ryuk | 66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe

Analysis

max time kernel
175s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
20-02-2022 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe
Size

200KB
MD5

ebcadf583bfc61ebb3dd8a119527d829
SHA1

259be1414a0ac7892dddea0259b41094150b8d3d
SHA256

66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe
SHA512

9d1099a3cd7675b2baebd2b9b67db42800f0afd33c8ff326155c54e16328bf0b477cfff6fa3785921f1b62eeca8b8ece9afd01cdc3f6fd9f3751e5603c3a87bb

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 4412 created 3448	4412	WerFault.exe	backgroundTaskHost.exe
PID 3524 created 2720	3524	WerFault.exe	DllHost.exe
PID 3148 created 2908	3148	WerFault.exe	StartMenuExperienceHost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

sihost.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\Admin\3D Objects\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	sihost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5088	2720	WerFault.exe	DllHost.exe
3984	3448	WerFault.exe	backgroundTaskHost.exe
4028	2908	WerFault.exe	StartMenuExperienceHost.exe
3732	2720	WerFault.exe	DllHost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exesihost.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe
1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe
1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe
1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe
2216	sihost.exe
2216	sihost.exe
1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe
1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe
1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe
1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe
2216	sihost.exe
2216	sihost.exe
1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe
1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe
3984	WerFault.exe
3984	WerFault.exe
4028	WerFault.exe
4028	WerFault.exe
1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe
1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe
2216	sihost.exe
2216	sihost.exe
5088	WerFault.exe
5088	WerFault.exe
1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe
1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exesihost.exeStartMenuExperienceHost.exebackgroundTaskHost.exe

