
SHA1 b2353e98b50d59e8b1148b3e12c97becdbd15a30
SHA256 1cb3b5b20bf6ba61181df947a9e482c4b5097bd14a64bec7484effafc620ed3b
SHA512 66f92ea2a593de8492a91196b1c1e3a5294772e66cb1918c36082f6a9b741aa79451c09aba4a6f8123f74367d89fcb0689ab469e17d9241bb670a1a31cd364f8

C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

MD5 385d311074da3817c08671ad9f597b10
SHA1 4340d33ba61f609528dda00aaa68f97a5df9ab6e
SHA256 44da321ec7ba370e8727f7f3a1cc3db9ea9047096c14e57831e6bd55725691d9
SHA512 84f71f676be1e581deb1b3a6ea17d1d7c6314153327a3b2f9027066d59b66d87a9c4f1ab3a3541700cb6357a7b5549db337d0a549db074cd3c706123a85d9dbc

C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

MD5 e61de08e108d0e1b8b2e30bc0b3fde4e
SHA1 d147b827baf45506bf50ee5bfd4d17764c958dbb
SHA256 f5f9801db7b23a385fcb59362f908bd0ef215e55fa4065c26c580497d5ca38ad
SHA512 3a26fed569ceb9c6bc1e6094e90a64633096eed19e0536c3a213a183cc61e6f3f60e64bfad1abc5be270d245df9b43ce06482c873f039a5b36350d2ba8f63cdd

C:\Users\Admin\AppData\Local\IconCache.db.RYK

MD5 7bcc00047a085de0f6b02026ff175b61
SHA1 ce4c296ebc307b750bb83c4dba643be48fcedb67
SHA256 a2a559b356a56ebf7d693d98feb5dcdb2faabb366bab5991c25313e1917d9456
SHA512 2fa855dd887182112ac42a455cfcd15bdfbe59d6e50cb5c05c21a88880514e65eaadf9b45dbf5886785c9a6c322c87caf067c1d49994b0051ed5d9f348df6379

C:\Users\Admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK

MD5 84c5e23c69115b59d5d992a0e5bb5881
SHA1 d47c933c7d5f0d6896f962c477ba24e87dc931f4
SHA256 aabe874d1c6e540bd0e890bc3b75e1df306e21200d1bfc09a6fa6d51c4461c47
SHA512 2986a1a79c20828b025e7a1ef784352c16e663350781b3c5fd521e4d02e9e6789f38840c37ca1292fde9c3e2a81f5ee6065b29962680ec967bfbd5ef77740801

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak.RYK

MD5 c9b1c82a88dbc1291c6db01fd4548ed7
SHA1 a61829cced3b155ac7643b46ff5c78105f54570f
SHA256 d7dbd1aa95a7216ba560029f7f136d7328720090f6f50964f4c9a015c5003012
SHA512 4b64147e94f038efeffd4cc4ebfdd9256f29bde7554a36630f1f6bfd438656e268da541f76349c2aa2bf05db1c3dfcffa7abcb3dbcab4189d198989f1647ae8c

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.RYK

MD5 7fe5bdfd356d7bf4249a231f90efd804
SHA1 04815fcd2035e23e6418a54206ab3ab3785a0547
SHA256 326e42c32b2147f004c6315920a8d90ced9b4621d879179c3c8511746dd731d1
SHA512 2e5c2773bb73726eba72a21e360eb0320bce89e500d6906e71ae16492c5a4cdf15e742cd1df065d35c5fea48192049354bda0b252281c924f1e3f928f745e295

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb.RYK

MD5 a8820ebfb19bf1e28a6a8a657eeccbfe
SHA1 75fea6109e4e406ab6b7acf551481deab3d1b59b
SHA256 f69bf417bd47a2c248b7e9564b40995eab63e6dfc5839e47f6151d403a769c73
SHA512 e5d1db6ed57e078dbb4ecdb1ed56eec32c7987c62675ff7c8611c8309827a5d19c5c8502359913edd9795cdace4542d2218f4d44ccba4c5123336d0810ad7234

