ryuk | 9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd

Analysis

max time kernel
196s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
20-02-2022 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe
Size

202KB
MD5

547f87db796b69e28453b142e9da9ed4
SHA1

019faca2d3d5675a6d6bbcd00629c8fe33d54705
SHA256

9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd
SHA512

682e6cb1d510119c9897ed25a62bc436be21e3f00deccf952897b234e36444c2ebd85ef906086dfc432a491d4f3c9a63d1ab2c0e23626ac71a863521109d1eb5

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Only we have exclusive decryption software, suitable for your situation. More than a year ago, world experts recognized the impossibility of such encryption deciphering by any means except the original decoder. No decryption software is available in the public. Antivirus companies, researchers, IT specialists, and any other persons cannot help you to decipher the data. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM � files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us a [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 5644 created 2740	5644	WerFault.exe	DllHost.exe
PID 5552 created 3684	5552	WerFault.exe	backgroundTaskHost.exe
PID 5560 created 2916	5560	WerFault.exe	StartMenuExperienceHost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

sihost.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\3D Objects\desktop.ini	sihost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5544	2740	WerFault.exe	DllHost.exe
5948	3684	WerFault.exe	backgroundTaskHost.exe
5020	2916	WerFault.exe	StartMenuExperienceHost.exe
5032	2740	WerFault.exe	DllHost.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exesihost.exe

pid	process
1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe
1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe
1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe
1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe
2224	sihost.exe
2224	sihost.exe
1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe
1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe
2224	sihost.exe
2224	sihost.exe
1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe
1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe
1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe
1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe
2224	sihost.exe
2224	sihost.exe
1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe
1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe
1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe
1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exesihost.exeStartMenuExperienceHost.exebackgroundTaskHost.exe

description	pid	process
Token: SeDebugPrivilege	1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe
Token: SeBackupPrivilege	2224	sihost.exe
Token: SeBackupPrivilege	2916	StartMenuExperienceHost.exe
Token: SeBackupPrivilege	3684	backgroundTaskHost.exe
Token: SeBackupPrivilege	1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exesihost.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exeDllHost.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1760 wrote to memory of 2224	1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe	sihost.exe
PID 1760 wrote to memory of 2244	1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe	svchost.exe
PID 1760 wrote to memory of 2296	1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe	taskhostw.exe
PID 1760 wrote to memory of 2536	1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe	svchost.exe
PID 1760 wrote to memory of 2740	1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe	DllHost.exe
PID 1760 wrote to memory of 2916	1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe	StartMenuExperienceHost.exe
PID 1760 wrote to memory of 2980	1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe	RuntimeBroker.exe
PID 1760 wrote to memory of 3068	1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe	SearchApp.exe
PID 1760 wrote to memory of 2772	1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe	RuntimeBroker.exe
PID 1760 wrote to memory of 3496	1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe	RuntimeBroker.exe
PID 1760 wrote to memory of 2924	1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe	RuntimeBroker.exe
PID 1760 wrote to memory of 3684	1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe	backgroundTaskHost.exe
PID 1760 wrote to memory of 4948	1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe	net.exe
PID 1760 wrote to memory of 4956	1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe	net.exe
PID 1760 wrote to memory of 4956	1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe	net.exe
PID 1760 wrote to memory of 4948	1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe	net.exe
PID 2224 wrote to memory of 4972	2224	sihost.exe	net.exe
PID 2224 wrote to memory of 4972	2224	sihost.exe	net.exe
PID 2224 wrote to memory of 4996	2224	sihost.exe	net.exe
PID 2224 wrote to memory of 4996	2224	sihost.exe	net.exe
PID 2224 wrote to memory of 4284	2224	sihost.exe	net.exe
PID 2224 wrote to memory of 4284	2224	sihost.exe	net.exe
PID 1760 wrote to memory of 4664	1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe	net.exe
PID 1760 wrote to memory of 4664	1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe	net.exe
PID 1760 wrote to memory of 4392	1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe	net.exe
PID 1760 wrote to memory of 4392	1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe	net.exe
PID 4956 wrote to memory of 5152	4956	net.exe	net1.exe
PID 4956 wrote to memory of 5152	4956	net.exe	net1.exe
PID 4948 wrote to memory of 5160	4948	net.exe	net1.exe
PID 4948 wrote to memory of 5160	4948	net.exe	net1.exe
PID 4972 wrote to memory of 5144	4972	net.exe	net1.exe
PID 4972 wrote to memory of 5144	4972	net.exe	net1.exe
PID 4392 wrote to memory of 5168	4392	net.exe	net1.exe
PID 4392 wrote to memory of 5168	4392	net.exe	net1.exe
PID 4996 wrote to memory of 5176	4996	net.exe	net1.exe
PID 4996 wrote to memory of 5176	4996	net.exe	net1.exe
PID 4284 wrote to memory of 5184	4284	net.exe	net1.exe
PID 4284 wrote to memory of 5184	4284	net.exe	net1.exe
PID 4664 wrote to memory of 5192	4664	net.exe	net1.exe
PID 4664 wrote to memory of 5192	4664	net.exe	net1.exe
PID 1760 wrote to memory of 5328	1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe	net.exe
PID 1760 wrote to memory of 5328	1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe	net.exe
PID 1760 wrote to memory of 5336	1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe	net.exe
PID 1760 wrote to memory of 5336	1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe	net.exe
PID 5328 wrote to memory of 5492	5328	net.exe	net1.exe
PID 5328 wrote to memory of 5492	5328	net.exe	net1.exe
PID 5336 wrote to memory of 5500	5336	net.exe	net1.exe
PID 5336 wrote to memory of 5500	5336	net.exe	net1.exe
PID 2740 wrote to memory of 5544	2740	DllHost.exe	WerFault.exe
PID 2740 wrote to memory of 5544	2740	DllHost.exe	WerFault.exe
PID 2224 wrote to memory of 5696	2224	sihost.exe	net.exe
PID 2224 wrote to memory of 5696	2224	sihost.exe	net.exe
PID 5696 wrote to memory of 5752	5696	net.exe	net1.exe
PID 5696 wrote to memory of 5752	5696	net.exe	net1.exe
PID 2224 wrote to memory of 5772	2224	sihost.exe	net.exe
PID 2224 wrote to memory of 5772	2224	sihost.exe	net.exe
PID 5772 wrote to memory of 5824	5772	net.exe	net1.exe
PID 5772 wrote to memory of 5824	5772	net.exe	net1.exe
PID 2224 wrote to memory of 5848	2224	sihost.exe	net.exe
PID 2224 wrote to memory of 5848	2224	sihost.exe	net.exe
PID 5848 wrote to memory of 5900	5848	net.exe	net1.exe
PID 5848 wrote to memory of 5900	5848	net.exe	net1.exe
PID 1760 wrote to memory of 5976	1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe	net.exe
PID 1760 wrote to memory of 5968	1760	9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe	net.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2980