description	pid	process
Token: SeDebugPrivilege	1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe
Token: SeBackupPrivilege	2216	sihost.exe
Token: SeBackupPrivilege	2908	StartMenuExperienceHost.exe
Token: SeBackupPrivilege	3448	backgroundTaskHost.exe
Token: SeBackupPrivilege	1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exesihost.exenet.exenet.exenet.exenet.exenet.exenet.exeDllHost.exeWerFault.exeWerFault.exeWerFault.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1316 wrote to memory of 2216	1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe	sihost.exe
PID 1316 wrote to memory of 2236	1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe	svchost.exe
PID 1316 wrote to memory of 2280	1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe	taskhostw.exe
PID 1316 wrote to memory of 2520	1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe	svchost.exe
PID 1316 wrote to memory of 2720	1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe	DllHost.exe
PID 1316 wrote to memory of 2908	1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe	StartMenuExperienceHost.exe
PID 1316 wrote to memory of 2972	1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe	RuntimeBroker.exe
PID 1316 wrote to memory of 3056	1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe	SearchApp.exe
PID 1316 wrote to memory of 2812	1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe	RuntimeBroker.exe
PID 1316 wrote to memory of 3344	1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe	RuntimeBroker.exe
PID 1316 wrote to memory of 1632	1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe	RuntimeBroker.exe
PID 1316 wrote to memory of 992	1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe	backgroundTaskHost.exe
PID 1316 wrote to memory of 3448	1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe	backgroundTaskHost.exe
PID 1316 wrote to memory of 660	1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe	net.exe
PID 1316 wrote to memory of 660	1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe	net.exe
PID 1316 wrote to memory of 3204	1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe	net.exe
PID 1316 wrote to memory of 3204	1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe	net.exe
PID 2216 wrote to memory of 2476	2216	sihost.exe	net.exe
PID 2216 wrote to memory of 2476	2216	sihost.exe	net.exe
PID 2216 wrote to memory of 2640	2216	sihost.exe	net.exe
PID 2216 wrote to memory of 2640	2216	sihost.exe	net.exe
PID 2476 wrote to memory of 1248	2476	net.exe	net1.exe
PID 2476 wrote to memory of 1248	2476	net.exe	net1.exe
PID 3204 wrote to memory of 496	3204	net.exe	net1.exe
PID 3204 wrote to memory of 496	3204	net.exe	net1.exe
PID 660 wrote to memory of 2168	660	net.exe	net1.exe
PID 660 wrote to memory of 2168	660	net.exe	net1.exe
PID 2640 wrote to memory of 3400	2640	net.exe	net1.exe
PID 2640 wrote to memory of 3400	2640	net.exe	net1.exe
PID 1316 wrote to memory of 5060	1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe	net.exe
PID 1316 wrote to memory of 5060	1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe	net.exe
PID 1316 wrote to memory of 5080	1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe	net.exe
PID 1316 wrote to memory of 5080	1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe	net.exe
PID 5060 wrote to memory of 1232	5060	net.exe	net1.exe
PID 5060 wrote to memory of 1232	5060	net.exe	net1.exe
PID 5080 wrote to memory of 4472	5080	net.exe	net1.exe
PID 5080 wrote to memory of 4472	5080	net.exe	net1.exe
PID 2720 wrote to memory of 5088	2720	DllHost.exe	WerFault.exe
PID 2720 wrote to memory of 5088	2720	DllHost.exe	WerFault.exe
PID 1316 wrote to memory of 5800	1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe	net.exe
PID 1316 wrote to memory of 5800	1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe	net.exe
PID 1316 wrote to memory of 5812	1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe	net.exe
PID 1316 wrote to memory of 5812	1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe	net.exe
PID 2216 wrote to memory of 5828	2216	sihost.exe	net.exe
PID 2216 wrote to memory of 5828	2216	sihost.exe	net.exe
PID 2216 wrote to memory of 5840	2216	sihost.exe	net.exe
PID 2216 wrote to memory of 5840	2216	sihost.exe	net.exe
PID 4412 wrote to memory of 3448	4412	WerFault.exe	backgroundTaskHost.exe
PID 4412 wrote to memory of 3448	4412	WerFault.exe	backgroundTaskHost.exe
PID 3148 wrote to memory of 2908	3148	WerFault.exe	StartMenuExperienceHost.exe
PID 3148 wrote to memory of 2908	3148	WerFault.exe	StartMenuExperienceHost.exe
PID 3524 wrote to memory of 2720	3524	WerFault.exe	DllHost.exe
PID 3524 wrote to memory of 2720	3524	WerFault.exe	DllHost.exe
PID 5828 wrote to memory of 6020	5828	net.exe	net1.exe
PID 5828 wrote to memory of 6020	5828	net.exe	net1.exe
PID 5840 wrote to memory of 6084	5840	net.exe	net1.exe
PID 5840 wrote to memory of 6084	5840	net.exe	net1.exe
PID 5812 wrote to memory of 6100	5812	net.exe	net1.exe
PID 5812 wrote to memory of 6100	5812	net.exe	net1.exe
PID 5800 wrote to memory of 6108	5800	net.exe	net1.exe
PID 5800 wrote to memory of 6108	5800	net.exe	net1.exe
PID 1316 wrote to memory of 5360	1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe	net.exe
PID 1316 wrote to memory of 5360	1316	66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe	net.exe
PID 5360 wrote to memory of 5416	5360	net.exe	net1.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2236

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2520

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2720 -s 1008
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:5088

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2720 -s 1008
2⤵
- Program crash
PID:3732

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2908 -s 1388
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:4028

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2972

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3056

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2812

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1632

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:992

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3448 -s 2428
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:3984

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3344

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1248

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3400

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5828

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:6020

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5840

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6084

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:4036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:6300

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:6192

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6316

C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe
"C:\Users\Admin\AppData\Local\Temp\66973026e9f6c24e4e88f631fc72efb4c9096e67e9e726486cea4c2986512ebe.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2168

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:496

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1232

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:4472

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5800

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:6108

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5812

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6100

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5360

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5416

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:5280

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2876

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:3208

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:6324

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:224

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6308

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:6464

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:6572

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:6484

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6612

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 368 -p 2720 -ip 2720
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3524

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 484 -p 2908 -ip 2908
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3148

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 3448 -ip 3448
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK
MD5
f161e2eb50c37c88db9e43c8ed4c2a7d