Other files written during the run

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e (this path is CryptoAPI's machine key store, so the file is consistent with a key container created during the run rather than an encrypted victim file)

MD5 93a5aadeec082ffc1bca5aa27af70f52
SHA1 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256 a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SHA512 df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml (recorded as written, but without the .RYK suffix)

MD5 157eec80d778a51ae66cd488969addaa
SHA1 3a972178f230fa374f63bfe6a481217f941c1e9b
SHA256 4d645f3b836b77ae41d5bfc4eac7ce1cadb207cf31ab32814612e4c4baf32adc
SHA512 67134effb81f5236fbf247bf7c5d8fcc943f8b237f58a2e0668766b54f332de27b43128b765075ceee4dbe888f86d0f4e05edaa91a73d181b758f8ff79b0d2e3
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Media Player\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb.RYK

MD5 188e9ee79b5a6f87fb0d8ca69da1dc7a
SHA1 f00ae724fa524efe94c7d97af852857bc658b3cc
SHA256 20503a5811f3e27f8dd0466a5a9cd9cc89f3a0cf2dd4fa4b49f56a7af9747c5e
SHA512 191810f7fbbc52735218f67c901028fcc670d710ac670df34c4ba7e05e0a72989eefdb028c333510f5c49de6e0ae143c9080fbd03e004da70aa122b230ca49a0

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\PlayReady\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Office\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\User\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Windows\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat.RYK

MD5 661a96d8025d0cb3c15f2ab4ee42a9eb
SHA1 6961717e962eec2f723971460a9ba37e79d27cba
SHA256 361f0d6888ae724ec0d7c5a4aac2edb8c8d0fcee91407fcbb00f7fc4bb3618fa
SHA512 9694c374f17798e3b987a47ea0bae6ae29ef7fc64a6f7010b8d6c7e611749b3e8ad5668e98dac6804a0b7a69ad1427f2f0a9f619f24a3cf7850d4dab4d318c9e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\new\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb00001.log.RYK

MD5 3c27bf494077329b33cf94d378cc1c4a
SHA1 705e59f3d9ab247de985d2da47ced7321055c07c
SHA256 0a7e903010e5bffb1e1c2e5614af277cba9145f742919af8d2f6da062efdaa55
SHA512 a4d2bb43d5baa3f9361cdb07bc7da72640c319f9ce2aa3045876ee435e54954d744915939ab007ecd094c630a6c4a42c9ae974945ca9c290152d3fca0af8c356

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.chk.RYK

MD5 c94d6f920ff50c5870ba4781a2b1447c
SHA1 eba3cb59d44127ba02679b465370f2243025757a
SHA256 fe2172fab0b11f7d1fda633486565cd8698b3a62c36a4a15c90536e9706d9dcd
SHA512 dd1ea0f35dc7a1217b3b5781bed7fe267e3f12d21b1ff1dc9263c312ce13da1078fb3ae5e97ee0b37fc9a74b8cc8703e91f2b14465e631cf27dcd929def46534

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Backup\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\oeold.xml.RYK

MD5 22693af205b4e20944c802281fa9f2af
SHA1 113751467e0739d89e59378faa22e62a77aa364a
SHA256 f2006d70ce09958667de4094864a1fd89102e7a0cc5b78b61c2f076132120e74
SHA512 3295e1baf2fe71d59e5392c1f6c7a2e4db674b113f6acc5d6f04963f13111dc0eb4218370377e322285570680fce305da57a8a55d619f49e0be781fbb819ab5d

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log.RYK

MD5 338f0659dd234049f407a5bc866e86b8
SHA1 2be984f0f633f82f5936ed4c1f5f8e53c035d491
SHA256 5d9f842f7bcf0ed3199c6ecefb4120720e34138e017c68f5e37c3032293e809d
SHA512 8544decb710085392521278495cebfed9839ed61a0fe60d15626ecc9b0e74d15368a17d213b227de792ed026f656c21cadd3f94256d28b8fa7aad50b1e17e90c