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2924

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3496

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2772

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3068

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2916
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2916 -s 3020
  2⤵
  - Program crash
  PID:5020

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2740 -s 860
  2⤵
  - Program crash
  PID:5544
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2740 -s 860
  2⤵
  - Program crash
  PID:5032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2536

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2244

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "spooler" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "spooler" /y
    3⤵
    PID:5144
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5176
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5184
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "spooler" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5696
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "spooler" /y
    3⤵
    PID:5752
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5772
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5824
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5848
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5900
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "spooler" /y
  2⤵
  PID:3288
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "spooler" /y
    3⤵
    PID:2860
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:4084
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1944
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:5380
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5760

C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe
"C:\Users\Admin\AppData\Local\Temp\9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "spooler" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "spooler" /y
    3⤵
    PID:5152
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "spooler" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "spooler" /y
    3⤵
    PID:5160
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5192
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5168
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5328
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5492
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5336
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5500
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "spooler" /y
  2⤵
  PID:5976
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "spooler" /y
    3⤵
    PID:6052
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "spooler" /y
  2⤵
  PID:5968
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "spooler" /y
    3⤵
    PID:6064
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:6108
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1984
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:6100
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:344
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:5608
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4432
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:4320
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5108
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "spooler" /y
  2⤵
  PID:6048
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "spooler" /y
    3⤵
    PID:5592
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "spooler" /y
  2⤵
  PID:2236
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "spooler" /y
    3⤵
    PID:2972
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:4328
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3780
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:5116
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1620
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:5580
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5560
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:5584
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2360

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3684
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3684 -s 1876
  2⤵
  - Program crash
  PID:5948

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 3684 -ip 3684
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5552

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 512 -p 2916 -ip 2916
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5560

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 2740 -ip 2740
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5644

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
PID:5864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK

MD5
4febf9afd7cdb316f967ba2ab7f9f8b7

SHA1
f8b3a33e042b0f24768a2fd29dc32ad26667f47d

SHA256
ba28ffb4b42810c1b5f36e5c1d4c3835fcea10f899dc31f40b3ec3bf53cd8389

SHA512
6759eeff71e506ae160f431267d0903738ee1206d523d2ab59ae10cab987200f9ddf0120cee0b5c02de4172a9ac665ca9ec0a85d36a8735b7454d5fd67e877ac