SHA1
c490b3bef75e96bae0849033ae594c9b9ece165c

SHA256
a69110248329183b4039e6af14bb53c26e209b546125cfd16c2cd56606a814a7

SHA512
9d46188cfad1d2d8d8837c294e135b94a6a1ff43e9980276e0cc1f791ebfcb30fe95a27017cb9ad4fa737eb81beff1f80e5702479467738962c4ab6cb978a781

Download Submit
C:\Documents and Settings\Admin\.oracle_jre_usage\RyukReadMe.html
MD5
d9fe6793afc43f7c749d83875e83016a

SHA1
30f5fc315a83b5045215745e05055edb07652a8f

SHA256
8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f

SHA512
7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

Download Submit
C:\Documents and Settings\Admin\3D Objects\RyukReadMe.html
MD5
d9fe6793afc43f7c749d83875e83016a

SHA1
30f5fc315a83b5045215745e05055edb07652a8f

SHA256
8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f

SHA512
7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

Download Submit
C:\Documents and Settings\Admin\3D Objects\desktop.ini.RYK
MD5
dec16631fff1165ed8e6e13532c0f595

SHA1
e22173ccc5f3414e40af7a274d680e16512bee0b

SHA256
ce6873d7e990ad914797a689107c6d50d10cb3459e52e3e24cae81cc1f54046d

SHA512
144c0a54e08e522af78405f1e1005bb37f662ff2aa06060a0e1790f93b3777eae299c04c80054f6475a65db21c9e604f7345e97fee627726033129edd497c450

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html
MD5
d9fe6793afc43f7c749d83875e83016a

SHA1
30f5fc315a83b5045215745e05055edb07652a8f

SHA256
8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f

SHA512
7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK
MD5
cccca091135fb9d254c1f219516820cc

SHA1
6ce7accf9d967ae2779d0bf059cacae9d8d06215

SHA256
26099f5ee175dc32b4b15a487a448513e05decb6d4c84add62c2ae5e4f9c6d72

SHA512
86f1e412e1698ab08b1fd1f3b443f8e5155df2b73e36372a9ac0c42266260c2039f0f719917844c55da79510a0903cf31607c69039f338fcc28aa765fcd83abc

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK
MD5
dadf65d67d0e1a2b773a11e3db3ea606

SHA1
cd80a96bb5b1c631928ccd157083d66ad696cf5a

SHA256
68dbf7c7e7cd05c91d0fd19c4c6bd4a8475c4a22f42171d65651591662ba90ce

SHA512
00675f1330e3a17a3aae11c5642d4eb5d6ba0663fa3790521e8e4d97cd0ee8d955d0e6e3704fdc24d5fc331c42adef729e884965d3a0676cb6639c53f409726e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
MD5
d9fe6793afc43f7c749d83875e83016a

SHA1
30f5fc315a83b5045215745e05055edb07652a8f

SHA256
8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f

SHA512
7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK
MD5
c5378255b653c667c7fa0817d9bc1b4d

SHA1
075f161f7b72efff8f6abbdd6e6b2b263a1b592c

SHA256
0892deb9052bb28ed12610d3263be15b57605331463c07b8c05d06aca4de04d4

SHA512
227d581b26e2bf2f3025a7cb95d3781618d8de1a310de539a9991eb131ba45a30bbdd36ac33f171f1e22235b66bfc83aa71ff8fa7bbfb0910334d5e38a9bc0c7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
MD5
d9fe6793afc43f7c749d83875e83016a

SHA1
30f5fc315a83b5045215745e05055edb07652a8f

SHA256
8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f

SHA512
7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
MD5
2b1efa692f0b95b2f56cdb37b34a4faf

SHA1
147b714fa301c9160582b1d2ed29665fd41c6a2e

SHA256
4510c1934f9b88130df0c619221e353928aacfd1364ff1ab75fcd73e4f33146c

SHA512
515eac51c97f6ba634d9436095d9fe485840cbb74152001f68f262513352ec6cbd152afed86752d3ae2f705f8ec3f3e0023c07d67fa0e7c1424ca5e1a2d85572

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
MD5
33b8055b761dedbea9185240956baaa5