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edbres00002.jrs.RYK

MD5 4cf61e4917bc97d04ee531b092301cfe
SHA1 b17c3fab966b6edad3a6e785289623e752a82295
SHA256 7345f280a5e9eb2ec3d41f8403c70aa0981ca89ff122595f2fb5be0d803275c7
SHA512 be3ae0085e0b0b95553d85a3e8fa6560f71e26d6ce3cbec0a8cf780c4e70f831fe6bfe35b9236b4b80b7c8acb54600d12d1d00a3335f9a283af1d9809c8709aa

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edbres00001.jrs.RYK

MD5 1bd881cdaedbbad53dd157a60060fb2b
SHA1 853a634bf8fbaab639bb2133a4c9002db537a952
SHA256 64b4811be1030f50e172ac9537e0767b5fb3a2b4361c20d88dd36d915ecff738
SHA512 eac8f45875c2aa58d2b7eed55dc8ac327ba42f8abbbd18e9a7fb920836096bb88001ec0b36942bb33e7c6e8d7fad85f521d1e5e2dcac74a60282c723db158be9

memory/1764-120-0x000000000E3F0000-0x000000000E514000-memory.dmp

memory/1764-121-0x000000000DF50000-0x000000000E074000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-20 07:41

Reported

2022-02-20 08:52

Platform

win10v2004-en-20220113

Max time kernel

195s

Max time network

214s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe"

Signatures

Ryuk

ransomware ryuk

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4556 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe
PID 4556 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe
PID 4556 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe
PID 4556 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe C:\Windows\SysWOW64\net.exe
PID 4556 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe C:\Windows\SysWOW64\net.exe
PID 4556 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe C:\Windows\SysWOW64\net.exe
PID 1288 wrote to memory of 1348 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1288 wrote to memory of 1348 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1288 wrote to memory of 1348 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4556 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe C:\Windows\SysWOW64\net.exe
PID 4556 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe C:\Windows\SysWOW64\net.exe
PID 4556 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe C:\Windows\SysWOW64\net.exe
PID 4760 wrote to memory of 1552 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4760 wrote to memory of 1552 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4760 wrote to memory of 1552 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4556 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe C:\Windows\SysWOW64\icacls.exe
PID 4556 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe C:\Windows\SysWOW64\icacls.exe
PID 4556 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe C:\Windows\SysWOW64\icacls.exe
PID 4060 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe C:\Windows\SysWOW64\icacls.exe
PID 4060 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe C:\Windows\SysWOW64\icacls.exe
PID 4060 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe C:\Windows\SysWOW64\icacls.exe
PID 4060 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe C:\Windows\SysWOW64\icacls.exe
PID 4060 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe C:\Windows\SysWOW64\icacls.exe
PID 4060 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe C:\Windows\SysWOW64\icacls.exe
PID 4556 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe C:\Windows\SysWOW64\icacls.exe
PID 4556 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe C:\Windows\SysWOW64\icacls.exe
PID 4556 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe C:\Windows\SysWOW64\icacls.exe
PID 4556 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe C:\Windows\SysWOW64\cmd.exe
PID 4556 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe C:\Windows\SysWOW64\cmd.exe
PID 4556 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe C:\Windows\SysWOW64\cmd.exe
PID 4060 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe C:\Windows\SysWOW64\cmd.exe
PID 4060 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe C:\Windows\SysWOW64\cmd.exe
PID 4060 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe C:\Windows\SysWOW64\cmd.exe
PID 4556 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe C:\Windows\SysWOW64\net.exe
PID 4556 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe C:\Windows\SysWOW64\net.exe
PID 4556 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe C:\Windows\SysWOW64\net.exe
PID 5092 wrote to memory of 3476 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5092 wrote to memory of 3476 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5092 wrote to memory of 3476 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4556 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe C:\Windows\SysWOW64\net.exe
PID 4556 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe C:\Windows\SysWOW64\net.exe
PID 4556 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe C:\Windows\SysWOW64\net.exe
PID 4488 wrote to memory of 4316 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4488 wrote to memory of 4316 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4488 wrote to memory of 4316 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4060 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe C:\Windows\SysWOW64\net.exe
PID 4060 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe C:\Windows\SysWOW64\net.exe
PID 4060 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe C:\Windows\SysWOW64\net.exe
PID 1444 wrote to memory of 1472 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1444 wrote to memory of 1472 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1444 wrote to memory of 1472 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3112 wrote to memory of 3388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3112 wrote to memory of 3388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3112 wrote to memory of 3388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4060 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe C:\Windows\SysWOW64\net.exe
PID 4060 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe C:\Windows\SysWOW64\net.exe
PID 4060 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe C:\Windows\SysWOW64\net.exe
PID 2232 wrote to memory of 3676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2232 wrote to memory of 3676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2232 wrote to memory of 3676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1440 wrote to memory of 436 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1440 wrote to memory of 436 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1440 wrote to memory of 436 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4556 wrote to memory of 5688 N/A C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe C:\Windows\SysWOW64\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe

