Analysis
- max time kernel: 176s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 20-02-2022 07:12
- Static task: static1
- Behavioral task: behavioral1
  Sample: 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
  Resource: win10v2004-en-20220112
General
- Target: 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
- Size: 202KB
- MD5: ab390eb9f4302cb3ecfbf63027e177ca
- SHA1: 1b84a4c57c6e54a13db6cd49b7e1673b97d02d0f
- SHA256: 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177
- SHA512: ce7152a2a844a7e2fc7134e5125823ebdcc355191f73d687af282b8f3b3f123a68990e51402d35d6ac6ebf44ac8abe54303cb381b946868316415b8caa1e2d77
Malware Config
- Extracted from: C:\RyukReadMe.txt
- Family: ryuk
Signatures
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
- Suspicious use of NtCreateProcessExOtherParentProcess (2 IoCs)
  Processes (description | pid | process | target process):
  - PID 5080 created 1180 | 5080 | WerFault.exe | BackgroundTransferHost.exe
  - PID 4556 created 2908 | 4556 | WerFault.exe | StartMenuExperienceHost.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
  - Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
- Drops desktop.ini file(s) (3 IoCs)
  Processes (description | ioc | process):
  - File opened for modification | C:\Documents and Settings\Admin\3D Objects\desktop.ini | sihost.exe
  - File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
  - File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini | sihost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (3 IoCs)
  Processes (pid | pid_target | process | target process):
  - 4476 | 2812 | WerFault.exe | DllHost.exe
  - 5792 | 1180 | WerFault.exe | BackgroundTransferHost.exe
  - 5784 | 2908 | WerFault.exe | StartMenuExperienceHost.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  - Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  - Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
- Modifies registry class (2 IoCs)
  Processes (description | ioc | process):
  - Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable | RuntimeBroker.exe
  - Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System | RuntimeBroker.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (26 IoCs)
  Processes (pid | process):
  - 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
  - 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
  - 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
  - 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
  - 2284 | sihost.exe
  - 2284 | sihost.exe
  - 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
  - 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
  - 2284 | sihost.exe
  - 2284 | sihost.exe
  - 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
  - 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
  - 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
  - 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
  - 4476 | WerFault.exe
  - 5792 | WerFault.exe
  - 5792 | WerFault.exe
  - 4476 | WerFault.exe
  - 5784 | WerFault.exe
  - 5784 | WerFault.exe
  - 2284 | sihost.exe
  - 2284 | sihost.exe
  - 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
  - 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
  - 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
  - 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
  - Token: SeBackupPrivilege | 2284 | sihost.exe
  - Token: SeBackupPrivilege | 2908 | StartMenuExperienceHost.exe
  - Token: SeBackupPrivilege | 1180 | BackgroundTransferHost.exe
  - Token: SeBackupPrivilege | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
- Suspicious use of UnmapMainImage (1 IoC)
  Processes (pid | process):
  - 3384 | RuntimeBroker.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description | pid | process | target process):
  - PID 3172 wrote to memory of 2284 | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe | sihost.exe
  - PID 3172 wrote to memory of 2304 | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe | svchost.exe
  - PID 3172 wrote to memory of 2344 | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe | taskhostw.exe
  - PID 3172 wrote to memory of 2612 | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe | svchost.exe
  - PID 3172 wrote to memory of 2812 | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe | DllHost.exe
  - PID 3172 wrote to memory of 2908 | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe | StartMenuExperienceHost.exe
  - PID 3172 wrote to memory of 3008 | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe | RuntimeBroker.exe
  - PID 3172 wrote to memory of 772 | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe | SearchApp.exe
  - PID 3172 wrote to memory of 3128 | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe | RuntimeBroker.exe
  - PID 3172 wrote to memory of 3516 | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe | RuntimeBroker.exe
