ryuk | 0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f

Analysis

max time kernel
175s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
19-02-2022 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
Size

203KB
MD5

ea9759d8023c9f6f269fbd0875561783
SHA1

1c4c718294647cb7df8dae914100394f2668715a
SHA256

0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f
SHA512

2be12260b22224132c27f60c8943303c89210d58b22acc5efce03fb379d912254493df9eee97a7d1777faf7bf5702537331373711690d9621e642cf698140e81

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Only we have exclusive decryption software, suitable for your situation. More than a year ago, world experts recognized the impossibility of such encryption deciphering by any means except the original decoder. No decryption software is available in the public. Antivirus companies, researchers, IT specialists, and any other persons cannot help you to decipher the data. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM � files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us a [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

description	pid	process
PID 5788 created 3884	5788	WerFault.exe
PID 5812 created 2816	5812	WerFault.exe	StartMenuExperienceHost.exe
PID 5796 created 2712	5796	WerFault.exe	DllHost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

sihost.exe0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\Admin\3D Objects\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	sihost.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5804	2712	WerFault.exe	DllHost.exe
4724	2816	WerFault.exe	StartMenuExperienceHost.exe
4740	3884	WerFault.exe
4636	2712	WerFault.exe	DllHost.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exeWerFault.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies data under HKEY_USERS 22 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132899090521310515"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe

Modifies registry class 24 IoCs

Processes:

RuntimeBroker.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1248b1e8-66aa-4395- = b9c13f257225d801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1248b1e8-66aa-4395-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1248b1e8-66aa-4395- = "0"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b3ce122e-0960-4404-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1336f09f-3481-4f5d- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000af3c681a7225d801e1d0b11e7225d801e1d0b11e7225d801259204000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005354b44a2000323435363335623864306634626438663565346466646362613761626362386439323930393630393537303537376133313130633233613463626139323730330000b20009000400efbe5354b44a5354b44a2e000000000000000000000000000000000000000000000000003b2f0800320034003500360033003500620038006400300066003400620064003800660035006500340064006600640063006200610037006100620063006200380064003900320039003000390036003000390035003700300035003700370061003300310031003000630032003300610034006300620061003900320037003000330000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001e49f2501000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c32343536333562386430663462643866356534646664636261376162636238643932393039363039353730353737613331313063323361346362613932373033000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d62142cd4a9083ec1182d05e446572696abad9b5dc40371b4eb595e9fc647d27d62142cd4a9083ec1182d05e446572696ace000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1248b1e8-66aa-4395-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1248b1e8-66aa-4395- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\fc41e1a9abef38935bd0e09bf57e090b5a28ab74d458558a9da50645ff570b56"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\a36dbd55-b616-47e9-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c15b5318-ad8f-45cc-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1336f09f-3481-4f5d-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1336f09f-3481-4f5d- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1248b1e8-66aa-4395- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1248b1e8-66aa-4395- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000000ba5641f7225d8013b52751f7225d8013b52751f7225d801df0100000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005354b84a2000666334316531613961626566333839333562643065303962663537653039306235613238616237346434353835353861396461353036343566663537306235360000b20009000400efbe5354b84a5354b84a2e000000000000000000000000000000000000000000000000008e794000660063003400310065003100610039006100620065006600330038003900330035006200640030006500300039006200660035003700650030003900300062003500610032003800610062003700340064003400350038003500350038006100390064006100350030003600340035006600660035003700300062003500360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001e49f2501000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c66633431653161396162656633383933356264306530396266353765303930623561323861623734643435383535386139646135303634356666353730623536000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d62542cd4a9083ec1182d05e446572696abad9b5dc40371b4eb595e9fc647d27d62542cd4a9083ec1182d05e446572696ace000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1336f09f-3481-4f5d-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1336f09f-3481-4f5d- = e75b13247225d801	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1336f09f-3481-4f5d- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1336f09f-3481-4f5d- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\245635b8d0f4bd8f5e4dfdcba7abcb8d92909609570577a3110c23a4cba92703"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1336f09f-3481-4f5d- = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1248b1e8-66aa-4395- = "8324"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b250cb68-4211-4c06-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1c43c6fd-894a-4d17-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\005124b3-5e47-4827-	RuntimeBroker.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exesihost.exeWerFault.exe

