ryuk | 0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad

Analysis

max time kernel
184s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
19-02-2022 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
Size

207KB
MD5

36dfbe051ab87906b8de92085335bddb
SHA1

932d13cc4f14f33825d236cb7ed8c50314f73365
SHA256

0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad
SHA512

3ad79c11e252513f651c2aa066668aeb263e51643eaa15766853ae764b2fd2b65f9f631b9e701c9b1c4f05232e9b87b3cc33d84fec4930f523c45a411356eb21

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Documents and Settings\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description	pid	process	target process
PID 4544 created 1608	4544	WerFault.exe	backgroundTaskHost.exe
PID 2732 created 2888	2732	WerFault.exe	StartMenuExperienceHost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

sihost.exe0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\Admin\3D Objects\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	sihost.exe

Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4788	2716	WerFault.exe	DllHost.exe
5884	2888	WerFault.exe	StartMenuExperienceHost.exe
5876	1608	WerFault.exe	backgroundTaskHost.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeMusNotifyIcon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies data under HKEY_USERS 19 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exesihost.exeWerFault.exeWerFault.exe

pid	process
1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
2188	sihost.exe
2188	sihost.exe
1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
2188	sihost.exe
2188	sihost.exe
1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
5876	WerFault.exe
5876	WerFault.exe
5884	WerFault.exe
5884	WerFault.exe
2188	sihost.exe
2188	sihost.exe
1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exesihost.exeRuntimeBroker.exeStartMenuExperienceHost.exebackgroundTaskHost.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
Token: SeBackupPrivilege	2188	sihost.exe
Token: SeShutdownPrivilege	2964	RuntimeBroker.exe
Token: SeBackupPrivilege	2888	StartMenuExperienceHost.exe
Token: SeBackupPrivilege	1608	backgroundTaskHost.exe
Token: SeBackupPrivilege	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
Token: SeRestorePrivilege	4788	WerFault.exe
Token: SeBackupPrivilege	4788	WerFault.exe
Token: SeBackupPrivilege	4788	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exeDllHost.exesihost.exenet.exenet.exenet.exenet.exenet.exenet.exeWerFault.exeWerFault.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1976 wrote to memory of 2188	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	sihost.exe
PID 1976 wrote to memory of 2208	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	svchost.exe
PID 1976 wrote to memory of 2252	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	taskhostw.exe
PID 1976 wrote to memory of 2520	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	svchost.exe
PID 1976 wrote to memory of 2716	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	DllHost.exe
PID 1976 wrote to memory of 2888	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	StartMenuExperienceHost.exe
PID 1976 wrote to memory of 2964	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	RuntimeBroker.exe
PID 1976 wrote to memory of 3056	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	SearchApp.exe
PID 1976 wrote to memory of 2476	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	RuntimeBroker.exe
PID 1976 wrote to memory of 3360	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	RuntimeBroker.exe
PID 1976 wrote to memory of 3948	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	RuntimeBroker.exe
PID 1976 wrote to memory of 3520	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	backgroundTaskHost.exe