  - PID 3172 wrote to memory of 3384 | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe | RuntimeBroker.exe
  - PID 3172 wrote to memory of 3372 | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe | backgroundTaskHost.exe
  - PID 3172 wrote to memory of 1180 | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe | BackgroundTransferHost.exe
  - PID 2812 wrote to memory of 4476 | 2812 | DllHost.exe | WerFault.exe
  - PID 2812 wrote to memory of 4476 | 2812 | DllHost.exe | WerFault.exe
  - PID 3172 wrote to memory of 4528 | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe | net.exe
  - PID 3172 wrote to memory of 4528 | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe | net.exe
  - PID 3172 wrote to memory of 4752 | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe | net.exe
  - PID 3172 wrote to memory of 4752 | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe | net.exe
  - PID 2284 wrote to memory of 4732 | 2284 | sihost.exe | net.exe
  - PID 2284 wrote to memory of 4732 | 2284 | sihost.exe | net.exe
  - PID 2284 wrote to memory of 5172 | 2284 | sihost.exe | net.exe
  - PID 2284 wrote to memory of 5172 | 2284 | sihost.exe | net.exe
  - PID 2284 wrote to memory of 5228 | 2284 | sihost.exe | net.exe
  - PID 2284 wrote to memory of 5228 | 2284 | sihost.exe | net.exe
  - PID 3172 wrote to memory of 5284 | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe | net.exe
  - PID 3172 wrote to memory of 5284 | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe | net.exe
  - PID 3172 wrote to memory of 5440 | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe | net.exe
  - PID 3172 wrote to memory of 5440 | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe | net.exe
  - PID 4732 wrote to memory of 5488 | 4732 | net.exe | net1.exe
  - PID 4732 wrote to memory of 5488 | 4732 | net.exe | net1.exe
  - PID 3172 wrote to memory of 5500 | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe | net.exe
  - PID 3172 wrote to memory of 5500 | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe | net.exe
  - PID 4528 wrote to memory of 5520 | 4528 | net.exe | net1.exe
  - PID 4528 wrote to memory of 5520 | 4528 | net.exe | net1.exe
  - PID 4752 wrote to memory of 5528 | 4752 | net.exe | net1.exe
  - PID 4752 wrote to memory of 5528 | 4752 | net.exe | net1.exe
  - PID 5172 wrote to memory of 5536 | 5172 | net.exe | net1.exe
  - PID 5172 wrote to memory of 5536 | 5172 | net.exe | net1.exe
  - PID 5228 wrote to memory of 5544 | 5228 | net.exe | net1.exe
  - PID 5228 wrote to memory of 5544 | 5228 | net.exe | net1.exe
  - PID 3172 wrote to memory of 5564 | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe | net.exe
  - PID 3172 wrote to memory of 5564 | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe | net.exe
  - PID 5500 wrote to memory of 5656 | 5500 | net.exe | net1.exe
  - PID 5500 wrote to memory of 5656 | 5500 | net.exe | net1.exe
  - PID 5440 wrote to memory of 5744 | 5440 | net.exe | net1.exe
  - PID 5440 wrote to memory of 5744 | 5440 | net.exe | net1.exe
  - PID 5284 wrote to memory of 5760 | 5284 | net.exe | net1.exe
  - PID 5284 wrote to memory of 5760 | 5284 | net.exe | net1.exe
  - PID 5564 wrote to memory of 5752 | 5564 | net.exe | net1.exe
  - PID 5564 wrote to memory of 5752 | 5564 | net.exe | net1.exe
  - PID 5080 wrote to memory of 1180 | 5080 | WerFault.exe | BackgroundTransferHost.exe
  - PID 4556 wrote to memory of 2908 | 4556 | WerFault.exe | StartMenuExperienceHost.exe
  - PID 4556 wrote to memory of 2908 | 4556 | WerFault.exe | StartMenuExperienceHost.exe
  - PID 5080 wrote to memory of 1180 | 5080 | WerFault.exe | BackgroundTransferHost.exe
  - PID 2284 wrote to memory of 5336 | 2284 | sihost.exe | net.exe
  - PID 2284 wrote to memory of 5336 | 2284 | sihost.exe | net.exe
  - PID 3172 wrote to memory of 5368 | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe | net.exe
  - PID 3172 wrote to memory of 5368 | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe | net.exe
  - PID 3172 wrote to memory of 5384 | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe | net.exe
  - PID 3172 wrote to memory of 5384 | 3172 | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe | net.exe
  - PID 5336 wrote to memory of 5508 | 5336 | net.exe | net1.exe
  - PID 5336 wrote to memory of 5508 | 5336 | net.exe | net1.exe
  - PID 5368 wrote to memory of 2100 | 5368 | net.exe | net1.exe
Processes (process tree; [n] is the depth of the entry, each line gives image path | command line | PID, with the triggered signatures as sub-bullets)
- [1] C:\Windows\system32\sihost.exe | sihost.exe | PID 2284
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "spooler" /y | PID 4732
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "spooler" /y | PID 5488
  - [2] C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y | PID 5172
