ryuk | 8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0

Analysis

max time kernel
173s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
20-02-2022 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
Size

206KB
MD5

0b8e9a08a7589c90266cf4cc724614f9
SHA1

eed7f84bbaa034d377cbb1f394c7b8c27f3fbd4a
SHA256

8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0
SHA512

fc7df8d676f07251113636954b9b97e648bdaaee22412cb7fb92ae270944759f852c77d226c0227dc0c5e4a7c10d2e1ce16c60a095427a5ae503c293856c2dad

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 1432 created 2736	1432	WerFault.exe	DllHost.exe
PID 4548 created 3360	4548	WerFault.exe	backgroundTaskHost.exe
PID 1564 created 2832	1564	WerFault.exe	StartMenuExperienceHost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

sihost.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\Admin\3D Objects\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	sihost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4632	2736	WerFault.exe	DllHost.exe
5852	2832	WerFault.exe	StartMenuExperienceHost.exe
5844	3360	WerFault.exe	backgroundTaskHost.exe
5860	2736	WerFault.exe	DllHost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exesihost.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
2172	sihost.exe
2172	sihost.exe
3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
2172	sihost.exe
2172	sihost.exe
3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
5844	WerFault.exe
5844	WerFault.exe
5852	WerFault.exe
5852	WerFault.exe
4632	WerFault.exe
4632	WerFault.exe
3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
2172	sihost.exe
2172	sihost.exe
3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exesihost.exeStartMenuExperienceHost.exebackgroundTaskHost.exe