SHA1
71c4bfcf5a2edb1bb2f909c076f090666a68fd48

SHA256
0465d0d94a30b0225c7a9853f0c26bfde50d63bac7413b21810c596555614518

SHA512
3cddefb2bb2d9cd7608dc765fa4fb6258c236319124346b54f6a2d616eac304142589453112e4126c2a2ae45264df851b8da487fcaf85c53e052ac6516be6b05

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html
MD5
d9fe6793afc43f7c749d83875e83016a

SHA1
30f5fc315a83b5045215745e05055edb07652a8f

SHA256
8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f

SHA512
7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.html
MD5
d9fe6793afc43f7c749d83875e83016a

SHA1
30f5fc315a83b5045215745e05055edb07652a8f

SHA256
8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f

SHA512
7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.html
MD5
d9fe6793afc43f7c749d83875e83016a

SHA1
30f5fc315a83b5045215745e05055edb07652a8f

SHA256
8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f

SHA512
7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html
MD5
d9fe6793afc43f7c749d83875e83016a

SHA1
30f5fc315a83b5045215745e05055edb07652a8f

SHA256
8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f

SHA512
7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html
MD5
d9fe6793afc43f7c749d83875e83016a

SHA1
30f5fc315a83b5045215745e05055edb07652a8f

SHA256
8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f

SHA512
7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK
MD5
593b3fd30645c85a2d886dafa20e99a5

SHA1
e6bbe13e94b19d2356c7cf342d5452ef7e9d681a

SHA256
4f372a12322cc8624587b62f16acc144af94478489ac8901b6617cb6f9e6b3d7

SHA512
a610b0923354ef426f081ad391b545a90601be9b78d699ecbc991bbdf9f396ef1ee5fc2a718a0cf0eb4ada9016cfcee89f8deda5ff0a57a07ed5719c0add1335

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db.RYK
MD5
910297070288ed37498639fb03da890d

SHA1
44ae3fea30ff3a410c26f78700f360039c885084

SHA256
a3f94699e8f39766d7b199e07f27c7cd5c52ff0d96fc327cb1f3596adadf5673

SHA512
3b60b7067d3055df430f509aa7dfd1b8f287de2b1241eee5537503b795c9d46097c4fed742c8ef5395544e0a4db514bcb7b220312daa0a953fd781ca457d7d23

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.html
MD5
d9fe6793afc43f7c749d83875e83016a

SHA1
30f5fc315a83b5045215745e05055edb07652a8f

SHA256
8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f

SHA512
7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\RyukReadMe.html
MD5
d9fe6793afc43f7c749d83875e83016a

SHA1
30f5fc315a83b5045215745e05055edb07652a8f

SHA256
8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f

SHA512
7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\RyukReadMe.html
MD5
d9fe6793afc43f7c749d83875e83016a

SHA1
30f5fc315a83b5045215745e05055edb07652a8f

SHA256
8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f

SHA512
7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\AdobeSFX.log.RYK
MD5
6003e93bed1185af075fa28e11b931a3

SHA1
cc7362e2ee39bb5df796d9d1951d9edf78367aa9

SHA256
68dc7b16e8e2d2fa577a51a3db863511cfe6afa352aeb2a3d1c833692d842bd1

SHA512
8682249c0f5a279691463990e63d045d29d38faa0b59fd0cc615b7bf01b2ed41f0fddc63e3a63283ed9bba633efa88ec80acea601f66747dcd3c9eb51e4971d3

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\DO775D.tmp
MD5
773a111efa1d9c3d5752c60d495d65f3

SHA1
66bdb1a00365c1a4199db544b49efda051e9661e

SHA256
62203ac9ef86bfd41150e29f7f636718e13846b93d548af171d58c3c059f5698

SHA512
430ef61237d24e339f1431a730d09d07549c8f4c70c0d1ad0ece62011abe1b3ec505895bbd6943335f0a7cf555fc86feb5d3488fbe772ba1dcc1032da0ae30c9

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log.RYK
MD5
9f761fb989a4edae189ffacf5db6839c

