Analysis Overview
SHA256
320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689
Threat Level: Known bad
The file 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689 was found to be: Known bad.
Malicious Activity Summary
Ryuk
Deletes shadow copies
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Adds Run key to start application
Drops file in Windows directory
Enumerates physical storage devices
Interacts with shadow copies
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Runs net.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-20 08:42
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 08:42
Reported
2022-02-20 09:30
Platform
win10v2004-en-20220112
Max time kernel
175s
Max time network
174s
Command Line
Signatures
Ryuk
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xCQauhX.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\xCQauhX.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | C:\Windows\System32\svchost.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4116" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4292" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "7.363589" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "2.068267" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132899994038151645" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
"C:\Users\Admin\AppData\Local\Temp\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe"
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Users\Admin\AppData\Local\Temp\xCQauhX.exe
"C:\Users\Admin\AppData\Local\Temp\xCQauhX.exe" 8 LAN
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe" /f /reg:64
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe" /f /reg:64
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\xCQauhX.exe" /f /reg:64
Network
Files
C:\Users\Admin\AppData\Local\Temp\xCQauhX.exe
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2
C:\RyukReadMe.html
C:\Users\RyukReadMe.html
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jcp
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK
C:\Users\Admin\AppData\Local\Comms\RyukReadMe.html
C:\Users\Admin\AppData\Local\Adobe\RyukReadMe.html
C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
C:\Users\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK
C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html
C:\Users\Admin\3D Objects\RyukReadMe.html
C:\Users\Admin\.oracle_jre_usage\RyukReadMe.html
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.vol
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jtx
C:\Users\Admin\AppData\Local\IconCache.db.RYK
C:\Users\Admin\AppData\Local\Google\RyukReadMe.html
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 08:42
Reported
2022-02-20 09:32
Platform
win7-en-20211208
Max time kernel
173s
Max time network
82s
Command Line
Signatures
Ryuk
Deletes shadow copies
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EahlAUB.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EahlAUB.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EahlAUB.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" |
| C:\Windows\system32\taskhost.exe | "taskhost.exe" |
| C:\Users\Admin\AppData\Local\Temp\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe | "C:\Users\Admin\AppData\Local\Temp\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe" |
| C:\Users\Admin\AppData\Local\Temp\EahlAUB.exe | "C:\Users\Admin\AppData\Local\Temp\EahlAUB.exe" 8 LAN |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\*" /grant Everyone:F /T /C /Q |
| C:\Windows\SysWOW64\icacls.exe | icacls "D:\*" /grant Everyone:F /T /C /Q |
| C:\Windows\SysWOW64\cmd.exe | cmd /c "WMIC.exe shadowcopy delet" |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\*" /grant Everyone:F /T /C /Q |
| C:\Windows\SysWOW64\icacls.exe | icacls "D:\*" /grant Everyone:F /T /C /Q |
| C:\Windows\SysWOW64\cmd.exe | cmd /c "WMIC.exe shadowcopy delet" |
| C:\Windows\SysWOW64\vssadmin.exe | vssadmin.exe Delete Shadows /all /quiet |
| C:\Windows\SysWOW64\vssadmin.exe | vssadmin.exe Delete Shadows /all /quiet |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe" /f /reg:64 |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\SysWOW64\Wbem\WMIC.exe | WMIC.exe shadowcopy delet |
| C:\Windows\SysWOW64\Wbem\WMIC.exe | WMIC.exe shadowcopy delet |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe" /f /reg:64 |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EahlAUB.exe" /f /reg:64 |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EahlAUB.exe" /f /reg:64 |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.0.1:7 | | udp |
| NL | 154.61.71.51:7 | | udp |
| N/A | 224.0.0.22:7 | | udp |
| N/A | 224.0.0.252:7 | | udp |
| N/A | 239.255.255.250:7 | | udp |
Files