Download Submit
C:\Documents and Settings\Admin\.oracle_jre_usage\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\3D Objects\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\3D Objects\desktop.ini.RYK

MD5
42d4b51fa45b148303bc2e93274e3655

SHA1
3219b22157e834eb606e25484d8125b118ab4eac

SHA256
d0567cf143006f1e15f121c718c4055b2ef68e46f6e241253bdd7031121a4c12

SHA512
bfc420b8dabf6250276ec0dc6a0e34a5366328c16cdf3ef4a380dbf1194c7991269b98b09501e4f2a5ac0cd8a1b2f5998f67efb4c223d2b538df1af12dcc50c3

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK

MD5
c89afd9824956915ac6c4507886c4ad6

SHA1
3d9243cc2a2ee69782450d535ddd7d59023d299b

SHA256
2120ebe4b231c331bf7e871efe50e8d43d5f4e7a71debdd476d241cdcac41c75

SHA512
43e795001f99d0ab2851a6538633d14e7780df7994c34b1fee53a1c8d964d394d82fc53c1d64b01d98cd81451fc9ac68af1f7845a4dffe03af72b3b12b49524d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK

MD5
7e850c7a71bb21815751c8376f73f2e7

SHA1
2c3fe097923d8290057ecc55505762d9d9c5aa37

SHA256
6b0bd533af3eae9cb4cff9468e486d36ae9a49001c35cfa98851d224c07e2033

SHA512
34afa7d1af4b9d69b72c055b3eedc10b74d72de8f347050132c079ae7ae1d80c1d916a9dd904b624c95f16ae8a73fa5f8002fe81e74ef2f6a1dc9b388ced5287

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

MD5
6f707defba742496a3dc8ecd90e655de

SHA1
64ffda51b092d5d515582c1ea36821d678dc1900

SHA256
e2d229ce1854e6c68de85a5ad5cbc55374b2d537b8140b63e5f40c9b576eb9ee

SHA512
4b3c43526395275dbb7260e659c563888734b5059d3820531e2fda355ea03c2aef33ec1fe238f1e07cf67ce12de73ccaeb3bbfab1f2958b3687f66e77b0f7939

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

MD5
9fca9a8f21ac2d7d41df80346b1c4aa8

SHA1
eb63c3c90a460c278f7a893bad1b3d0f44358c9a

SHA256
065d5d0ee2650f0dc24efb5e5d259293549b27d2fbc905abf6810c6510c977e8

SHA512
032c3ee7399b42882ffadd37bdeb1c0b5f2ddf7ae7166419e39593dcbbbe58551a7a80a209248171a488790069a128835c3004a46a33ab8f0880eac2c1aad353

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\DC\UserCache.bin

MD5
a0ef6df6b90db1ae8abe10e0423f396a

SHA1
e5aeb001d4c37e7cbd3d83bf5e4d43f6beca61ca

SHA256
908ab4b3bc6144ad113ebad45ed5982c4b2062236a87029aeba96e313d9d62a7

SHA512
c1a439109b5d939c75f4fc1ca3728ce0a1d8925a17e1affc665a3dcb1344d8e80dad50e1bfad3b40f533ad46a41b9efebfb5a1424b9354e7a62ae1ea7f1f40f4

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jcp

MD5
2791851bdfa0f6b7a0d9b556d02f1157

SHA1
6026e5bf2f170a0560b4e4ffb73125a689920ed1

SHA256
b2dfda676a05fc962229a8c35c9003efdf92146d5d3dcb0bf7e67f1be080dfc7

SHA512
4cecac64c6cb744f211ead7c5877b36f0f41c0587811595b398a8781344b0d8122e5af1d9b7108a7ec14a1f1f3cd1f48a851c111c010b0fa1310386fb69e95c2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx

MD5
326314cab5b6df4004c7604dbfb761cd

SHA1
aadafd653445931f0d1dec75de8c6c511297a401

SHA256
7c2c5071a9c9bfa1ffd26c09e7ac1f702c73448663467484e2dbfc6985de0dfc

SHA512
1066fd46cd18322a70337a0e0524b5141d3d9cca29d716984a409e46ec384980bd33eb92becd052d2ef76cd84d840105055c2bb982cd33e968384b36d5abe0ae