description	pid	process
Token: SeDebugPrivilege	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
Token: SeBackupPrivilege	2172	sihost.exe
Token: SeBackupPrivilege	2832	StartMenuExperienceHost.exe
Token: SeBackupPrivilege	3360	backgroundTaskHost.exe
Token: SeBackupPrivilege	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exenet.exenet.exesihost.exenet.exenet.exenet.exenet.exeDllHost.exeWerFault.exeWerFault.exeWerFault.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 3844 wrote to memory of 2172	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	sihost.exe
PID 3844 wrote to memory of 2192	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	svchost.exe
PID 3844 wrote to memory of 2240	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	taskhostw.exe
PID 3844 wrote to memory of 2548	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	svchost.exe
PID 3844 wrote to memory of 2736	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	DllHost.exe
PID 3844 wrote to memory of 2832	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	StartMenuExperienceHost.exe
PID 3844 wrote to memory of 2896	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	RuntimeBroker.exe
PID 3844 wrote to memory of 2976	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	SearchApp.exe
PID 3844 wrote to memory of 2868	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	RuntimeBroker.exe
PID 3844 wrote to memory of 3392	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	RuntimeBroker.exe
PID 3844 wrote to memory of 1392	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	net.exe
PID 3844 wrote to memory of 1392	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	net.exe
PID 3844 wrote to memory of 544	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	backgroundTaskHost.exe
PID 3844 wrote to memory of 3876	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	net.exe
PID 3844 wrote to memory of 3876	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	net.exe
PID 1392 wrote to memory of 3416	1392	net.exe	net1.exe
PID 1392 wrote to memory of 3416	1392	net.exe	net1.exe
PID 3876 wrote to memory of 3472	3876	net.exe	net1.exe
PID 3876 wrote to memory of 3472	3876	net.exe	net1.exe
PID 3844 wrote to memory of 3360	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	backgroundTaskHost.exe
PID 3844 wrote to memory of 1952	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	RuntimeBroker.exe
PID 2172 wrote to memory of 2748	2172	sihost.exe	net.exe
PID 2172 wrote to memory of 2748	2172	sihost.exe	net.exe
PID 2748 wrote to memory of 3620	2748	net.exe	net1.exe
PID 2748 wrote to memory of 3620	2748	net.exe	net1.exe
PID 2172 wrote to memory of 3440	2172	sihost.exe	net.exe
PID 2172 wrote to memory of 3440	2172	sihost.exe	net.exe
PID 3440 wrote to memory of 3256	3440	net.exe	net1.exe
PID 3440 wrote to memory of 3256	3440	net.exe	net1.exe
PID 3844 wrote to memory of 4972	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	net.exe
PID 3844 wrote to memory of 4972	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	net.exe
PID 3844 wrote to memory of 5004	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	net.exe
PID 3844 wrote to memory of 5004	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	net.exe
PID 4972 wrote to memory of 4748	4972	net.exe	net1.exe
PID 4972 wrote to memory of 4748	4972	net.exe	net1.exe
PID 5004 wrote to memory of 5588	5004	net.exe	net1.exe
PID 5004 wrote to memory of 5588	5004	net.exe	net1.exe
PID 2736 wrote to memory of 4632	2736	DllHost.exe	WerFault.exe
PID 2736 wrote to memory of 4632	2736	DllHost.exe	WerFault.exe
PID 4548 wrote to memory of 3360	4548	WerFault.exe	backgroundTaskHost.exe
PID 1432 wrote to memory of 2736	1432	WerFault.exe	DllHost.exe
PID 4548 wrote to memory of 3360	4548	WerFault.exe	backgroundTaskHost.exe
PID 1432 wrote to memory of 2736	1432	WerFault.exe	DllHost.exe
PID 1564 wrote to memory of 2832	1564	WerFault.exe	StartMenuExperienceHost.exe
PID 1564 wrote to memory of 2832	1564	WerFault.exe	StartMenuExperienceHost.exe
PID 3844 wrote to memory of 5952	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	net.exe
PID 3844 wrote to memory of 5952	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	net.exe
PID 3844 wrote to memory of 5964	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	net.exe
PID 3844 wrote to memory of 5964	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	net.exe
PID 5952 wrote to memory of 6052	5952	net.exe	net1.exe
PID 5952 wrote to memory of 6052	5952	net.exe	net1.exe
PID 5964 wrote to memory of 6064	5964	net.exe	net1.exe
PID 5964 wrote to memory of 6064	5964	net.exe	net1.exe
PID 2172 wrote to memory of 6128	2172	sihost.exe	net.exe
PID 2172 wrote to memory of 6128	2172	sihost.exe	net.exe
PID 2172 wrote to memory of 6140	2172	sihost.exe	net.exe
PID 2172 wrote to memory of 6140	2172	sihost.exe	net.exe
PID 6128 wrote to memory of 5436	6128	net.exe	net1.exe
PID 6128 wrote to memory of 5436	6128	net.exe	net1.exe
PID 6140 wrote to memory of 3832	6140	net.exe	net1.exe
PID 6140 wrote to memory of 3832	6140	net.exe	net1.exe
PID 3844 wrote to memory of 2800	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	net.exe
PID 3844 wrote to memory of 2800	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	net.exe
PID 2800 wrote to memory of 3488	2800	net.exe	net1.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2896

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2868

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3392

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:544

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3360 -s 3052
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:5844

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1952

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2976

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2832 -s 2752
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:5852

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2736 -s 392
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:4632

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2736 -s 392
2⤵
- Program crash
PID:5860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2548

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2192

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3620

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3440

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3256

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:6128

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5436

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:6140

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3832

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:952

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:6184

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:2864

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6176

C:\Users\Admin\AppData\Local\Temp\8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
"C:\Users\Admin\AppData\Local\Temp\8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3416

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3472

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:4748

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5588

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5952

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:6052

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5964

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6064

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3488

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:2164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:4160

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:6084

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:6160

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:4156

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6168

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:6284

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:6344

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:6372

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6956

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 2736 -ip 2736
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 2832 -ip 2832
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 3360 -ip 3360
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK
MD5
abf0d9bf3a26d0ecc6bbd7122fd54c87

SHA1
8c8c9bf5f8ea3ce2a0f75fd4d1fef89c3684c8e4

SHA256
1c58aa5df3df04eccc7c3f4706f207c71179a339a3713ddb15bdb12374fa2ae6

SHA512
5027fb9a8d37308279c963a0b2ee1c8820424625b7c3949d0f4c0bfaf45a81be5008089a6851e0c6b9a137852a03443ffe69367aeb7c981c24b9b363117302db