pid	process
2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
2204	sihost.exe
2204	sihost.exe
2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
2204	sihost.exe
2204	sihost.exe
2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
4740	WerFault.exe
4740	WerFault.exe
2204	sihost.exe
2204	sihost.exe
2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exeRuntimeBroker.exesihost.exeStartMenuExperienceHost.exe

description	pid	process
Token: SeDebugPrivilege	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
Token: SeShutdownPrivilege	2948	RuntimeBroker.exe
Token: SeBackupPrivilege	2204	sihost.exe
Token: SeBackupPrivilege	2816	StartMenuExperienceHost.exe
Token: SeBackupPrivilege	3884
Token: SeBackupPrivilege	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exesihost.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exeDllHost.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2896 wrote to memory of 2204	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	sihost.exe
PID 2896 wrote to memory of 2224	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	svchost.exe
PID 2896 wrote to memory of 2276	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	taskhostw.exe
PID 2896 wrote to memory of 2528	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	svchost.exe
PID 2896 wrote to memory of 2712	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	DllHost.exe
PID 2896 wrote to memory of 2816	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	StartMenuExperienceHost.exe
PID 2896 wrote to memory of 2948	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	RuntimeBroker.exe
PID 2896 wrote to memory of 3024	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	SearchApp.exe
PID 2896 wrote to memory of 2172	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	RuntimeBroker.exe
PID 2896 wrote to memory of 3372	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	RuntimeBroker.exe
PID 2896 wrote to memory of 2932	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	RuntimeBroker.exe
PID 2896 wrote to memory of 996	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	backgroundTaskHost.exe
PID 2896 wrote to memory of 1724	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	backgroundTaskHost.exe
PID 2896 wrote to memory of 3884	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
PID 2204 wrote to memory of 4704	2204	sihost.exe	net.exe
PID 2204 wrote to memory of 4704	2204	sihost.exe	net.exe
PID 2896 wrote to memory of 4760	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 2896 wrote to memory of 4760	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 2896 wrote to memory of 4584	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 2896 wrote to memory of 4584	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 2204 wrote to memory of 4512	2204	sihost.exe	net.exe
PID 2204 wrote to memory of 4512	2204	sihost.exe	net.exe
PID 2896 wrote to memory of 5328	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 2896 wrote to memory of 5328	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 2896 wrote to memory of 5336	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 2896 wrote to memory of 5336	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 2204 wrote to memory of 5348	2204	sihost.exe	net.exe
PID 2204 wrote to memory of 5348	2204	sihost.exe	net.exe
PID 5328 wrote to memory of 5508	5328	net.exe	net1.exe
PID 5328 wrote to memory of 5508	5328	net.exe	net1.exe
PID 5348 wrote to memory of 5576	5348	net.exe	net1.exe
PID 5348 wrote to memory of 5576	5348	net.exe	net1.exe
PID 4584 wrote to memory of 5584	4584	net.exe	net1.exe
PID 4584 wrote to memory of 5584	4584	net.exe	net1.exe
PID 5336 wrote to memory of 5592	5336	net.exe	net1.exe
PID 5336 wrote to memory of 5592	5336	net.exe	net1.exe
PID 4760 wrote to memory of 5600	4760	net.exe	net1.exe
PID 4760 wrote to memory of 5600	4760	net.exe	net1.exe
PID 2896 wrote to memory of 5608	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 2896 wrote to memory of 5608	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 4704 wrote to memory of 5700	4704	net.exe	net1.exe
PID 4704 wrote to memory of 5700	4704	net.exe	net1.exe
PID 4512 wrote to memory of 5708	4512	net.exe	net1.exe
PID 4512 wrote to memory of 5708	4512	net.exe	net1.exe
PID 2896 wrote to memory of 5732	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 2896 wrote to memory of 5732	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 5732 wrote to memory of 6008	5732	net.exe	net1.exe
PID 5608 wrote to memory of 6000	5608	net.exe	net1.exe
PID 5608 wrote to memory of 6000	5608	net.exe	net1.exe
PID 5732 wrote to memory of 6008	5732	net.exe	net1.exe
PID 2712 wrote to memory of 5804	2712	DllHost.exe	WerFault.exe
PID 2712 wrote to memory of 5804	2712	DllHost.exe	WerFault.exe
PID 2204 wrote to memory of 5936	2204	sihost.exe	net.exe
PID 2204 wrote to memory of 5936	2204	sihost.exe	net.exe
PID 2896 wrote to memory of 5944	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 2896 wrote to memory of 5944	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 2896 wrote to memory of 5952	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 2896 wrote to memory of 5952	2896	0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe	net.exe
PID 5936 wrote to memory of 3748	5936	net.exe	net1.exe
PID 5936 wrote to memory of 3748	5936	net.exe	net1.exe
PID 5944 wrote to memory of 4016	5944	net.exe	net1.exe
PID 5944 wrote to memory of 4016	5944	net.exe	net1.exe
PID 5952 wrote to memory of 1448	5952	net.exe	net1.exe
PID 5952 wrote to memory of 1448	5952	net.exe	net1.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1724