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm

MD5
953efcf1fd39f986ef3b76b16594f002

SHA1
82c42799bd2a004ff51105a5c040351e658b5929

SHA256
8d7c9da10d2345ef6a681734b8ddd3061126159f450aeee8e8cfd5680f64a251

SHA512
4ac6635d4be0fb5c1390ca4d86d8883062a69c2673851d9a9f7d72dd4dd88bd0e44f729884de2a1e34bb79d8928cc8c712f570a2cc2da715f86297080bbabc2f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol

MD5
eb7ec654818317e0bc8e9ba61d665e41

SHA1
6326b4d2be7ea963ecf52c7cf36f74e0ce3d936a

SHA256
dcd57597b3795bcc6bd4b946f556bd3d1527e85770b56ca6e2731761e0acbc82

SHA512
c6d1f92b8961d93404c2ac2f4fee42211fac64227828b09c2927a79f3301e0b55afe6806444cbe22fd0ca9c34221761e30926563cbf0ceb7b34c867d6ce62f49

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK

MD5
e55c5f4b08a927f401a22fb898757d24

SHA1
1bc46f775e6a0f3fb46eb57006a5a9551f58afc3

SHA256
45a12749e14dbecfb04bce0bbe079428650175e9cb4a347d154e9ab7c389f94c

SHA512
e10b8d922bd104d72e608572c5fc4711033255a024965f579b7c3bfced92ed95c2a44d1f89ae232febebc7367e9671a5f648f5c93a14492ce99c63da578321c5

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db.RYK

MD5
a7820608c60c73a968b1f7a8651c49c1

SHA1
a2bff5fcd3892710b204656855bdb316f7440fdc

SHA256
2c3eb5dd45b601574188fb14bb0a2bbf15693a2fe614e922498651b2d97d7783

SHA512
09b7b5522b4d0d9e13a137ff7c9c6b4797296a168baba1917ed8a5972320483f5f4a129e457c1f2fdab491c90ddeb9d36fec0ea021bbaf36db67e0aea9e0b0af

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\AdobeSFX.log

MD5
9cad7c7800d5bea8f46a83d062aeb8e0

SHA1
de4c126e9486a2b00d1a354cacd531520d3f5406

SHA256
b3b457eae4ef6a68118073bd7acf5217f53622321544f840763062150542cec0

SHA512
060e6e676d68761fff0e5edeb67bdd24e1cb9224e353a64af08c90ed4877aa6698199e791d6ab85ce20786b83bcdc5fcf8e4c13d881836f4af88baf3b087b598

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log

MD5
6d97fd040f689240e2bb4504fea11420

SHA1
5bc58fcbf78cb4d1e15189c892e12b54c4a29b2e

SHA256
f81ae750125117ac660aa18713d3b5ea1e41b772942ff6368abe68a4d57ed126

SHA512
460fe3a78d07591810ef7791bb5916c14a2eba8e5ed9223154a7a803babba4333977b5cfb0fd110c9e774d8e514657e5faf81253526ab3465603948475cbd941

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\aria-debug-2324.log

MD5
d42087f74b4c66b7e6ebd3d4863aca67

SHA1
6ea0b89f2138b967b2679b2261c05477c94306a5

SHA256
daad6d06e5718672caf2f9625d982f9bda84c339b987373d0fd2b0bbf73e2dbd

SHA512
ebdf6053151f45abce2877083709f1e98bb174a21e17c44bed16a4047d016bc014aa665b00f580d626908d6aa59f6f988466e88ff8619305bb9d4499483c8bbb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log

MD5
9b4cc66c7a1cde53715657ab55c7ec3d

SHA1
086b5e135c5af5f437208e605ddbfc20de4c85e4

SHA256
d63f959a6c0ed8e865df7e5c5aea9c2993ed6486e71cb9cf743471e9faa8ca21

SHA512
a4fab6ede7c5f97e53c8287429bcc659ff657126787ccf9f7b3482564b7bd936e975cde89d9d30a24ab7c787fa79187025b30e79dbc0366b3b31c750ab5b5dbf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46A8.txt

MD5
83c33df9e61b2595302bdbb09776cc9b

SHA1
0cbfba391d2cce84ebbda89fda1fca3a6e40c2cb

SHA256
dfb2fe5cef735000d2d4fc3cf6236f81dc5c0b8c5407610e5847c81c92355928

SHA512
c67f5e9d543fec72294cb06cd1d1794b8c47b2980376d72929eeaa2cc3ddbee14fa4559ee879ad2135bbba4f86698edfc0a6286c037c891891526ef97eb886b0