SHA1
4094c140c977855a162fbb5ffe87dadb8b6edeaf

SHA256
920095c8cfd41db744a8053997465f5b01a49cc99cdc778c974cd5f7b83ec513

SHA512
fe075c7a6e0c5266849b946c2dd40e5e9cbcdfc42ef6843bebed4386afe9957ce4df675c37ae9ee3d344d236959d1f847b47b66017abcb854bc606bfc0b5fbbb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.html
MD5
d9fe6793afc43f7c749d83875e83016a

SHA1
30f5fc315a83b5045215745e05055edb07652a8f

SHA256
8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f

SHA512
7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.html
MD5
d9fe6793afc43f7c749d83875e83016a

SHA1
30f5fc315a83b5045215745e05055edb07652a8f

SHA256
8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f

SHA512
7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\aria-debug-2324.log
MD5
86758fdb4d8fdeb3ff00c6b8155eb1f1

SHA1
cf2762327f925c0064b33ebe63fd311c4eebe4cb

SHA256
51e8c05e3253315fa1ed87f0b3af61f22f563eb6438f12a9a21b35c6892c29c5

SHA512
3198c6a68ca32ca6d05ee222c6bca9a2514be7b19aaa477d7152a96ad9d30ad3437a696dae705baf6e06c73835b781eab0351a5aee1f9f41389e31bb4ed15d09

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
MD5
c2a30d2a1b41d6310e964e606441a426

SHA1
0435e73a6ccb779845251ff76e50c721e35ebc31

SHA256
87f74f755ec6e6683db0dce988926f18e211be1b1f2ef6d3fb9e0853fb8230f8

SHA512
9697db9963ddbd57712b652192e3e9b971895c27f95e603148c14da442d4813925a709e539a49fad88dc5cf914f9c1acc0b5053c612ea43c0bfcc821d48fc20d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46A8.txt
MD5
dcf3f79c826eccb89c1b04f297b88703

SHA1
f859ebec7e8b0d09c395b1f4c58a17e9663e575d

SHA256
ed07b17901db8b252f30b07d52c5ebcec5659181073f12a411d9ee658e807abd

SHA512
bf7dba1b285465dff1cdd66916be0327459665a13ec411efb9bf14904ebaf398b3521a9234214a3efcfff57eeda6caac9004d45d41fe45480e477f242ceb7b66

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46E0.txt
MD5
8acd6610dcc819d4b779075fa8aed11e

SHA1
aa1283c1edbf5f28934af012e0bbbcd619a18f74

SHA256
f7a9d1d97dbc34e243b5feb3e2cf08ea22997077c0ad5327d15af650c5dd0ccf

SHA512
f1ee1b9f96d5a009daea1dddc570ec71f37bf935174c3b254fd62ee115b77ecf32e210a95ff69d8fd32e48968cab00dc6c20c0c13a373cb4b8043a52f288b28b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log.RYK
MD5
82b7d97a956a660ddf7255a830028309

SHA1
e11b01aafcaa3b82709fbaa8bab10eea81c7573a

SHA256
37de429ac0bc781707350616172cccd6470468ad4578c5aec88f64bc7b8ae7dd

SHA512
82df9ce16d25bc505f06a626b97e776de1149f28c8ce64dbd0f1db6c8c68a860606bec62e4da816b31fe09e54c0e9939970c8acf32f91749abc241fefa942a9f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\msedge_installer.log
MD5
87ff0a8569ed3acdd61358da3b6b1296

SHA1
c235a18b8968f705742c2a4ec020aa3653e14351

SHA256
13cbbdf487b46d5a9affdf84205653f0457486da2400d2f952942b6eeee60bbc

SHA512
6168265565f44549b7f964a08f388f79f30a4c975dbae3c906284e0795b6a2a833c28710e9cf152598868883d5e34a138409754ce7b443671fe3e8bebe73026a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\offline.RYK
MD5
7d14dc339f6ae5c8ee55fcd8f1df64cb