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:996

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:2932

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3372

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2172

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3024

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2816 -s 2568
2⤵
- Program crash
PID:4724

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2712 -s 1000
2⤵
- Program crash
PID:5804

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2712 -s 1000
2⤵
- Program crash
PID:4636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2528

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2224

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4704

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:5700

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5708

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5348

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5576

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5936

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:3748

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:3872

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2596

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:5144

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3736

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
PID:6348

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:6544

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:6516

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:6728

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:6720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6924

C:\Users\Admin\AppData\Local\Temp\0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe
"C:\Users\Admin\AppData\Local\Temp\0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4584

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:5584

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:5600

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5336

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5592

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5328

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5508

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6000

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6008

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5952

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:1448

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5944

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:4016

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:3768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5480

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:388

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5452

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:5884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:4808

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:6112

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2984

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
PID:6376

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:6552

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
PID:6408

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:6528

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:6560

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:6792

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:6604

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:6772

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:6700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6892

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:6784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6936

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:1400

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 500 -p 2816 -ip 2816
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5812

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 2712 -ip 2712
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5796

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3884 -ip 3884
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:5284

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3884 -s 2528
1⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:4740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK

MD5
5aab33c21f9d87fa34f044acc008508f

SHA1
92a515bd91f41d3d7b6caf2a78c22347c92e2eff

SHA256
4618959d1dd11f636deb39fce22b4b07501d1ef217a64e7043ba8fd18c179530

SHA512
bd839d3dfa89e2fcc49f1f90bf185ab8d0a1ed6edd41636051509aa9695a26d24bcb7fa303485a0cd39329f7c0fe6be4a6474421f3872fd17c622342a8964ff2

Download Submit
C:\Documents and Settings\Admin\.oracle_jre_usage\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\3D Objects\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\3D Objects\desktop.ini.RYK

MD5
b3131c898ab35d8e2eca7f4932d224d6

SHA1
61aaf21e714c14d2b813278a4842a908d3f02c16

SHA256
1e0d0e30642f136dffb0c0080b5db2f076d7981929f0b446916607d5c32453fe

SHA512
7e0b60e030b26063026b98d4888a9e88bb742f9a417ecd6daf1b093385fa0b3251be3fa8f170179da86dbd3ba6f634ffb3bc9e0a5375fefd1b5271788d25d673

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK

MD5
71024abfa89e5d4e06c8bd6d7fea4d2d

SHA1
1f7936d98eaaa5c88337ccd06d97018db0266bbc

SHA256
569931958f504840412303efc42c7a29d99a6127f674575d3be2766b52105fde

SHA512
9187359904edd3bd6be2d4c7dad12007c60fccd9f6330140a429e3e26373e6c674bf7f6a07d042c930d0b667cc94f98700f6e13d7b1cb0d1c64dfc7836854d3c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK

MD5
c6c889ed451fbd17a5832f81f0ce6a0a

SHA1
4772b005d94cdc932378fa1f4d813f039c0f9543

SHA256
26afb594f533afea6b59fcfe5264020b9bef82fb0ce6b18f5cf130475df713ca

SHA512
ac5cf358704685fbf75311f594014334658e879765ed9d90d8d15ff982f0fdac4ff268dd24b14a5a68b5fbb3e188cc72f2fca1fba64f7dfe974a81b1fd1ad289

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK

MD5
9e4d9b69eacb0e6e311bbad0409035e8

SHA1
714cb624ca4b3eb50ebc9c30fb69401eb9cce476

SHA256
b7c4bb7d3985fd84f2c1438e779794bc0798d9b27ac27351e10722975c036cb1

SHA512
6ef7288bc02e960286aaebe39417c1cbcb4bb39266871d4d128a900b345fd172bd06d0221026af0cc62f76eb2c5d3afe6853df6dc1bcfb34486579d270db5dc9