"C:\Users\Admin\AppData\Local\Temp\4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a.exe"

C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe

"C:\Users\Admin\AppData\Local\Temp\evsKwSI.exe" 8 LAN

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\icacls.exe

icacls "C:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\icacls.exe

icacls "D:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\icacls.exe

icacls "D:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\icacls.exe

icacls "C:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\cmd.exe

cmd /c "WMIC.exe shadowcopy delet"

C:\Windows\SysWOW64\cmd.exe

cmd /c "WMIC.exe shadowcopy delet"

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\Wbem\WMIC.exe

WMIC.exe shadowcopy delet

C:\Windows\SysWOW64\Wbem\WMIC.exe

WMIC.exe shadowcopy delet

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 20.189.173.13:443 tcp
US 8.8.8.8:53 crl4.digicert.com udp
US 93.184.220.29:80 crl4.digicert.com tcp
US 52.184.215.140:443 tcp
N/A 10.127.0.1:7 udp
NL 154.61.71.51:7 udp
N/A 224.0.0.22:7 udp
N/A 224.0.0.251:7 udp
N/A 224.0.0.252:7 udp
N/A 239.255.255.250:7 udp
US 93.184.220.29:80 crl4.digicert.com tcp
US 93.184.220.29:80 crl4.digicert.com tcp

Files


C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USSres00001.jrs.RYK

MD5 af4b66398c399680c00dbcea14fa5a55
SHA1 c7abfe79bb698842c0d70d009dd4f04d403c96bf
SHA256 60ddd2157856767cabc816b41d87f952f5490ab303cf45e8eb8fc2371cbeabd2
SHA512 37471cd12275ad03326335dac9d5bc2f8e438df49fbaac8981793f5f2a7dcfcaea591f9313be511941f280c0a0b7841098bcbcd1089cab10a6dd3576a19cdb0a

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jtx

MD5 a801b8bdf39b57cc9e9c7acfa4e7b859
SHA1 d26f3c4f30417356d93bb5fc8429b9fd0e774cb3
SHA256 0e3e136c8de7f313fabdb8ed5a67df55aeb428eaa35eca342a20b2c248465e57
SHA512 f15bfa33361974c15cb1849fc4345792368b375392647e2db2b0d93816ffe8062b0f32da6001a76e10680823cc5a33e786d0d2a06fa64091cdf3a7361993d131

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

MD5 e2e36e461037d8d368d21353b53aeed2
SHA1 6ccc512f9587e6023def14c4af1bbcd94e62109a
SHA256 885230a592e8c521f0ad9e63a8822e95bef73bc679c87915b8d9e04af45c873e
SHA512 995030c224977a0322c2a2aa66b829d092c01cb6e8d863d8ff9d7e4f335eff5fbd32ed0d957b68550565eed6fdb61e4cf769c174ac4df27b9f098fe774d2f732