Download Submit
C:\Documents and Settings\Admin\.oracle_jre_usage\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\Admin\3D Objects\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\Admin\3D Objects\desktop.ini.RYK
MD5
297f7b71e59cc99d3c5c11223354d719

SHA1
c8473fcac8e36734cf1cddb36147cdce6656f53f

SHA256
89f86d973947fcf628e6883d17091d6273190780bda52e388943b558bd170e7c

SHA512
aaa9482607165d3f7ce1a41c14bbac2d0b364da5228f2c7737ab92bd8d1c47caa283751059159bf9a2acd7b98618685905d53f262a96036d10aae99e94cab5ca

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK
MD5
6c3a665ae1616c55a5346c001c885244

SHA1
9fcc2e1c3ea7b94cb149b5453b483f40df7de1ff

SHA256
478b0842aff35c707161b2d84de381cbaa87f3065c61435fac49ef3d387ca34f

SHA512
5fed407147ee0902270ac9c27877518817ab2f7788d57a0f75d6f46dcf095f64fbaa6b0ce032219d44eee45410a04cba80649eb266d307448bc60859eab6d55a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK
MD5
481e3366de49767022ae2ddae685965b

SHA1
7564d8b40149c965510ef60dfddff8914ec12f43

SHA256
e13af340e0efb9340a23b355ef02de7642e590f91fb8faedf39f4c5681b5d5ca

SHA512
c8310f464c84747c567ba809a9bbb1f82617c1ed33affc5ddc567e01c96ecd8490c3a5fe249bef1e36f7ebc585cf9987da7064fd90adbdaecda0f14c475d6fcf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK
MD5
247bdd817b0c40926bf4f5f43c93f43c

SHA1
3b40509782d62b11d5cdf7d496867031bbe6c030

SHA256
064be7b877719a2a6c0feb7bb842942aed965d18c0a8b8492e23854c8b0b8d63

SHA512
8a95552f866f1ddf961c122258dc21813369ab298f50979eb10f181387525c958d9b1f514bff58ea79868b2fa1a4da9ad8f23b688549a362d81152fd05aec7a6

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
MD5
f4b779a3789d887a600c86e07e069c79

SHA1
372af8ddcbbc439eaa8f9caff0370ad27650748d

SHA256
a9917a4da4e2f5b15cec080fde7197402384a79f4a5a361550eab0e2980f2d74

SHA512
5bb38437ab8e7478b9f35d4b99f6a9edbc8d47ac676b35e0a43bd9b4a61a4e1524d9a0624c4ce8d902c3406ce4793224594b94f32539747181eef5e9784f18b6

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
MD5
05179235b73ec88197ce2cb5e9af7db5

SHA1
a54a01d10278b9c8d259e61e3391fc7543cd1e0a

SHA256
9db8810edb0be29f7a007ad17f8d6be76320298048b2905d7e782a451455d9c7

SHA512
95184c59f67ff073c06a2de9704a4603fe33d817502b1bc6ef3f70c825b0185ffc4709f06d63b16ec2a1efccecde1b3de251cb00a127366def9808819e34663f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK
MD5
2560bffce65524cb873b196f122bd9b4

SHA1
1a21d67f17df854ce8f1e178d5d4c18cef354937

SHA256
17eeb49d5502ca3d63aedcd3d91a3f8aff2343f757bdd3d57ebd7f980f5c36c7

SHA512
fbaab054f1c62919aea2a984dbaa9aa8be81084a3ec75336a6fe443bff7533b4130c3bcdc55394941581be0bf1e38c607423eda7203974a31ac585e828fc2062

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db.RYK
MD5
fd88fdbbbbdaa557a3eb04a9a0524c2e

SHA1
4248817ef804e0067cb2cae3f21e2a231bd0bd1e

SHA256
ca9cc84fa528bb647c04704f5c71b3aeba6d6e2af421d8feb144e059351abc55

SHA512
33f4adeb6bbb5d24b0dfb804fe2ad4aa0d20f0007df4561e04df9a635b32e2dd9ea3f826c05a3246e5a29a1d7fb49b261ef6b9c90bc86c907f9a9a6bec336364