PID 1976 wrote to memory of 1608	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	backgroundTaskHost.exe
PID 2716 wrote to memory of 4788	2716	DllHost.exe	WerFault.exe
PID 2716 wrote to memory of 4788	2716	DllHost.exe	WerFault.exe
PID 2188 wrote to memory of 4996	2188	sihost.exe	net.exe
PID 2188 wrote to memory of 4996	2188	sihost.exe	net.exe
PID 2188 wrote to memory of 2092	2188	sihost.exe	net.exe
PID 2188 wrote to memory of 2092	2188	sihost.exe	net.exe
PID 1976 wrote to memory of 5184	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	net.exe
PID 1976 wrote to memory of 5184	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	net.exe
PID 1976 wrote to memory of 5192	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	net.exe
PID 1976 wrote to memory of 5192	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	net.exe
PID 4996 wrote to memory of 5312	4996	net.exe	net1.exe
PID 4996 wrote to memory of 5312	4996	net.exe	net1.exe
PID 2092 wrote to memory of 5304	2092	net.exe	net1.exe
PID 2092 wrote to memory of 5304	2092	net.exe	net1.exe
PID 1976 wrote to memory of 5340	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	net.exe
PID 1976 wrote to memory of 5340	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	net.exe
PID 1976 wrote to memory of 5456	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	net.exe
PID 1976 wrote to memory of 5456	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	net.exe
PID 5184 wrote to memory of 5436	5184	net.exe	net1.exe
PID 5184 wrote to memory of 5436	5184	net.exe	net1.exe
PID 5192 wrote to memory of 5432	5192	net.exe	net1.exe
PID 5192 wrote to memory of 5432	5192	net.exe	net1.exe
PID 5456 wrote to memory of 5588	5456	net.exe	net1.exe
PID 5456 wrote to memory of 5588	5456	net.exe	net1.exe
PID 5340 wrote to memory of 5596	5340	net.exe	net1.exe
PID 5340 wrote to memory of 5596	5340	net.exe	net1.exe
PID 4544 wrote to memory of 1608	4544	WerFault.exe	backgroundTaskHost.exe
PID 2732 wrote to memory of 2888	2732	WerFault.exe	StartMenuExperienceHost.exe
PID 4544 wrote to memory of 1608	4544	WerFault.exe	backgroundTaskHost.exe
PID 2732 wrote to memory of 2888	2732	WerFault.exe	StartMenuExperienceHost.exe
PID 2188 wrote to memory of 5968	2188	sihost.exe	net.exe
PID 2188 wrote to memory of 5968	2188	sihost.exe	net.exe
PID 2188 wrote to memory of 5980	2188	sihost.exe	net.exe
PID 2188 wrote to memory of 5980	2188	sihost.exe	net.exe
PID 5968 wrote to memory of 6100	5968	net.exe	net1.exe
PID 5968 wrote to memory of 6100	5968	net.exe	net1.exe
PID 5980 wrote to memory of 6104	5980	net.exe	net1.exe
PID 5980 wrote to memory of 6104	5980	net.exe	net1.exe
PID 1976 wrote to memory of 4500	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	net.exe
PID 1976 wrote to memory of 4500	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	net.exe
PID 1976 wrote to memory of 2116	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	net.exe
PID 1976 wrote to memory of 2116	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	net.exe
PID 4500 wrote to memory of 2576	4500	net.exe	net1.exe
PID 4500 wrote to memory of 2576	4500	net.exe	net1.exe
PID 2116 wrote to memory of 452	2116	net.exe	net1.exe
PID 2116 wrote to memory of 452	2116	net.exe	net1.exe
PID 1976 wrote to memory of 1288	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	net.exe
PID 1976 wrote to memory of 1288	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	net.exe
PID 1288 wrote to memory of 2172	1288	net.exe	net1.exe
PID 1288 wrote to memory of 2172	1288	net.exe	net1.exe
PID 1976 wrote to memory of 1896	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	net.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5312