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

MD5
5772aef5f32aaed9439bca8d9f5efafe

SHA1
75d929a9b80ac6336eae60674a29b82806a12ed6

SHA256
18bdb1b1fc0278234247b7026c24bfe839d6b28f7fdd611b39b6e6f3fbc4aa10

SHA512
88b76b697e5550b48f1f11998f06293083860a7dc35fbc99f384b1feabcb666bd75ee8a31cd40169423c9e73d0532b4c95b0a85bb10d32aaf578f79b7992a9c5

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

MD5
abea4dd96e183799b7a1c0320e243912

SHA1
c3d72c55fcdb3acce6a1414f0bb29bb08150184a

SHA256
a4bf81476be510853d4fa262afb8f3a268736dbcfd956c832ad1af2624fae42e

SHA512
7e36988b760e26995ae13df018bf983a0b21c49037de03f9698ca16e4366fbf55d74a1e1fc2dc1452accaea4914cec8e3e0179d4d224c6ba6d1f714c6386185c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini

MD5
da667743943567d497c0b55886d38e66

SHA1
afc770e8d625e1c7cb9f82eb8040f4abd25e1426

SHA256
70289335e59875799449667fcd943dfac1eb80c4453c9632567f2a3aaeda3194

SHA512
87ec7e65000fef8b2258d513c76c992e58272fd6deceee7a239d82f65843193c1fc205da7fe154757531f9b7c5cfd4dffb98a44da9728111f3513683b2c89205

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log

MD5
ea98fe0b443da5094e9f9168cd8ae35e

SHA1
9b4e5239d62c14cbfffc367f90f4be952f17b1bf

SHA256
43d40341f96dded313e78193e7717190e9effc23b89090ea8c28295865bffeba

SHA512
efa1eba7c26735144115bb6c3cd9cd84493bb5f5cb1039c29293e3b765537d69fa5d806f494be672e79ab17380d239b3fa2c2797df908da177925a5d08e72980

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\aria-debug-2324.log

MD5
347bda7735182647f013144623cbedf3

SHA1
00196bdb4b03bbd82c2d42004098c75bc6e93502

SHA256
bc482b2438f0f98172b3e8eb6deca6410f00bc257edce6d65de8b072f2cfa2c3

SHA512
f0c0980e965e1f76bbcef5f20e6b1443fe71c1370c2446e5a5278cc2fed5a44f1207c1de4ea0c8c0b810f37b0758c305af9a4d58cd77fcfef7cee82865141bb7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log

MD5
18f0d9189db8a914abe62fdc8c9cfadf

SHA1
fc84c4d753dfcb127dbc4e78e77baeea87eb9b01

SHA256
d128509a481602fdd905e4c1b0565e1597ce5a2eadf2ec644ce50f4efda99c5b

SHA512
160f28e8324b5c3bd3b203da0c14bd69744154b8104d25e203cbdb4b03730cacea774e8f712482c6fe5874d589793dd66ad10a46b2d4c3255eaa19383ad7e9b1

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46A8.txt

MD5
24780360f45c8763a4ef3b8262b5968b

SHA1
7bb084fcba394e518dab05da53571580e696d539

SHA256
ca8d59e4a407e10e78bf6e476018947bc14ea47f2ec59c824e3295e08f1e373f

SHA512
5fc2daf9ba8a505d89e216f4d215f1c13f4653f75c999b4a89fd0cfd6fc940fd2ff25c243fd96e0b5a961f84285b4a30495a55c5aaee0ad470b636386f2d83ff

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log

MD5
69df5acb887402fd78c8854040fd4f14

SHA1
801cf50220af33812cd14d070d4a1d82130308d2

SHA256
dc1739f7b38db1914e687289f8e769aed593ae6f47ae3ce34b50e38532f342f2

SHA512
d13a9c27f7dda8e1d9bf7245b4ed7e3aa58f2fecfaa7d9c645d1602273ac1eba0641a32839c809dfe1312bcbe4ced79886208fa2ebb3d5d9b03a3bdde64e27d0