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USStmp.jtx

MD5 ee1746fc3d5184c08274847740e55865
SHA1 8fb8fc9ed9b96e1ad9d7abd85e02a32e2929aa1f
SHA256 a29fb6739c6d6b6f4e4a5e920f1cecabdfdf50534bd95249f24ee6153ca6d496
SHA512 af16d86540aeebc6ebf1ae648c3a397c0f5ba35ff627a58d433daf4d7e209d28f3dff1f7f5190498185db8b7bb222961456fded675b38b283d066dd23f84a67a

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jcp

MD5 ee2689bca19a138fc2c2048e212936d5
SHA1 fc758555594836f7558401cdc27fa079ea6f606d
SHA256 2e166c7092d6a679922ca192739379eaacda994b9acfa2b0c1b6c54ef6cac3f5
SHA512 232a51258918d75e8b2e2bb11abfaba1b67afc6d7b5bf8ecdb08f5f6003eda1d2f162a5a952a6d9461b691eaf6f1ffa380201f85723eb5fde202867bf4b478c2

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Comms\Unistore\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Adobe\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

MD5 462129e3b74d9e683c723d5568c0ed56
SHA1 1a5905f825523555c9a9f843dcbf1321b7e771d5
SHA256 642d0556e2b3c0df8bff6cd670da59521a1ebec6a14a8551c14b76004ef19f4d
SHA512 db2cd979f1192566f95268b53772507b6cce4b74b132878654147a10612b3e7678fe9863cd715420966e5837afd76a07ec592f58bb7a4b8c22489f1649d5dcb5

C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

MD5 f991040898bbeaf082a6b7f9b4ee7a11
SHA1 bbfede7dc2354105bc988afc85d64f6e502d1ca8
SHA256 69a7aadfac8e971e98f86657942bc11efcb239dd5290af433d4b1d9137bf391e
SHA512 6f1202be99cb7e054126bd2b3acf50c34f14cb2d036a8017c5dce7b215bc3a8c28b114d85636b58a7cb9fc725a50b4c2483d50f4e411a1bc7bc2b1281137926c

C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK

MD5 01b92305f1c9d9f56c6236ce89cf09d0
SHA1 e82fb54eee4904eb325f6c98ada07035ccbdc2ad
SHA256 62bdf9d307f3fb950750fc7bcfa64c850e7fd8fb0ecf32eeee2e7f9685b3565f
SHA512 ed5c9b6cedd9f82181d4c0df033b53cd84bd32e66cf1af7b07c4a213213479dd19c0e2d3f3b25f338b2712c326e487e629a4b1774357922ee2ce57f448b6d37a

C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK

MD5 fd8fa454610b543f07b3c17c19d5ed4c
SHA1 501eb6ce829cff54fab254d1f072f57951389767
SHA256 a48f38e92049874d87d4d846ace8b258f26b6bfdcf4971249530d5ae3b9b0c7a
SHA512 070cb773da08a0ad4238233691091fd9a00152a378ec098bde0e666e51d04d7bababd3f8f9a33efab98814d94643ce40311de039d82cd24840115807eb24a6ba

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK

MD5 cd9f32cebb32d48e4cf7b25b3ee65aa3
SHA1 c3d2db47d2ca571641877d9c3b8e06faedf6e12f
SHA256 0f340669150bcf4487107be56f89c0216057e6a140a13cd004e6c1377adb0268
SHA512 055531fa6a8c2dd6e141611535ccb3332634cb235bcec57607232e1605e221aa04cfe6f85d1d3660cce2447aa4ea25654225d6bb086be5d936d3af2c3610b0be

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\3D Objects\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\.oracle_jre_usage\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK

MD5 7d34f2943f268a6f6adfffbdfdb498d2
SHA1 dde2eba0b516a68429994a61d63a431a4a67cc6c
SHA256 3aa5214b930905e614f857354709879e86dbe4f7404f5b2158e4ec304bb74e8d
SHA512 0c4c4910b2ccfa85e91d02ed3160d914d53584e59f1ea4a64ecf100eb26e90b0b9c492cb5ff14ee5b7936f8d80415f5d762114276d7ea8a074c07084a5a72d76