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5304

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5968

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:6100

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6104

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:5964

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:4528

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:6128

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2208

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2520

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2716 -s 924
2⤵
- Drops file in Windows directory
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2888 -s 1316
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:5884

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3056

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2476

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3360

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3948

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:3520

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1608 -s 3236
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:5876

C:\Users\Admin\AppData\Local\Temp\0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
"C:\Users\Admin\AppData\Local\Temp\0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5192

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5432

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5184

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5436

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5596

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5456

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5588

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2576

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:452

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2172

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1896

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3504

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:3228

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:6056

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:4824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5724

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:3276

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 1608 -ip 1608
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 472 -p 2888 -ip 2888
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Modifies data under HKEY_USERS
PID:5424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK

MD5
d823c22dafc91400650a0971fc31bd3b

SHA1
97a005d8869ba5698e169e29fa7b175078744d74

SHA256
0fdac255fc04874b3fddbbe280e219355635aa2606149e3f3d095958ea94ddf2

SHA512
e7ca91524a0ae3af607437a2fdbe5cff094cdcabcc8242ec8c1e99b82484b96d881b8ff6d29d368a3f9dab974f3c535bbaa0613483c9e705d6b29d82cb3176b4

Download Submit
C:\Documents and Settings\Admin\.oracle_jre_usage\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\Documents and Settings\Admin\3D Objects\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\Documents and Settings\Admin\3D Objects\desktop.ini.RYK

MD5
12ed114775f7af0d7b28dc6d6d190213

SHA1
193512e58dacc82e9ad1d86bd03d67c7edb806e9

SHA256
39f45e9a8a7e83b701bb409c0edb662bc59baa30e02a590aadc68641daebf5c0

SHA512
8402bb4f0f3720063049f0027e0aa8e842dcb783ae587e140029605ea98c6e089c4eb5d60c93334c8232b397030a1c186c2568b79bd0a0517227020d4fb93499

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK

MD5
2730f17836a7ddad6a9e130efba8cd97

SHA1
679c771b41be360cad94a815a4d4002670353282

SHA256
306b11d494683692da14fa486e8871f9d651ec3a235e5eedf47f769d08f7f33f

SHA512
97c4569bd83e4353b0d686959ea54ca680e748421b92a7d34105eaf4af5be818f516b832ce14cf8f4dcd0fb699b3cabb7f561b5127f87d47e43b9556d21c7dfd

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

MD5
3fd936e104df16d380899af4ae3255dc

SHA1
51f246fe251e30b4453efa5ad509a47f4fc8b424

SHA256
73862ae694d297b767f65d77f95698c5f4b12fe2f2296d50965d6cedcfc6181b

SHA512
db6a57da66a234b9758fc2d4427b1d5319c563ad1aef5fe27d196bd034780086ec853980fdcb0435a8ec701b9cb05b3e6bfa6c6c155242f70957e8b56e219b38

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc

MD5
258efda705ed04eb3640018fa42a8b46

SHA1
ed14508f2a79593d5ff806cd8da72ec8e63eaac8

SHA256
fc4e0be4178b3cdf358a05ebafd0048998a09ece3e358779beb91f7339dc1ee2

SHA512
2f2854f97e6dd4f7972ffdcd6613e59f23e8adc3c96c6abed5fd72a65317103332ace64ebe7b6f9567f2395b167ac4e22a9f28f81227f3ae607ce5a0bcf0b64a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\UserCache.bin.RYK

MD5
22778342c4445b68896949f974c4987a

SHA1
c4b49e39d3b0247d625bea872fab66dd31d49a4b

SHA256
025a53a737b9691d5f24d2137725dacfe0b5d3c300dde268e2eea250be7337d1

SHA512
760523b082a66a8f74205217a3466adb1043030daba42fb059fe5f8ded9d6fb77bf19cbeee8b95a0ca55416cfd339cebfb297c3ceb940c9e34ca0e53d1b57951

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\SharedDataEvents.RYK

MD5
ad9a9328b3156ab54cf6c1852c62fed7

SHA1
3fc37e1fe0bbe73b32163e9fef86089c1c237381

SHA256
e9040c47c9726fb5fce8f5bd44d8ac38fcefd7136d0e43b4cc3872a682edb5b6

SHA512
74510bc83bba4bcacd0a9783a9b11fabfc90c863d1a3b4b3b6b9896416352104df3a554751f714204d913bfd13a6e3fc2c89d74e5b4075ae2ddc5740801c5810

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini

MD5
276ce20ef63bab7c21612b73bd407c1f

SHA1
80d016dae3dcf1618393662d44a96d4bace40df7

SHA256
bf13881277db3b25ae10c62c84ce63b5252f7e1fc3e0ab0f00f07f45cbde8b28

SHA512
001055a0e49a692574732dd1e06bf46c619372dd260076947417f6841e66df189f1be98d72d30a6fec1da6cc2cebcd700bec86fae36c8b185aab05adcbd54bd4

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db

MD5
3ece9861f671ad7bc5ddfee965997f4e

SHA1
bd70c0d70b28a4a82df7c93f985230331aff8f93

SHA256
61702d00c0260016610ef0aac07cc932f581f5e34c142e8ee36cb43b66cba160

SHA512
4dddce3583b0b48289313046700274965a0d10ae80a48337cdaea8cb679dba9c251e40e0656985b0abc250b5e8416ea50cfa08e075abf4eada341c58a1be276e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log