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\AdobeSFX.log.RYK
MD5
ef81800e53f39d2bf8e758dd235929ad

SHA1
a265814946802d2e6285f0646e44c2629deb4ab5

SHA256
d48141e816c325d954b2a197236f8ce6ce5af8d4ab25a6d816b3bd600ec06cdc

SHA512
709dd2074928c6d2751acd8439d074cbe1574945492beb03aab34e195bb0b8840052751def42f849586b751ff963e31122bc12fe28188799b4d48e8a7ae5cb58

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\DO775D.tmp
MD5
2d96fa73767f164dbd3484a3d5be149c

SHA1
b0c4faf5f6afde0ac0def0eaf0c57bbdb8fb8a3a

SHA256
95d99cfa40677235e0022f4b6b2a1f81a21a95c4f1c1e4bceac02ea64ee2b430

SHA512
43a7053f8c9c9f78ff9e719830c0befb82485d10cd8211277c0567664c991806e57c33b179086a9be51726e09fd8586b6275a40535642d88b52d67432b9a27a1

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log.RYK
MD5
9e8972ba54e3196da2df0c8c3840808b

SHA1
3564f6188c4b2f0d5144ae1b87e8eda31bc213c8

SHA256
b03218b7dd460b85618ac5df903e2b74066e2eda9ae9b310d756c164a9dab0f7

SHA512
a06924539310bc7893481852a3e6284a4c75b25a613a1e36a10731a1c3dc19b9faa410aec90a1b5fade6051dba9cbd1f3d07b95d5046d758cbdc4b7726838d91

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\aria-debug-2324.log
MD5
665251586690147809610c7f405c4f9e

SHA1
c7ae18177dbc7663ecd139ef3c2e35aed3709884

SHA256
2df2ee5b604ac5538c77959038d7ddcab3c1ecbbd958b3a737e41942163d4dbf

SHA512
cb1215846a4229addc934522bac4df0dd05f23e2d405025371a82c87363014809fa2fefd227c069f031c6bd3b556bc1499c6a90afcd0c0187ac5619983f8238f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
MD5
926511722a8fc62e7a391da9e6d3adcd

SHA1
a14db7323d1dca1f90d25059447fc59c9370b731

SHA256
70789c77597704cfec662ab5f7fb59fdf3c3e2a8ab2ea9245f21eaf61cbd105e

SHA512
bc3821361f66b88d9baf23de5cb4d89f250c39c2fbd3def05346af6afd47bcccbe086b8b16a7b56bfb9b09f0c74b07ce91a7f96f4645c4c3d281ca8a4328b7e8

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46A8.txt
MD5
0b3f702c23d0f2583420c816c6843634

SHA1
744a273d7ce11ca2d2de49f5e7827761e08363cb

SHA256
6b2b0d64e4bef334688acb6f0cdca497def73c8934866d7d766ac53659d2b0d7

SHA512
ae2ce698da5bbbb5a591489fc8e682a6199149d789455471b33b83c0e18d15dacf775307545c5df6788bc9fc30111378d216dd6731161e41226ce29a34f63598

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46E0.txt
MD5
cfe3ee91c375990e1db829f630f95c48

SHA1
14f9f79cea1e8f2560d9f5f257d6c06192262b23

SHA256
2ff92365b82657234bafccb16ef3dd9f41a2b825d408d3f2671e0916e961df4b

SHA512
587cd22bd0ad1e49fb07611789790e8c1080fe43bfd66439fb45f7018d783b7c49ffc7fa4c0b47e022c286a7561f47ea86e47f8036f1f57d757a07a456301b09

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log.RYK
MD5
8e999934c9ac091bbab09a2dda3d24e7

SHA1
6c455dccfa5a1902e97215796f87bc8914d289e9

SHA256
56ffc98061a98e9850a0f8a5005e05c85b9ad116f9d380a254c2ba362c99ff4e

SHA512
5d44bba6eb2912b81eba8a93e180e65564f503f2d6f1464c033c4aff3a3f05f2edab9b680bd6a62aa00471fb888ab0065d933e840ce6e7e0eebb553d31f89c24