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y | PID 5536
  - [2] C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y | PID 5228
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "samss" /y | PID 5544
  - [2] C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "spooler" /y | PID 5336
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "spooler" /y | PID 5508
  - [2] C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y | PID 5704
    - [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y | PID 5168
  - [2] C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y | PID 6096
    - [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "samss" /y | PID 5272
  - [2] C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "spooler" /y | PID 3908
    - [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "spooler" /y | PID 1464
  - [2] C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y | PID 2776
    - [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y | PID 5776
  - [2] C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y | PID 4040
    - [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "samss" /y | PID 4512
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup | PID 2304
- [1] C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 2344
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p | PID 2612
- [1] C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 3372
- [1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3384
  - Modifies registry class
  - Suspicious use of UnmapMainImage
- [1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3516
- [1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3128
- [1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 772
- [1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3008
- [1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 2908
  - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 2908 -s 3300 | PID 5784
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
- [1] C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 2812
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 2812 -s 944 | PID 4476
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
- [1] C:\Users\Admin\AppData\Local\Temp\56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe | "C:\Users\Admin\AppData\Local\Temp\56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe" | PID 3172
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "spooler" /y | PID 4528
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "spooler" /y | PID 5520
  - [2] C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "spooler" /y | PID 4752
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "spooler" /y | PID 5528
  - [2] C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y | PID 5284
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y | PID 5760
  - [2] C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y | PID 5440
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y | PID 5744
  - [2] C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y | PID 5500
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "samss" /y | PID 5656
  - [2] C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y | PID 5564
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "samss" /y | PID 5752
  - [2] C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "spooler" /y | PID 5368
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "spooler" /y | PID 2100
  - [2] C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "spooler" /y | PID 5384
    - [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "spooler" /y | PID 5588
  - [2] C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y | PID 5728
    - [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y | PID 1480
  - [2] C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y | PID 5720
    - [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y | PID 540
  - [2] C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y | PID 4600
    - [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "samss" /y | PID 5652
  - [2] C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y | PID 6136
    - [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "samss" /y | PID 5664
  - [2] C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "spooler" /y | PID 2176
    - [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "spooler" /y | PID 5580
  - [2] C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "spooler" /y | PID 4088
    - [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "spooler" /y | PID 3100
  - [2] C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y | PID 3956
    - [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y | PID 5244
  - [2] C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y | PID 2900
    - [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y | PID 4328