MD5
818648ebb52fe90bab0fe3fa2fce27f9

SHA1
c6df568ddbd8057515b5f6594a323c5cc99c00b0

SHA256
c95b83391c65a2c6fb4fb4c9a13e340769684217946eb6c1f9086b3e4ada8a5b

SHA512
1547d518947abb9c0e0921928d73f09d0f258b6b2854c9aa9e0ff5d7dde8a4c6089ca4f2936601b36a51062a2523fe9f2bb6e824c6d5f7f5bac0fb73a2ad06b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\StructuredQuery.log

MD5
67759392941c42f11c6fd2c955038810

SHA1
752a7daa7b5bb682de55bb933af02dd6e3e05f76

SHA256
71de014acff7a6826a8e66b2ee775926a03be6d7251b1da39b2720af8b90f5d7

SHA512
017413d181842eb44b366a956caa1e9dbe5be65092c5afe9225e08102d5dd45410c00c10425267a35642fde3785823bc71cc03b158b4f9bd1471901bdd60e1d1

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\aria-debug-2324.log

MD5
fd36f8e894debf9d4b840d0b57787558

SHA1
e24d00cbb3a0e50346ca632288199e94c09918e7

SHA256
4a84f8f1e3e46d1935701484c7c0f1f5c40bd17d5b332a553e390e9a09940ca1

SHA512
bf44dfe31f92ec7d7829afca525f6a4b933a7a3965b087351c1b4f52d7b55db348c570b3a25c8f0ba722bb0a83a97bd002ca4ebf9fcaa70d60eea0ef04e65e73

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log

MD5
d67f82d1fa99e724a56cfa02bd588a85

SHA1
672fb024ad8db9e75a17eb410b6b4c0d47cd74d2

SHA256
1173c6bf5c2b51511ef05957af9ce661e0a150cfabd745efe4f032182950127d

SHA512
7652611bafbaf401105cd974dee9903eda8aae1a99caa0db154114a66389ddc6fe40c0a4d7028d933a1a3bdc2060cf1dedb8e5409c11558fdec950d194393e0b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46A8.txt

MD5
dfd0c1f56c05b8940718b46adf6ecc31

SHA1
3299b5936752f06fb01cf78524a867709eb2db7b

SHA256
99702c24608872a9b3c34a27962d96b2b88786b499a7a422a446bf1b0efc0149

SHA512
b85f80511533a7277f1df12f7b209dee70c7dbbc3d658b10b6d7ea3a54b00b84650d264332fad29efc79a0f3a6c340462614c4ba7ccb03e5fa76c7ac0361f033

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46E0.txt

MD5
4f448c49c82c5bcd76d77ed1c06cf66d

SHA1
4d686190807931a57a84737ee92139c556089c3b

SHA256
c13b245297d1abfe47667f0bde57d6819ceb118c81cd1fc9070e23b57d391138

SHA512
8689e717b8c1520c5ac29fda5bbf2a9ff1b3835d85af8b891d1e9b9088d54cde619710701e6d481fe4ba9343dc10b0b7b3428cbbe93ed0533b8bb9d4e47c0164

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log

MD5
12567ca3d332f9f955d83d0c5de5625f

SHA1
19f889c9e0c888e69775c9b684121b1f16a72aa6

SHA256
b7b7a7a80f5087141c230cedef0cceab82dc2d9d5f4b7bae71d39366c63fc747

SHA512
7be9d7db659c45bd99414900aeaec723532f9833b969f8666cb2755929547656e2824cc350d93a53fdbc0bd1414c863bfbd6d3003f755e8e2d761a35058d8844

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\msedge_installer.log

MD5
9001fb319c41dcaa9791f9d6a0121308

SHA1
471620e0fa347e8fab4645ca133eed1e9e8f651a

SHA256
1bb537aa4a68469918a5229a499c606d9f841dc984c991de5d8ee0fe27d2676f

SHA512
873dec906d2fe7aedba2cf1d10515c1ff115800c30d27e283c099807688c7e517b98f909ae82266efc65c594e403a282aee28f7d5d6fc016829c55004474a128