SHA1
1bde775963728fdf807fc0ae9a6a1dc95092bd0f

SHA256
885ba3b88ecc555f92e34c0eabbda7d177da7ce00c46d9c500525343c8130d3c

SHA512
0dd1bd904e3187109702b2867cb769c7737b7f6da2c65a895eb86ff908c5c9b12ce3c994a166c1a8ee94af65d1b96c32568b835548fa6a0a30415fa91cfb3457

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\offline.session64.RYK
MD5
72c93eafa5b45f72e15402b64430e59e

SHA1
e8c70a88a19d02a8089f5701933b2276f119fa3b

SHA256
d44a8b3a0de3f8d10cf3a86915e63924e8027f023e871782c84f63884a7b6805

SHA512
0974626c29fab962c844b7c2dae0083e1b538ea7df077ffd68032db7fc1e5ab6e12a63f2e49a17ff1baf0e3d86706c3bdc3eac8c067489ef5de0e1d815ba3191

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tmp3097.tmp.RYK
MD5
12a140c2e0b2bdb98afcb735a7955a79

SHA1
9ac217fe2bd16aa389f5472ba67d41b56ba23976

SHA256
e35cb815ad7ae291b6be7455d5c734592c4756086499a1e2d89dbc83559aa328

SHA512
2eeed8f6d5183d6624c5b973bf26c9f8064f34126cf9a93694763d9e95d17e7e5449a20b60c16ab0e30f3c392e177db9d4f2ccdc5abbc8e4e3c16aa90baa0436

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\tmp3384.tmp.RYK
MD5
182d0d6566830c0364bbdc9ee7b9020b

SHA1
b341175ba6298717af3bb3f014fae6be43556e74

SHA256
56cdc3471029921514355d349f98048ae4f4bd820bf6ce73aec4c51c35e5083f

SHA512
aacc8b8469aa33db43d5d52e369e47ad5547633b038541a72d5bf81af79fabc5e4decef4a2b080e2dc52184d9c33b84c109cb0576047e0656b028ac081472ea8

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct2BC9.tmp.RYK
MD5
6dfa57593927e4d22b85e1599070f42b

SHA1
5445ffa4a05258f59bd9943a706738b6ae94d998

SHA256
a9cf343a301264ae1e1838f76f5ac57376c604c6c1761a799c5d380524c4e341

SHA512
591e4143a53b797433cc47f6fce64887f1efe673bec2c13b87cce5a85250d4017b5b5c0132152e2ebd23f7b5bf57f1b56d4f017f3653b6fb442ce37e1640a462

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct2D5A.tmp.RYK
MD5
b594fb27baef6c6386bb9bb5d21d59e4

SHA1
e2ac8cd288646c9188b3e79f521626bf53eecf4c

SHA256
57381889cb51ff7c17c57646eaaa98845ba32a2848118454d0f095e7c5e8f0e9

SHA512
e156b11cf66a1dfd994628f9defe160570d3fece6b373ec6237468d049f4d87093af5da4257182d3f6c3471d961117864a03fb417313751ff81e4178370371e3

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct530C.tmp.RYK
MD5
8e6c0fffe5edaf78343df8d0a007a927

SHA1
171e9b432da46d2c8146662bcbb023281cd84adb

SHA256
aad10f2a1473c2c4772980f4bed4f5cbe0f112a9689a35833c30e0e4b7ed1c25

SHA512
d43ae9bc1ffc823931edcc139ad7e698ae81bcbcc3811ef8538db54101cde581c8456a06585c6d67f9588ed03df10addb9acb93d47a11de4060790f227c79998

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wctCE8B.tmp.RYK
MD5
ac03e9d6ddaf48f84a4cd10b55c0a39d

SHA1
1c4183af38e653e247961272ae0d8a3b02f8d391

SHA256
806e204be30e043c9c8a1c43bfad9b3d3f9e7d79906ac93d91cf27d52f63d952

SHA512
e3e03cc5348750073e42ec1971cef361b321857f7e702f7f3ed2fb2449ba7a8a6aac2de583d3a8fa93cd107aee214e9dc1965f59e0cd0c500e3f5eb683464d0b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wctE22A.tmp.RYK
MD5
b21fe886b71b903416391e8391c5ea8e