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\msedge_installer.log
MD5
3bea9abd10c69fb4853bc820fbc6ca17

SHA1
71e38b9c8a6eaa200aeb38354fe31733096e85b5

SHA256
5939557bc75e4fba87280534716793cca75116d00e2963b420442fe9b0bc485c

SHA512
1345e0b1e44438f99a01a342975d734691493d520274be5469b7f62f95b2835a69bbc707af915138c805f2f0cf194e932bb8ea18aefbc29156155e44f642efea

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\offline.RYK
MD5
ba9906a126e9c0b288e8a7d7d9964d23

SHA1
ea39d8e193c028e3b70c9f6e41f124ddc97b343f

SHA256
b6ea97d66bcb4392a50fe95994c2886a5e0d358d7723fc76e374b4e4b3d828f6

SHA512
26ecb8e3fe71db576ceab5c138330a2c52fb7dc0e5a79105e49692b479ca68224008fcceb4c759d61297a4695539abac1a87bf0e9bab1d89c211217595f1de9c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\offline.session64.RYK
MD5
c9860675b04ce055aa4e9bb6cdcc580a

SHA1
529e8869583df34a5066770a0d72b8c72f9bf355

SHA256
9cd0b60d8247ef85705a521856573a739f7d6b46c0dfabbfe28f5e70480ff5d1

SHA512
14183254f3639d8cfa88389bfa62cb55dc5ace0478d38e39e51d03db253f2a584cff2f2d467a743f2dfd60bb87cc36bba685520a527272d040e68646c794b354

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tmp3097.tmp.RYK
MD5
15526c43b9c35aa6d8d836a0e63c3345

SHA1
39f605daa972db8e5846e4b2c9f412c350877272

SHA256
9e33b760d5b425308466cc506765c44507d598a1d699e0824ca63d834612ee39

SHA512
a83ac5fc16c7410c0d499d207d43e1d27a1b0e8e194cb31c0126e96105aa25c7e43b7c9f30fb944840fe92321662bfd9f22f2c2dff3629b28207be77832451cd

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tmp3384.tmp.RYK
MD5
9104e5dd21cedbff50ce55749e292b6e

SHA1
faab361bdd0effcc6f35b272e242ea720edf2d80

SHA256
e405a0d72fa7891956484d5ef4d88a0f5d62824ea14f1deb76c954f955e031a7

SHA512
92d6e47aada9bac1d4aa2b4936c4a3c79df01ff9b7900ce3121c7e1bfc9962e2c1b70d98d29aece2ecfc1f5feb993e957bcd3d1a46c79b6641cb8ff03a768977

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct2BC9.tmp.RYK
MD5
853eef71184fed7fcca90cd347e129fb

SHA1
d757f23b13728e1f4172b8c8fdc85c3857579ddf

SHA256
0d40c36efd51d73c581cf72dcde2841f2aeff63f7b581e2cfa6c5469c4b9acc2

SHA512
888fad0df61a5af1b564337fdf08290228b79e9ab9bbb7c465a67b104e4b32867a6ef73dc015db5e7e9e75f5443550a4b36c9214d0f005588729c8e88937e20d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct2D5A.tmp.RYK
MD5
e8b69af4fd0d592770d70fd6fad20238

SHA1
3309475b74d282f865e7b94e86180d6101be4fbf

SHA256
b4cc6685e24b694fb41ec19f7afdf5cb87480e876b04ad217f93068d5fd823f1

SHA512
00fba3ff47f3022e4e5a184de8592bd0f16d1d741eb4570a2c40abf0dae55ac4125a8e22405e50b658a1460abacc9277bd3935849a496761dbb6ff6eace026b2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct530C.tmp.RYK
MD5
50b3b5597b2eed920b12732fbd98aa1b