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\offline

MD5
d839e4af8166ada6060fb8a121d8bd8a

SHA1
608d05f518210eff759e1d2d1f7c7930ae47c23e

SHA256
826216819172cf03f5cdadd2943f32da2ce82e7fb16259c13e1df9c6ace07caf

SHA512
e2654c98910c0d990f31432a57babb7962d5cd34544e9546b4ea0efb89de2a6362482a31564694126c96bf34bc25fcce04e34104d7dad3d3e6b7f18e65faf99a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\offline.session64

MD5
a73f1db5fd43ffbaf572b9865f945cbc

SHA1
082893204e372edb2fea71b4db95bf2620ed8d1a

SHA256
041b48958f0da60c7bf3364489d12c6f03f26485047fc6cb692433555c0ace86

SHA512
b55e9f210a0ec28221c98701cea3d37ee388cf1020767792e91b4a0ad30b2114e0b779ee667969c6a103e784171baf5be45de51b2312ae3599af03f3252a1cd8

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tmp3097.tmp

MD5
2caecdcbcc789062ba094b9391dba20c

SHA1
1868971dd48788338c17a2998daabd327283f4e3

SHA256
bfde5eddd4e274afedef5d91e518e441985ef9a0ee588307922789138ebd1283

SHA512
7173d3dcd72d683b64fa256d58a7bfd1490485173b048edd91eab1819c5c6ea08e724ed74eee48af437982f253a3fd18d46f938fab6ac9edeaf65a6b0bc75ad9

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tmp3384.tmp

MD5
9ed7239cff220a87a12fad44f4baf96a

SHA1
893366c3c090e553d5112a96b4b0b290fee8ef0c

SHA256
c499b989fd14dd9f68531b615c100b2699f4b2c539415e4ec7780ed52abf7831

SHA512
8f978944ffeec995e016a5fd0a6f8756f97abbdde43ed366412de12a9828fc9776b2f06a83dcd0f1fc6d5c7165650b13c1de322c59486c78f80416c56020a482

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct530C.tmp

MD5
1a6bb739af6b27bea60a94272d55b7e9

SHA1
30d64e00de13a4efba08d2a769e39c8ea2431135

SHA256
60b70ce93b26f350c4d302b306882c41e1b33e88e6eaa49d579e07dd5f94ccb5

SHA512
fe6f1110b54f11e7f01f668d8533fa26eb000a6957e0c705eb58fe888ec0b98f9f2e081da5d5441a17048f4848b155202e48ecfd75b81ada9909c128f82c2485

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wctEFCE.tmp

MD5
ac9018144cb64ec403779a4afcc5a959

SHA1
f14f243c738acc31a3e52b4aa6fdf9718650ef9f

SHA256
b552a2b009b6f9256053c6c0d3ceeb46e4edb9a7ff0c02e328861a4f5c1865e7

SHA512
ad344aa3dff7918430b4583e07956f86c7acee1e888b380652e26fd3924305098b2884da7d12021a01992ab04c88778dce8149ee1d029f17940aa5076cfb717c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log

MD5
20977b1726856644bbf22217bc52ede3

SHA1
2570b95bcf9e36a5355bee21c1989330cfea0133

SHA256
00a875a1c698e99f7543d5ac881e582b0043460ddc7f8046dc2e9fdff007247d

SHA512
67427e7bf309692e54f150dfdf89864c9e00f915a9b9b19dd4d80f1a7d6ce0f85fac4e8888786f144b7956c2bb2949a14e38da17e4be2bcf0e81ffdf0766c879

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00001.jrs

MD5
ef47fc599d45ca8486d635a4761bec85

SHA1
627a295700da8f5115392586fcb943d97e3c28dc

SHA256
0f143866f5d352f64f230e52729b6b469089f879f355c5e1263f49cac5a98f06

SHA512
0290501d86186a6d647517fc8bcc23ce0c5573e62e99d44e2876628d0d6a646f08693ed777dde70b54a0d31ff889e38990e601d3a504b5c1d45d76a9ca4c93e9