SHA1
5a87514fac9a6455a5aca50a085cc5d672eb51d0

SHA256
196b3fbe6b670f8eca3d41453e977db36947b000b83da9497749aae01f5fdb87

SHA512
bb2ab34d3e56602eccde47439c470226fc622283ad58624ac343a4f8d425091cd28de2bf68540f780aea1dfd3daca32d4e07f738edfc2d4df8238fed73cdee4e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wctEFCE.tmp.RYK
MD5
6bca6fd6588f9dc95d9e7f7a5b622abb

SHA1
7fafc6e61e58f33ebaaead554e654c5778b16f0c

SHA256
3c313b36492df0a102124698f6fb965dd3dc63e4b459f7c831a12c39f4726675

SHA512
0dc287e8980f30028f1f3f40d9847fd00a280836f97c50bd7862ee3a0a766232ac85db4af9e25b5f7e380d61145acaa75f602734c66f0390f025774a9a84465b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log.RYK
MD5
c381fb4aa96b2000609ad167c62d6660

SHA1
76746963cc5dd5eec362264387b81b534c989947

SHA256
6e4d1b6aa4a9b6b5bb0a5333415c7b31e65504800e19e223218ef8f0d824af0f

SHA512
67d7faf90a7ab232555033bb5fc57b8b7bf5bc61168a90e59fba4bb54ae01db091cfd7cbe7dd2169bb2836601cc6c017ea56c759d6cc11fb8da36a36302e337c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\RyukReadMe.html
MD5
d9fe6793afc43f7c749d83875e83016a

SHA1
30f5fc315a83b5045215745e05055edb07652a8f

SHA256
8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f

SHA512
7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtxhe.db.RYK.RYK
MD5
2d61c53e264c9207c1681bde6dcd2be2

SHA1
4c46ef9c6f7c4eab79ac64f26cf134d6e7b95e88

SHA256
beb0fc790f813cf74b24a250d632e9818259abd747b424b8f65205bf6e6a80e0

SHA512
4f561c03c4c014632dc8a4f439ef89f5ce1253b6d9d94c8560225d6613a580f5a4eab13026d6486136d0c2549f49d3b068f23b8c971317f08e2e681b8bf1c4e2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00001.jrs.RYK
MD5
63a962ca77887ed5cca65381244b7064

SHA1
d20d7ae007d15315b0141798bf37a0a97824f9e1

SHA256
d9b9014f80e9ec106fbdf9f0aae82abdbab72f391e85f014e89fddb52c95ecf5

SHA512
1f458ca3e29ebac41f684af198bc6ece1f192c4da39420eaa979798d6635f86d410950107c1e69c9f72c2fea2cd925667e6c9a90452c2d4588f5d80890836650

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00002.jrs.RYK
MD5
c62df17d9e0c83e9f70651e7d8188fa6

SHA1
95a65223be1b37cb2925c003a021887eec445132

SHA256
4195e515c8fa58ba70d9b99eefa07504c0541cd6c0c3e75d35326f650cabcde9

SHA512
1b079c8c7690c513e3184ced580bef4fcfaee991529bb40ba35336f31f6b8c74437fa0ef998426ff23d23497eb595435a139ec00f5d3d19046556afde2bf8782

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.jtx.RYK
MD5
188e02ed39b8d60c167c13ba75859d14

SHA1
11054b79cb37351f09f20669086a48e301fd0d47

SHA256
8001850d14b150c298718be6ec23545a40dabca42963453c0bda4dbe66913d9b

SHA512
fa7a4063d839c9a193976fe7861b5f499197339afb56e669c4a11d574dc722e0a982dcab0d9676a75ed9f424156e6da83e8bc393acdd70299ed4a39479685f6b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm.RYK
MD5
50861a66ac478812ac0185149f557e90

SHA1
504de48a2b5ff5b30870b87c758a7eb97bdb2093

SHA256
250bb381f8a27fd3293f4c3f1ee24c9399b80a613e5227aea232156c1778408e

SHA512
c091ace22deb1f7ef4d55b716c05122d1a960b64deae7f42df8cd6c917bb14d8ddaf285433f13b641de50090d9795ceaf4cff0869a32abf109dba8416238e8f5

