Analysis

  • max time kernel
    175s
  • max time network
    174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    20-02-2022 08:42

General

  • Target

    320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe

  • Size

    190KB

  • MD5

    ffef678beca8ee60200bc88809d89630

  • SHA1

    b31070af1ac3e088dfc6f1599f8d12edb1b16783

  • SHA256

    320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689

  • SHA512

    54298098a866e24d99e3764154ae3ca4481e9163fd6e9e0d2c27d7978065a38da38accd58268c985b4ed0cfd4c11a27f4fa51e815c2d7a15e3ec18c453df89c3

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note
<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html>

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note
[email protected] balance of shadow universe Ryuk

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 49 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:2228
  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
    PID:2296
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup
    1⤵
    PID:2244
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
    PID:2744
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:2904
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
    1⤵
    PID:2528
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:2984
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3064
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:2628
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:2572
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:3324
  • C:\Users\Admin\AppData\Local\Temp\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
    "C:\Users\Admin\AppData\Local\Temp\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3808
    • C:\Users\Admin\AppData\Local\Temp\xCQauhX.exe
      "C:\Users\Admin\AppData\Local\Temp\xCQauhX.exe" 8 LAN
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1580
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\*" /grant Everyone:F /T /C /Q
        3⤵
        • Modifies file permissions
        PID:1872
      • C:\Windows\SysWOW64\icacls.exe
        icacls "D:\*" /grant Everyone:F /T /C /Q
        3⤵
        • Modifies file permissions
        PID:1276
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c "WMIC.exe shadowcopy delet"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3904
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          WMIC.exe shadowcopy delet
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1188
      • C:\Windows\SysWOW64\net.exe
        "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2268
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "audioendpointbuilder" /y
          4⤵
          PID:3464
      • C:\Windows\SysWOW64\net.exe
        "C:\Windows\System32\net.exe" stop "samss" /y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1404
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "samss" /y
          4⤵
          PID:3120
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\xCQauhX.exe" /f /reg:64
        3⤵
        PID:4440
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4068
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
        3⤵
        PID:1860
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "samss" /y
        3⤵
        PID:1052
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\*" /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:2304
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "WMIC.exe shadowcopy delet"
      2⤵
      PID:3308
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        WMIC.exe shadowcopy delet
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4376
    • C:\Windows\SysWOW64\icacls.exe
      icacls "D:\*" /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:3748
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      2⤵
      PID:3608
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
        3⤵
        PID:4320
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe" /f /reg:64
      2⤵
      PID:3232
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:4464
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
      2⤵
      PID:4248
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "samss" /y
        3⤵
        PID:4352
  • C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    1⤵
    PID:408
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:1904

Network

MITRE ATT&CK Enterprise v6

Downloads

                                                • C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2

                                                  MD5

                                                  93a5aadeec082ffc1bca5aa27af70f52

                                                  SHA1

                                                  47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

                                                  SHA256

                                                  a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

                                                  SHA512

                                                  df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

                                                • C:\RyukReadMe.html

                                                  MD5

                                                  bff5fb0064af3544d547b5a15c5ff617

                                                  SHA1

                                                  8655be3a67bbecc340e0bc6fe77a384c496d6372

                                                  SHA256

                                                  f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

                                                  SHA512

                                                  ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

                                                • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK

                                                  MD5

                                                  eca0ea643cc1d7235f749a1c5f33b8ea

                                                  SHA1

                                                  8cf3303534e8c9d1543032cd43c404ac3ce71150

                                                  SHA256

                                                  16b88815ad00b93638c9b1a13bd9c7065af2e9023c5fcaf9e04da7d6858a92b9

                                                  SHA512

                                                  2a29ec1b990518780538b5f7a125667df2e5a4ee7ce5748c9aaab04ae14b624f440aade2aa8c3636246364098c46206f5342f02ea1cc987663f4bae6e3c37047