  - [2] C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y | PID 3876
    - [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "samss" /y | PID 2944
  - [2] C:\Windows\System32\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y | PID 3592
    - [3] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "samss" /y | PID 3004
- [1] C:\Windows\system32\BackgroundTransferHost.exe | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 | PID 1180
  - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 1180 -s 2796 | PID 5792
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
- [1] C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -pss -s 460 -p 1180 -ip 1180 | PID 5080
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory
- [1] C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -pss -s 504 -p 2908 -ip 2908 | PID 4556
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
b3a73257b60c87d22021da9fa5bfd705
SHA1d2d38761a3ca2bab698056e4f6953a2d2d2fc8b8
SHA2568b3d00929b7628e6d78cce604433c86f666ee6066ced05d15d8ad73475cab1e6
SHA512114ebc7ca0de0ae1ddac26b655e34003d39c1b947047ad68dec8dc40e86ba037604cb12425361ce268e9a2ee831bbc4a026ff0ae94298fcbc7340aa0d4697187
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00001.jrsMD5
733350ace0cd2635c6a6526141c681c2
SHA1b767b77f214f97358f8d7534d5875d33afac2fc1
SHA256b6601472a14f9e65465dcab0889b602f2d7403f544b9efefb5f4e53f1c0e5c6b
SHA512ced33ff3aa12cfbbe471f6ebe5e50c554b37ead76828d7b9a972674dda0ca022fff8bde06651e62be6608cac9d33c76641ec8824a1f08401a1c25475253dd9da
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00002.jrsMD5
f020277acdc0bdb6308c0d68181645fd
SHA15caf1312d751c999c59ba68d564b70853849e258
SHA256d7aab0ecf2e16557402f439aeb556946d119d3828a589bfffe6c4b97331faf8e
SHA512d9c33364e310cd6af4a3004ec664fd5f35b5a473e14dd0f39402441898fd3fc3f75b5059d3ad114f3cadfe2619c4a1403a5f7c6f50e4018eecb713da7b9632ca
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.jtxMD5
ae94282a446277ed7880ddae33787858
SHA147b1ea827d263eee4e09f6ad9cffb68246cc1040
SHA2562fff47cd93f6c10cc026591ff51361614f3fddd38e608dbbe06a001e26335ab9
SHA5128131484d6b5864a5b2263c879a173852ae5e0b24cd0526f5993b2007e23ca4ccb7015464ad5c311d717ad15249db84828ac546f5e60bc16bfc4e5d453988bc8e
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfmMD5
c30369e517b6ea1fccc45b8e9c380955
SHA1a8447509033ba0e0c1c010a7e8315c912de4429a
SHA256a19ca73c8b338016f3f7a2cff260c72e0077133c02e2b27f8688f3756e4583c5
SHA512982463a523169fcebc2197cf64e3230b2125e58517bec6c840f570a1379de0fa99326ec6bdb98485c2ed0f72deea02c19665885a31dae81781f8a32da9618b19
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.volMD5
c19803bcb2a68dbf731c6b2897d50929
SHA1fcdfcb7d2ceb7831c0cd87f787df4ff5bffcd0f2
SHA2562605956b3ba2d01ffd078dd598b3bcbcc7ab4cd1ab8e77d902773f75ccf7c68b
SHA51240c12504a14ed4eecfeecccfb8cd0c65f9852cb6dc64efd602f059b77ae13578eb1c9a2122938595f42a4c1588b3eb321376ec3201361562d265ade3f7ecb44e
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\RyukReadMe.txtMD5
0d0204b608ea871911628534fabba09e
SHA1145c91a6931004a3e43affcaee629ce2f719bc92
SHA256d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002
SHA512dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\RyukReadMe.txtMD5
0d0204b608ea871911628534fabba09e
SHA1145c91a6931004a3e43affcaee629ce2f719bc92
SHA256d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002
SHA512dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\temp\RyukReadMe.txtMD5
0d0204b608ea871911628534fabba09e
SHA1145c91a6931004a3e43affcaee629ce2f719bc92
SHA256d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002
SHA512dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\L.Admin.cdpMD5
0a6910545a2efac09ac742ea66384d80
SHA188cd0570aeefd11070494642436755d6407efaba
SHA256e8fae83acddcd54db706e10ba133f4aa52032244e5c9c61d8abcd858c4369fc2
SHA512b9b842fef7bb96fb64843ac6426d857e87f194291312f5ed2ee52e80b7e75bee1563c61a042bc85d77cff1f6b22a2e4ebac80fb5659078a25dcb74765eb4af4e
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\RyukReadMe.txtMD5
0d0204b608ea871911628534fabba09e
SHA1145c91a6931004a3e43affcaee629ce2f719bc92
SHA256d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002
SHA512dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\History.IE5\RyukReadMe.txtMD5
0d0204b608ea871911628534fabba09e
SHA1145c91a6931004a3e43affcaee629ce2f719bc92
SHA256d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002
SHA512dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\RyukReadMe.txtMD5
0d0204b608ea871911628534fabba09e
SHA1145c91a6931004a3e43affcaee629ce2f719bc92
SHA256d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002
SHA512dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\RyukReadMe.txtMD5
0d0204b608ea871911628534fabba09e
SHA1145c91a6931004a3e43affcaee629ce2f719bc92
SHA256d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002
SHA512dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txtMD5