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol.RYK
MD5
9b36a4eace62ded2605701cbce7bba33

SHA1
50095b8b4f02bba62cb81a086b96b4714eb374e5

SHA256
4a47f1bc99f90f49c70b0c46fdad4be00c5b729431dbfe1c74fa507e307457a7

SHA512
8324490da60dc58053ce47c501a995a014dddaafd980a6ccabc671099ac0f2a82dbcd4f83b928691a056e1eabdacf5acbd9fae712aa6f04e699607b879cc6c14

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\RyukReadMe.html
MD5
d9fe6793afc43f7c749d83875e83016a

SHA1
30f5fc315a83b5045215745e05055edb07652a8f

SHA256
8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f

SHA512
7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\RyukReadMe.html
MD5
d9fe6793afc43f7c749d83875e83016a

SHA1
30f5fc315a83b5045215745e05055edb07652a8f

SHA256
8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f

SHA512
7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\temp\RyukReadMe.html
MD5
d9fe6793afc43f7c749d83875e83016a

SHA1
30f5fc315a83b5045215745e05055edb07652a8f

SHA256
8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f

SHA512
7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\L.Admin.cdp.RYK
MD5
380caaeea370ca45f26e139a0627ed65

SHA1
c6b854bc30d6fe37cf1ed5f6b3a16cf2964d41fe

SHA256
bd68a2294130627d11a23dc65c14a4305e25a6bcc345a9eb8cfe865f69fe0aa2

SHA512
29c9b9a8d4e4d907f1de7fb7d855f0c5981949919c86071bdc7ae9c79cfeb40b92fcf907e6695a6346b4c0d996c0bd3a4fadbf59f0fb9c97cf0ca0be946543db

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\RyukReadMe.html
MD5
d9fe6793afc43f7c749d83875e83016a

SHA1
30f5fc315a83b5045215745e05055edb07652a8f

SHA256
8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f

SHA512
7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.html
MD5
d9fe6793afc43f7c749d83875e83016a

SHA1
30f5fc315a83b5045215745e05055edb07652a8f

SHA256
8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f

SHA512
7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.html
MD5
d9fe6793afc43f7c749d83875e83016a

SHA1
30f5fc315a83b5045215745e05055edb07652a8f

SHA256
8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f

SHA512
7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html
MD5
d9fe6793afc43f7c749d83875e83016a

SHA1
30f5fc315a83b5045215745e05055edb07652a8f

SHA256
8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f

SHA512
7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.html
MD5
d9fe6793afc43f7c749d83875e83016a

SHA1
30f5fc315a83b5045215745e05055edb07652a8f

SHA256
8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f

SHA512
7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.html
MD5
d9fe6793afc43f7c749d83875e83016a

SHA1
30f5fc315a83b5045215745e05055edb07652a8f

SHA256
8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f

SHA512
7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

Download Submit
C:\Documents and Settings\RyukReadMe.html
MD5
d9fe6793afc43f7c749d83875e83016a

SHA1
30f5fc315a83b5045215745e05055edb07652a8f

SHA256
8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f

SHA512
7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.html
MD5
d9fe6793afc43f7c749d83875e83016a

SHA1
30f5fc315a83b5045215745e05055edb07652a8f

SHA256
8869460caab24865dcf32cf568180dcf6259a772ea4eea1826fec3796e1dd19f

SHA512
7c7b752591c9b84d85521749bccf31501168caf824bf086a5455655b61866273304247ac55ee9b51f97eea6c4d229281f4ee3fe4687d537b81152391239deef7

Download Submit
memory/2216-130-0x00007FF6C1B00000-0x00007FF6C1DDA000-memory.dmp

Filesize
2.9MB

Download
memory/2236-131-0x00007FF6C1B00000-0x00007FF6C1DDA000-memory.dmp

Filesize
2.9MB

Download
memory/3448-132-0x00007FF6C1B00000-0x00007FF6C1DDA000-memory.dmp

Filesize
2.9MB

Download