C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin.cdp.RYK

MD5 f1630cccba0c34f1a004c068707fc9db
SHA1 465f99fc8c1f0378fc350953c699637cd1073cc6
SHA256 00aec1e06f3c185fff53a03a4cdab056a81107b2033db2f820c7d74383cf6c50
SHA512 b6f42bd4d7a091f6a50bf292d325aba860b5492c7ee2296807219dbde453c7b37c7b5df23176e44a3898906ff7fa82aa68932288e4ab12cf4fa473873c31cb4b

C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.vol.RYK

MD5 f4dff35f9b905403b630083dc9fd1dc6
SHA1 d25f3b69637fb7c8c8d15dc8e0b5486fc66d9d67
SHA256 84a4817abed64075c001a0bbbefe881fa28238158e8ec7825c76162522bd295e
SHA512 1cc03a3e08353aaabdb36585eb4dc2aa9e8bd938456e7fe2646031fe23c0033cd5a144afd6a3f8a9533b9000c3902317b1ccab4f0225258ae25e6a6c46755486

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\IconCache.db.RYK

MD5 3f1e49a927db8af7e16aa3899025d242
SHA1 0bcc0629128a88e7470ab974e3e3edb2f61c27d7
SHA256 c107a7a2d9de4bc1290590df8f41287804f994ef922ad5d6c90a26bc9b2f7f15
SHA512 b67a33fdbeb53957d98ccbc5d7d027dcc3c009837b68d3736612eba0d61cf16731a7ebcb308241646de0588ef75562e1409b58f345bb61ae9876026c7f44be87

C:\Users\Admin\AppData\Local\Google\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Edge\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics-active.pma.RYK

MD5 fcf20fbfd828af7e0bebf010791c95b4
SHA1 c6f801e092025c742003fe2d432045bc8a41654e
SHA256 0db8b4392a8108493d5cc31908022b0a53afe1e0a9da809202a804126298df72
SHA512 ab01622c6e541fa7c9272d568a969eb8e8cb474e1058681676032c75669006e039bf52c159887767e6d85d03d74d8f07b240deef4f18d2c5c0b0387850b86f30

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico.RYK

MD5 7b0ee99584de850fe8c48b3433ccb6f1
SHA1 e63b3d0176290705687b853983a1ec95cd05652f
SHA256 3dc55c94a01fbdfaff94647b8437ea4253ff97c2ba462496a14ac607c01df658
SHA512 5d9ed2e118b50d87dc97c985144bd933d5ee1a9419a340e14a96b35431c19cdc161fa092266f6400d943b2b309d25f2c382fdee459f3c082615fc1dc725a0cbf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons.RYK

MD5 90fa451e791bdd514bf5fc1a709fc3bd
SHA1 e8faf4171644f3778bf4f424d374499a52028bf8
SHA256 7d009af3ca492774242dd18304a7a2129bdcb763ce1c8d5442f9f683b77d503e
SHA512 06ffc0af8e603981d0788464d11b307a92031705400805b5f4ee841ee0aff3d1e48192c78a3d2cf4b70fd350c12c474f1fd6d4c1842184e5ba309493f7e88275

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat.RYK

MD5 274aa7e3202a439d8d9c6ddcfbb23f4b
SHA1 f0444dab580fcc4e1de3da088afe5bb63b3292c0
SHA256 cbec33cd951582ccbe54f1176ce1f28d6170e7688252e6c58df18d5ba4a05cbc
SHA512 adfae194bfb99e0b6d1635802342fbcbba714a4c69a7692301dae2e5839220adf5d1ea4de20bad5c806b5550138311c6ddb1498d7f7a06f9fc4b28b4a7fb4f87