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46E0.txt

MD5
f13b1a56dd4f6f59f01bc6034fce9b31

SHA1
7ab007921d5e3c77f3ee6ea84098b058f96d84de

SHA256
37cd9c96287782ee36ed6ba84451e99f402d10a3bf409abc3ddd0903719e3a53

SHA512
adad3d0060cb1b33cba4d6ff36a6eed6eeb033e15efc62e70fa174d167f6d51d8e7c1a1bfc4cd4fb14224c4a407a5888ed62ee6e1bb9e896135e824ff1530155

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log

MD5
0bf549b9efed1591cd302b97f9675c9b

SHA1
76bf3f6a83ced4d9b1fedd7bc1865b77292a750d

SHA256
24a50a649994e8a6eb2a38e160199f44781f7b5edccfc1c29d287f7ce6ba8500

SHA512
0186bd9c66554fe865931c605a8f2e3fcb50d05cb924e6a3e99d7e3273e28d114401499bc46038c4cc5da7b406e1750ba181a2f2fe44290365daae8b4262f5a1

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\msedge_installer.log

MD5
1083974ea68035c2716e4816a9376c89

SHA1
7614e1ef713b03583f1361e158458662c7177bae

SHA256
23a95a95c09e40fea98952f3ee0b486cce5ab8b2e737cfc4e30b4231f5a241da

SHA512
32da0ac2807dd07bd528430a578dc3c5497922c678c71a7e745f611763786fa1a4096b8df9d18b1b01bc8a6de326d4d7d8c3154c150cbb2555bece3638c67cfd

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wctCE8B.tmp

MD5
ee20e5c356bfcccd822596332ece3a2a

SHA1
40f6e619d27e9be557961bd7f6c1934267e770e1

SHA256
2aa220008309688543286d287aac763b10f238cca5ccbc8b9a866edfefc2a95e

SHA512
4ba6e9708a405016c17730dac9776809e7d1a242d5381ca8c8c6ad7b7fc5f92dc4eaf67d1bf1e5f69909aad78f3e8b803991c2ad9ddc0ce39a6d1086cc0b1f2e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00001.jrs

MD5
503851682a65b77c236f7e889e88151a

SHA1
3d7c71b3f601438e2deadc394859db1191b0e119

SHA256
75101b185474d0dc6a64cebda5512c656d3b245e3c12f031da8bd9a5830843e6

SHA512
6c56c4e7aded5167870e6b01693da616bd57c56590314d9eeb6427fcc568076e34ea7ea2903e711b37ff500ed5dda619cb5dc291d5cc1a5925c50e6fef2808e6

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00002.jrs

MD5
c9e17baca0abdd10f5d8c88f96b25974

SHA1
0e6dd2c5eff260f235b737781301068c9ba712f8

SHA256
cb80ff9aac8493bf101e9856fadf7deb35d95e145332cf9900703e84eb0025f9

SHA512
61fdf0eaf91cf875a3e7db8416c1b7310151aad6049451c664ec8cbd6d7808d9b8221d62f6fb9eef99e287e72ed5ed37b98ea0a1d74945be719f245933ff5515

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.jtx

MD5
7320f1721023b05729bef23d1be3a29f

SHA1
394de0fd9720baf7d28e9e7e61612c2bc8eac812

SHA256
7eca20c523c7654f9cdab687f61bd3189af8674417c6932be6686e14f25c6ef8

SHA512
d1b3d760a51412b5e695f9f9015c75f95cd56424a4b0f1b00d1aa4442bb0f79b5d8ee42902d28b0c978ac5aa88fe315af94cece5acad2301b08fcbe1c1b48b64

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\temp\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\History.IE5\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\af-ZA\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-AE\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-BH\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\Documents and Settings\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.txt

MD5
ce8ea65435944d002b38721d593435fc

SHA1
005ca1257ae15a487effd424968cc89817bd458f

SHA256
ea83c203dde9f9134c53caab9c51e0b35fcfd8d296413de01bb4a3c32eea6e8d

SHA512
6f85318c4f2ee501cc60bd85dfbdfeb5506ca8899c80e039eb6d9c98b85ada4ba325fbc454b6c8ac81dc82ab4b00c42914095226acc52dc16912c087eacf9855

Download Submit
memory/2224-130-0x00007FF6B3E70000-0x00007FF6B4206000-memory.dmp

Filesize
3.6MB

Download
memory/2244-131-0x00007FF6B3E70000-0x00007FF6B4206000-memory.dmp

Filesize
3.6MB

Download