                                                • C:\Users\Admin\.oracle_jre_usage\RyukReadMe.html

                                                  MD5

                                                  bff5fb0064af3544d547b5a15c5ff617

                                                  SHA1

                                                  8655be3a67bbecc340e0bc6fe77a384c496d6372

                                                  SHA256

                                                  f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

                                                  SHA512

                                                  ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

                                                • C:\Users\Admin\3D Objects\RyukReadMe.html

                                                  MD5

                                                  bff5fb0064af3544d547b5a15c5ff617

                                                  SHA1

                                                  8655be3a67bbecc340e0bc6fe77a384c496d6372

                                                  SHA256

                                                  f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

                                                  SHA512

                                                  ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

                                                • C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html

                                                  MD5

                                                  bff5fb0064af3544d547b5a15c5ff617

                                                  SHA1

                                                  8655be3a67bbecc340e0bc6fe77a384c496d6372

                                                  SHA256

                                                  f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

                                                  SHA512

                                                  ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

                                                • C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK

                                                  MD5

                                                  2ee758d82b61c2b8e18b017f91594db8

                                                  SHA1

                                                  b92d127c044f57ba7286b93eaefe379cd00d5015

                                                  SHA256

                                                  39ab72099a2bc1459b3fc046e1db47d66ebbdd733f43a5025d388b70cf0c2dfa

                                                  SHA512

                                                  ceab2da9dd152cac2e0c327218d2152488609b0d411ceafe1911f474087f44bf6cf0c2591e06a2eac87488f171b0c68d63ec6074c1bdcd1d7f98848bfd836498

                                                • C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK

                                                  MD5

                                                  5b6853a3412614c22c517a91a7e31ba5

                                                  SHA1

                                                  3c02cabf8f964e61d9a6a7253a6e66201ba2dedf

                                                  SHA256

                                                  223e1b7aad14231f4663d8f9f70c38dd598846b2d8a36810a8a5b2adbb78cbfb

                                                  SHA512

                                                  19d225e93317a6b7d913dd7ab973c1ceb7f8f41779946034d6796b3c4db1343b79aa023145e576388fb77affad148c854ab2a594286cb3378c2cf9750609c040

                                                • C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

                                                  MD5

                                                  bff5fb0064af3544d547b5a15c5ff617

                                                  SHA1

                                                  8655be3a67bbecc340e0bc6fe77a384c496d6372

                                                  SHA256

                                                  f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

                                                  SHA512

                                                  ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

                                                • C:\Users\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK

                                                  MD5

                                                  f143bb6b96f15b5a597181375bcd0877

                                                  SHA1

                                                  c2b7d3a7102675f87478e65e34e20c9f4889f9dc

                                                  SHA256

                                                  bf0a61e7351820315d0e983fe14e7dbdf33bb7e449a8c221e3c47cccb8719e41

                                                  SHA512

                                                  e40e597c0602d92e8e3c86848b693270930d3badb83e417aa2e0a69143c8a929e8da1d91cb0c600f65d6fb63d039a4994c7bec22a2a50bd79875e8a79b9fe49c

                                                • C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

                                                  MD5

                                                  bff5fb0064af3544d547b5a15c5ff617

                                                  SHA1

                                                  8655be3a67bbecc340e0bc6fe77a384c496d6372

                                                  SHA256

                                                  f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

                                                  SHA512

                                                  ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

                                                • C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

                                                  MD5

                                                  a450c82a4d7662641302c9ddd6c61ef9

                                                  SHA1

                                                  c556f22c1d39b86ad8afac90a6ef35c6402db46b

                                                  SHA256

                                                  81df3791d084662b18571ff68904d5133136f1d1e8922c5175e8d35314d0f5b8

                                                  SHA512

                                                  d5d2dc28c9b9c94eebf9d97463e84779851160f52f5c39a5b88b2d13ccf4abb0076004b77a11739469c43dec71522c9197591255d558684c263f7b586af653d5

                                                • C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

                                                  MD5

                                                  2fe9393b0a7e18dd0a91e54162d67812

                                                  SHA1

                                                  5e0490386f71890585b2139bad77539662b83274

                                                  SHA256

                                                  f6513ef4dd765843620e61d3cd63346278010645dfcd3ff9896e1bba24fad8f1

                                                  SHA512

                                                  c48e9927251a8db3d30eceaa59e449b5bd001f0c05abce2d3137842d1d4af865aaac993619024c682f107c10f81dbec5cc4dc390eef9ceabc6c1e8c6beefd0a0

                                                • C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

                                                  MD5

                                                  bff5fb0064af3544d547b5a15c5ff617

                                                  SHA1

                                                  8655be3a67bbecc340e0bc6fe77a384c496d6372

                                                  SHA256

                                                  f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

                                                  SHA512

                                                  ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

                                                • C:\Users\Admin\AppData\Local\Adobe\RyukReadMe.html

                                                  MD5

                                                  bff5fb0064af3544d547b5a15c5ff617

                                                  SHA1

                                                  8655be3a67bbecc340e0bc6fe77a384c496d6372

                                                  SHA256

                                                  f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

                                                  SHA512

                                                  ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

                                                • C:\Users\Admin\AppData\Local\Comms\RyukReadMe.html

                                                  MD5

                                                  bff5fb0064af3544d547b5a15c5ff617

                                                  SHA1

                                                  8655be3a67bbecc340e0bc6fe77a384c496d6372

                                                  SHA256

                                                  f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

                                                  SHA512

                                                  ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

                                                • C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jcp

                                                  MD5

                                                  4eee2db2f7569eca90aba81156c6975e

                                                  SHA1

                                                  646b5d2984d1fb5ad1297649bce517ef578cd74f

                                                  SHA256

                                                  d52f0c6633f9b174e1cf42f9543a43627fc1bd2731dffea61b1c077d6870e9d0

                                                  SHA512

                                                  9662ff0fadb5b2471a4b88c41207da66899b689e149aadcc81b546271a95f644148a8579abe3c6658b29116edcd4d220ef28fde9b9aa12acdcc25b8f0b17163a