SHA1
c1d56d5ed5e116290f49801650366560f1cb18d5

SHA256
67dfb936d704ee025d8004fc7cd71226b660925c2333ea29e9ed35d6a4718a9d

SHA512
847fadcc63d98d2e5d0d1d850432f21de87f856a5d58b88d482c860228e03478b02efffd5ea530796883064f25e2f6f00150d23cd5f7e831f70ec6278da419bf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wctCE8B.tmp.RYK
MD5
faccf1ac81e9558be8c7c54a2ad08727

SHA1
0830d93e622e662f9347164d7d73a387ee1e7bb6

SHA256
233da8ec188e8cbb1331f2d43ac87599959ddcbaa5f51aaac6cf473eb98ea8cf

SHA512
e071d8c59f47ac241aa429bee2bf413b736f6ebe2252662552e2b47da28f75f3c29e50afea650a1db2b49d79e43d9d805ffa0a114902bdf8de06438157c40ff2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wctE22A.tmp.RYK
MD5
ec23a23a804599468d34c2bd033efc58

SHA1
0dc1a5d16cb6c427b7b1c1e760863d371b2c7796

SHA256
126d1e075f3de9915ee1ff01f4aafadceafffccc5342ebc6e40d1205e7a9b359

SHA512
53527d5878dc8c5576140191c414311f543b83bcd195e738a294080a028eb5420b0eb429d0c8fea0b46b30fb6d689a5f377784b3736d3da59e3382ebf825f82f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wctEFCE.tmp.RYK
MD5
a5ab3e263a9b32e8813622ff1cb5a893

SHA1
4cb76471d49492137354893f28da4dbdd9198d73

SHA256
d6bd563f3a8e701be7a0c5a5b80001917a3123b55e3ea3e0e3a8c90fa9d3bbbc

SHA512
fed924978ccb55bba68a91abd1f9cc4ededff67aa1af1f3f14ff864fa05e20e8e6e83160a5c08e8fa6b1cc40fe5a2f22c03404ad1c150a13a0d54097a991f91d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log.RYK
MD5
ad2accd9b7f01e2f19700e3356d0c611

SHA1
0e2652fa27dabfa2a1a24df12826a5ac0c2aec86

SHA256
6ee2e5dab36a08bf8cd07d3ac425c9c3c3ed1c73804567bc23929445c8862ff6

SHA512
2b32fe4c237a42b83366c97e0e67c8c7bbbff7be1ff01a4effbbd9391ef9780fd78d9142173c74beff829e235b03b9f97ee685399e85aa568365cc46ef20d56c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm.RYK
MD5
5d33e4bfc57396148c2c7ea07dda030d

SHA1
c7a3131ae78e05007bf53975ce21299cd67ed191

SHA256
61f2af938b5e6a571221169de873e655bfaa02ad316ad1b303dfcb98049a0150

SHA512
72b2df926bca904cd49b15d61c132926b8f66fdc837188e407b16c0c362f92c0f2d0d0b257e068460294cca122d4964593d6994bba7d69b7b7e01cebcdc7d70f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\temp\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\History.IE5\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\Documents and Settings\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.html
MD5
c06d67725422aa2ee42d69e1ac2ce8ce

SHA1
c24fc421155ab66a4481019f91de8679faf217bb

SHA256
7264ccd14f35a1eebd8f552383929271effd512077595fe8d69dcae7b37f9367

SHA512
814d8f412ab4fcc2c2d675240f131bd2d48d4c71bb8ccddd9499f9433b723612de94c71e63c96247f6ad7271b07f994a6735050a66ab9d11eea9f50379995d46

Download Submit
memory/2172-130-0x00007FF7C93D0000-0x00007FF7C96AB000-memory.dmp

Filesize
2.9MB

Download
memory/2192-131-0x00007FF7C93D0000-0x00007FF7C96AB000-memory.dmp

Filesize
2.9MB

Download
memory/3360-133-0x00007FF7C93D0000-0x00007FF7C96AB000-memory.dmp

Filesize
2.9MB

Download
memory/3392-132-0x00007FF7C93D0000-0x00007FF7C96AB000-memory.dmp

Filesize
2.9MB

Download