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00001.jrs

MD5
ef47fc599d45ca8486d635a4761bec85

SHA1
627a295700da8f5115392586fcb943d97e3c28dc

SHA256
0f143866f5d352f64f230e52729b6b469089f879f355c5e1263f49cac5a98f06

SHA512
0290501d86186a6d647517fc8bcc23ce0c5573e62e99d44e2876628d0d6a646f08693ed777dde70b54a0d31ff889e38990e601d3a504b5c1d45d76a9ca4c93e9

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00002.jrs

MD5
f0c224ef7d745880c95157a8e7a9dcf9

SHA1
1f4174a63d652ea1379813230d7c9aa75927dd4d

SHA256
1974ec26976d642b7542a61bb0f9988754e25fd05b4f3c6e1a68aff192b212b8

SHA512
c6fc5aa8ba3fc5271efc2cdc2e50471736dd22b02654ba7210808ff0e23a22458fdda0b6224062bb564a42cc9f4dbc7597df17f11dae4ec9bab0c15d9f1fbb42

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.jtx

MD5
1dcf33fa2b9a77ad081d3134e0c0accb

SHA1
e6dc3616ecbf425005064de5f23f9087ad7ce38f

SHA256
b517b811f252a38002a7a8689b5f20613f3cb258fb60f1aad2d76de4b9175594

SHA512
6e54c987a87dc54a8d6369257dba0fdfcc647ac000f587e29d5ac8c6e5502cd97c1710149483658e112940541b76504fa894ffe233c133ce4590e2d71361d2cf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm

MD5
ae857d00690893189f59525b00d076d2

SHA1
0a0769d13d0624bc59a65a1d277a53a6786d59c6

SHA256
3462b2ac1e459155b137a708567c79d4b679c1b6712dbf3664f47d5076dcc1c0

SHA512
a9e5dd44287241b97978f075ea92fa3f4c04520313e4f48401dc9577d6d1d0157061e4c743af434b7cfc4201caa8b6eac8919365f4fd9104b27d3f9bdb2260d7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol

MD5
98cd502c2b3ed6b3745caef16d4d94f4

SHA1
638f0f165c8ea94ec060313f074dd6771cd54ce4

SHA256
947fc92bf472cc44b78fb90710135e1be6d40176d9af4f929458006c63e8fc49

SHA512
ef61d3b5fa40b6ee966d248f26840b310f37c7c84668566bc7164426ccc2ee75e9da3deb0361165b2e307ca3013831801ce45554387b09380de6c38435f3be09

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\temp\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\L.Admin.cdp

MD5
b007f0c69542f74b8777ad873168fc7a

SHA1
c7a4890485682dd943d4e46cfdef06f8a121426d

SHA256
9edb17b668dd7007487f5c9fb73dc0aae61b640993194a0b29ca9ad49dfc2b7f

SHA512
20361d5c824cbacd26ee6c1a790045cc6492e6c0e2efd04d450f809997aebec4920acc1dd6f2f05b75ba4ce005331f114c5e8f46bb45c4035654132f299d5879

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\History.IE5\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\Documents and Settings\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

MD5
38cff8fc8d25dd1101f9262263e5ea63

SHA1
9504170d4fd4d8664425e0a9e6aecfa6ad228888

SHA256
bd57b52935681cb626256c26404cbdd7065af70005d94801c508c98a9d292863

SHA512
86c25950f7bc48b136f1805f4f8a1455c7bb6b6638cb52d132d9d8c4471efff3302a9af2c98a2b4688d1aeaca3075de6fca1a8034bf8a8afc07401da3aeb6647

Download Submit
memory/2188-130-0x00007FF6CAAB0000-0x00007FF6CAD8B000-memory.dmp

Filesize
2.9MB

Download
memory/2208-131-0x00007FF6CAAB0000-0x00007FF6CAD8B000-memory.dmp

Filesize
2.9MB

Download