                                                • C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jtx

                                                  MD5

                                                  d30d5110e7346b232a3031ecb2cd2729

                                                  SHA1

                                                  a7fce1e8c86e2be30fa9c1dc557174ba59778fae

                                                  SHA256

                                                  23c7443ca856c1c431f6c85df372e9b782f4f5bde8cd8a65f81dcff3efbe1a96

                                                  SHA512

                                                  1bf877244d7f36d6d6e3d44fd5e8ba62e7e6fa7ac616af8914d8822d0b80af679efacf49b02219d512a5d502661b345aa4ee4437525bf3ca0b94bafa3bdafb23

                                                • C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

                                                  MD5

                                                  53e2416d8cf9638c4a29fa19c7e0b5e3

                                                  SHA1

                                                  04bd216dfcc32ad1935947f099bda769db211f10

                                                  SHA256

                                                  3521a955709f2613a42760a1e2ce7d87682f950d9a9c334c6f449171baea538a

                                                  SHA512

                                                  df469e4ffbb5d1d0c70c4b5e00962340cfca0ef65206bd1b00949ec7fd59246d29e2173b22ec5581ad25442d7aa3c78ebbd305e7587d57ab9b42167c37f6327d

                                                • C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.vol

                                                  MD5

                                                  3bdb238cf559c8b6b3ea791c8c15d8f0

                                                  SHA1

                                                  7d3e3b110f0c5be8314d6498efa4df4d53186fe9

                                                  SHA256

                                                  15fce195c7afc38d37385cbd19a3f7593102e039f80edac3044bf08c85860283

                                                  SHA512

                                                  cf2a0f3487f54002d0a3ee301e824a911d4d768ae9aaf8bb0f6a6dc7e9141af414a81506a93fff57a4ed78991748ca68238fdc5b5214aa769a80a4595187734e

                                                • C:\Users\Admin\AppData\Local\Google\RyukReadMe.html

                                                  MD5

                                                  bff5fb0064af3544d547b5a15c5ff617

                                                  SHA1

                                                  8655be3a67bbecc340e0bc6fe77a384c496d6372

                                                  SHA256

                                                  f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

                                                  SHA512

                                                  ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

                                                • C:\Users\Admin\AppData\Local\IconCache.db.RYK

                                                  MD5

                                                  d06e305bd606fb6078d809430c9553e4

                                                  SHA1

                                                  cb18cea84fe393d852589545b1d211927a673cec

                                                  SHA256

                                                  48740fdff1acd64152028335af8e928a6f0dbcb0c9049a02160eb63a911abec6

                                                  SHA512

                                                  52351770952e2b751457f9c491a4628ff5d2d61a564ccf0b834a1e47f2f2d700e7fbfd045182f5686c03e648df517e21275233ab79285b41c8bb40652f245d11

                                                • C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

                                                  MD5

                                                  bff5fb0064af3544d547b5a15c5ff617

                                                  SHA1

                                                  8655be3a67bbecc340e0bc6fe77a384c496d6372

                                                  SHA256

                                                  f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

                                                  SHA512

                                                  ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

                                                • C:\Users\Admin\AppData\Local\Temp\xCQauhX.exe

                                                  MD5

                                                  ffef678beca8ee60200bc88809d89630

                                                  SHA1

                                                  b31070af1ac3e088dfc6f1599f8d12edb1b16783

                                                  SHA256

                                                  320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689

                                                  SHA512

                                                  54298098a866e24d99e3764154ae3ca4481e9163fd6e9e0d2c27d7978065a38da38accd58268c985b4ed0cfd4c11a27f4fa51e815c2d7a15e3ec18c453df89c3

                                                • C:\Users\RyukReadMe.html

                                                  MD5

                                                  bff5fb0064af3544d547b5a15c5ff617

                                                  SHA1

                                                  8655be3a67bbecc340e0bc6fe77a384c496d6372

                                                  SHA256

                                                  f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

                                                  SHA512

                                                  ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3