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History.RYK

MD5 9bc9fc64b18e84f85dbf1ceb9c74bf05
SHA1 ab0b0933955ce1ece84b88ff2bc87e6c82dbe71d
SHA256 892e03f9ed5b6b9069ca30447b729f8c8f791dc25e211c3d3d9b98b845819fef
SHA512 b12bc9446983de4a9526f2ddba4948c2b86034614aad995006c8f13645ff54d025770de7febfe6a05a9323e2bf1845d39bc2724924801f6d0e0204a6e9cbd2c1

C:\Users\Admin\AppData\Local\Microsoft\Credentials\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.RYK

MD5 69035e285860bbe858e39fae05be26f2
SHA1 ff57fe8e5751baa3a5a0b3e7b0e6ef5d7a016040
SHA256 ab4b4cc19a94c9ff10bb88d576d81467712099f4214c0ff4960b0706c71cf13c
SHA512 40bef3bb982980355659bf16ddd18cb6baebef9470efa9635b0ab14929c9aca09eddd240038402040cddfb437ae2561988d89cf41ca4209973adc0b6d6f419ae

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data.RYK

MD5 aeb09fd4fbe86867920ac1fd47365767
SHA1 871b052a66a6f6410476b3c4417f8316a1b986f9
SHA256 6fa57104b01096140bce311c5837b7e5cb22d8278b3e2783e54ff19af242cb09
SHA512 6fdd64705a5e792bbf0d968764fef3fbff84543064525ec04a50c1b30b9de71d8c9fe1c335cc22aaa333d5b10a9bf701a8b797fb1bbc28e3fe470bae55b591c4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\index.RYK

MD5 91682aeb7b831e3bfda35006134cd5da
SHA1 804796f44f93bc499662a791303acd6ece119af7
SHA256 390b7e557534564ff30bae64b0c88186c8e9c0c2e3e4cc3cdaf794ac31ab41e3
SHA512 4b42323ae388ed0de23951a05c0954363730b20bb639a71c70cf077f7e93eaa111574cb4aa544030f012253f968e8f9d51e24b66298749a63ad1d7e0183be5bb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3.RYK

MD5 b3f98057118474450323a2175a8c0f6c
SHA1 838f3e2fb00b60311bdb1ba325325e9842199a21
SHA256 f6f92827e36f79c4b66e37460d21e6b7fc908d8618fc3fbde6ba741426dc42cf
SHA512 1aaa5f17fac5aa16c95c0f9fa602d6aa972ec01c5c1c51bc7a367aa6d751dc46885c09b7d338330f9ef7543b7f3dde1e43042a73b9db95b54a76ae494c081fac

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_2.RYK

MD5 b491f4a6fe91cebb9df00c047347c49d
SHA1 df5e7040cb1d78849524c3dd0e25bda199193c76
SHA256 a8526f8be71794296f2aca8bfb24760276127d73bc44d5e85169d147a7e65a60
SHA512 26dca3beb0432ab12ddb76e7747cab1577da244abe77ba849c2a209de113a9efcc809594c81b1722c96c0727a367eb3c6744e66e5584e40fe124532f6a7ed5c3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1.RYK

MD5 90b01ac19a137876c6a18ccf2f51e7f0
SHA1 3b84484f9dce26d890b0be2420e86f5305b89849
SHA256 3afce7fea21cacb8f32d934f9ae45c61594644ece06c0e53dfe6a3d34908608e
SHA512 055b8b8aada53b1c6966b3ce9e50f752161d1f7a8fe92e0e12b9a18395df5cd36b9250edeb417864a438f47f6ca344644817b17482c78ff46c0ab79e924ba525

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0.RYK

MD5 7f63de0e925f950a9d8eed217463c3fc
SHA1 e5c92b4b1931ba35e5ad0d342b571b7e0e6d6d54
SHA256 1862733ce98c66f25cd9007217d9b35bc08c29801113bf702e25042fe51d2f92
SHA512 5875d8e3b6687ffbb04838e7dde8b49507605d4859591506e1796734353169fc19b25e03628d241429dd321f0c2752482ab483c9b6c2a7e2621ff0ce4558ea4b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.RYK