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\msedge_installer.log

MD5
20c87993500606968cc0e7d34917fc38

SHA1
89155088d21be6930e564f628d3a58402692d975

SHA256
4535ea6ce8df8b2e9200eb6287ebf6cb227260aa08aa99902165b02b96b1f267

SHA512
8e09302bbbc12da934001515243776dbe0e9d989e55569526d5fa45572a307cbf986620e620c741f6e56cdbdb5d5cac6a528bf07ce5f34876a20782f9e36f9cf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jcp

MD5
8f8649c9cab902b9e6bd06ad06fe1fdc

SHA1
9399702041f2463b2ec8f00cf0acfb0851d7d51d

SHA256
eddb5718239d4d3a044b243c0b064ab3ac1d9865b4c967b7bdb26d310ec1abdb

SHA512
5123d44f762efb247f0022da607045861def6d4ce406105dfc7c3a88df8fff92cfa2ac6cdcbb969a1e32919468da8edf442d6777383e99d8889544e8f5d4dc6d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx

MD5
63ed97357979b9cf8a3a7e25322670fa

SHA1
599f9eb72d17be2b4a3294d90dccc9a4e3f89041

SHA256
d9c6826625cb7c348ddc95a35009ffabe6ca2ab26cac48f3ced80c3375f15919

SHA512
6bde4c55c59e0c96b7f631485994b2ac45b4906c7bcbe3924f064b8caf510159937645fcc3eb9a95b6db69560af1a95da3f1fcebc09a6914688836a2cd99fba4

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm.RYK

MD5
3e51458c512296b1d3cf8e9f94dcd3f1

SHA1
ab7221d133cf22150aebee663c4ffcb11240305d

SHA256
a51c138848391243d7de54b15ccf080d9b252d77e73432711a063be8f16199cf

SHA512
90a76938142f551bdb7a11c37767a07ac2318c7fa96dc0a638425ab9981f445a47e0fd453e1309fde82930c3f04a4f88a89e93f109aba4980dcfe0b6dced9bb9

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol

MD5
693420f40ceecc5edc43557eea51c045

SHA1
c6bdbe0cb56ed7245deec204bb0d3d062bcd8425

SHA256
4a4ffe67ef91631ea5f531332c6722421c90ad535a0ed1e18009ad7d6abf4459

SHA512
2a86cf8a423857fa6fce0870e004d09456410c63704e3ecce6a4c8c72a602b56f4d5c080fd0833810dbeec70f44a099f4b3d1dd4d22dd74e8b22e3cba85170a7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\UsageLogs\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data

MD5
f15f33a88ac789ac0f7f1557bf1b830d

SHA1
43712edd89b622f6cbcda1c7920db08f8f5c43be

SHA256
9ab058737f9b2229b60221d79c9504c3c7905dc39c82073e96730d5557b78464

SHA512
b0ec52e4ecccbbbb59f71ab6145b559c961e00f9f55267426823c1554d0b822938b4af685e7780dddd6521e8a72fbac19f2ccf1f43ca0d321abac7d861d3a135

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Web Data

MD5
babf9bf87b0543ed8166fa0ee6ff96c0

SHA1
d3f16b2860a5d47ffc9a905314115244882531d9

SHA256
a77f47f822c024f058d551cbc97e23bb8e49efc86748fab25ae6cdac18102949

SHA512
38089ae1c099b7a44ee7df41d762ccad9f153ea15bc84937ff13e215f1ffc5d1bbb7e595fc51d18ca22d3a82b2d6c8765b9c4ab943a260c86554660ab2e936d7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\GameDVR\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\af-ZA\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-AE\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-BH\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-EG\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-IQ\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-JO\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-KW\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-LB\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-LY\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-MA\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\Documents and Settings\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.txt

MD5
09dded3ea32b10a4b4a5c9a198fa6a42

SHA1
d94c61cbfb148d4bead68745a73a42f5c9c277c8

SHA256
43955f4614a6c78bc4c6ce715f38f90dbb411b2a0dea4b96ac8acb430e002587

SHA512
3170889a4f84d62c762a2e98d3b2228cf4fe0bad0b612af555c3e90b811267079fcab38ee36ba0a4d3ef2bc0bf7fee3204241ac3a54285425c324743d2d44c8c

Download Submit
memory/2204-130-0x00007FF611610000-0x00007FF6119A6000-memory.dmp

Filesize
3.6MB

Download
memory/2224-131-0x00007FF611610000-0x00007FF6119A6000-memory.dmp

Filesize
3.6MB

Download