MD5 474a8e81d38900f391fb21fcd5e0ea22
SHA1 f080a4b1ea76511a5a26a1e17e047fe26f26c568
SHA256 fb3db0b8d6f7d7b38e5cfa6f16521ef794ee1098089ceec45c5f6659dbea32ab
SHA512 8d433db32d88ffb87ba333e8dd69f8ac9590ad52e07ef2ddffd7c50950348d2aed578db4c9b0af39a97714a05f8df680d946019bd0aff8b3559e0a8335442422

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences.RYK

MD5 6c0d644d6702c1308a86bd49a14b1882
SHA1 b4e5c81753f39fc5ec8224be13839be0fd126bac
SHA256 c9bb33c080cd820edcfcbfa6a139dbe27deb75672b0a34f590f251dd3e51806f
SHA512 8b4660353e135d6756dfa0ad6feeb19056fd7d7c51d906cbc55bdea7bf5fbebb3c6784ffde58506b1ebf63818aee77a8662f4f7aeba723606e655db0a75aa95b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\RyukReadMe.html

MD5 e5a0d49ea2478881d00f2043e603c9dc
SHA1 3debe0b34a7edf304a912ecc51a086a31c86c2cc
SHA256 5d33dae470c63e482dbe483b9376b3a5a11348cbccc41896ba80994e0a97a58c
SHA512 99c5c3e24c7e5530a139aa4a0281f2f4bbabc996c3c9fcf7dbf502b22192fff8724b355cae6e74324ef3302ae6d1adadbafa7ef1eb39049f12695c4fb72286cd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\README.RYK

MD5 6f92c08c9ad6cb0b0f066c9f344c9f00
SHA1 da85f28c7691618aa6411f6ec2b3752360d4a01d
SHA256 5be934968d0ef20bb3c40e2023f47b97a7e1fc901528f487ce3689c31a9b2814
SHA512 63aa65ce074fb4f0e9ef41f199c3ab3e6df64c7e7424ddb4dda1880adc9560506acf694eb71fd524a464bc529f0b33027f2b8ba94a47c9b4eaf661821ff1fa21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences.RYK

MD5 8027020ab8f37590e19e63918faae205
SHA1 849dce716dbee71eb8e50362f44f44948bac7b32
SHA256 b71b35cfa94dca9b2996dffa2368895276954d8c98288e85a4876990b1f0078b
SHA512 265db3637c0d54abc0d3add55133594821742aa4f765987a74ef736b072432502397fcd52c86a15ba1fc86141f24db1c2537e488127f977ba005c922bc3dccbd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 53e5e8009d5f518a971c2b723f31fe44
SHA1 510b8c780509e8a34b3d7b78c07e9e21b47e08ae
SHA256 ea4d834a70eb7b8af48932bc25038693c2dff764433e36548569a69fa3e63a42
SHA512 71bd04a7df5beaf937d6c224c67967f85d8f9face1d607099c4f920a3ff3f17863a26acb4c856498314c82a9a85b2b31b67b00150618c6c5c608d7dd1a74db44

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data.RYK

MD5 88426a8668533bbbaddb97d6cd63f3e0
SHA1 9c161c9404949e99d9797c3d8f0b0a7630c4e310
SHA256 9f0fe99c93fc3c8a0db9ed9bdf462190932754e6e3d7d200acf0a5ebb05d1e5d
SHA512 a97c3b1b2f801650395422b0bbb9cfeccb8b995f61cb6b3361fb546199fd7a09457ad6b7637b84945460dd3a6ef8d5292f08068ce6849e696abb897c166baf95

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

MD5 6177ebe738bbe57d483f9ad29d41ff53
SHA1 258772bf1b4d16fff4c42055159e87ad70f1a30f
SHA256 769c9a359617c0412b6804af516cebad8fb86b7f03dc74471a0f1b85a447b302
SHA512 48786d5a8f81e68abd4636912342da81c3a7a244a93f7fe99ef9a9a764f7d227561cc9168e097f3b7943c5dc2919895112897a32fbf351ce4cd6da8e6a5026ed