0d0204b608ea871911628534fabba09e
SHA1145c91a6931004a3e43affcaee629ce2f719bc92
SHA256d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002
SHA512dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\RyukReadMe.txtMD5
0d0204b608ea871911628534fabba09e
SHA1145c91a6931004a3e43affcaee629ce2f719bc92
SHA256d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002
SHA512dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\RyukReadMe.txtMD5
0d0204b608ea871911628534fabba09e
SHA1145c91a6931004a3e43affcaee629ce2f719bc92
SHA256d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002
SHA512dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txtMD5
0d0204b608ea871911628534fabba09e
SHA1145c91a6931004a3e43affcaee629ce2f719bc92
SHA256d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002
SHA512dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\RyukReadMe.txtMD5
0d0204b608ea871911628534fabba09e
SHA1145c91a6931004a3e43affcaee629ce2f719bc92
SHA256d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002
SHA512dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\af-ZA\RyukReadMe.txtMD5
0d0204b608ea871911628534fabba09e
SHA1145c91a6931004a3e43affcaee629ce2f719bc92
SHA256d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002
SHA512dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-AE\RyukReadMe.txtMD5
0d0204b608ea871911628534fabba09e
SHA1145c91a6931004a3e43affcaee629ce2f719bc92
SHA256d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002
SHA512dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-DZ\RyukReadMe.txtMD5
0d0204b608ea871911628534fabba09e
SHA1145c91a6931004a3e43affcaee629ce2f719bc92
SHA256d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002
SHA512dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-EG\RyukReadMe.txtMD5
0d0204b608ea871911628534fabba09e
SHA1145c91a6931004a3e43affcaee629ce2f719bc92
SHA256d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002
SHA512dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-IQ\RyukReadMe.txtMD5
0d0204b608ea871911628534fabba09e
SHA1145c91a6931004a3e43affcaee629ce2f719bc92
SHA256d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002
SHA512dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-JO\RyukReadMe.txtMD5
0d0204b608ea871911628534fabba09e
SHA1145c91a6931004a3e43affcaee629ce2f719bc92
SHA256d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002
SHA512dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-KW\RyukReadMe.txtMD5
0d0204b608ea871911628534fabba09e
SHA1145c91a6931004a3e43affcaee629ce2f719bc92
SHA256d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002
SHA512dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-LB\RyukReadMe.txtMD5
0d0204b608ea871911628534fabba09e
SHA1145c91a6931004a3e43affcaee629ce2f719bc92
SHA256d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002
SHA512dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-LY\RyukReadMe.txtMD5
0d0204b608ea871911628534fabba09e
SHA1145c91a6931004a3e43affcaee629ce2f719bc92
SHA256d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002
SHA512dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f
-
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-MA\RyukReadMe.txtMD5
0d0204b608ea871911628534fabba09e
SHA1145c91a6931004a3e43affcaee629ce2f719bc92
SHA256d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002
SHA512dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f
-
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txtMD5
0d0204b608ea871911628534fabba09e
SHA1145c91a6931004a3e43affcaee629ce2f719bc92
SHA256d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002
SHA512dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f
-
C:\Documents and Settings\Admin\AppData\RyukReadMe.txtMD5
0d0204b608ea871911628534fabba09e
SHA1145c91a6931004a3e43affcaee629ce2f719bc92
SHA256d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002
SHA512dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f
-
C:\Documents and Settings\Admin\RyukReadMe.txtMD5
0d0204b608ea871911628534fabba09e
SHA1145c91a6931004a3e43affcaee629ce2f719bc92
SHA256d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002
SHA512dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f
-
C:\Documents and Settings\RyukReadMe.txtMD5
0d0204b608ea871911628534fabba09e
SHA1145c91a6931004a3e43affcaee629ce2f719bc92
SHA256d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002
SHA512dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f
-
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2MD5
93a5aadeec082ffc1bca5aa27af70f52
SHA147a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SHA512df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45
-
C:\RyukReadMe.txtMD5
0d0204b608ea871911628534fabba09e
SHA1145c91a6931004a3e43affcaee629ce2f719bc92
SHA256d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002
SHA512dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f
-
memory/2284-130-0x00007FF782600000-0x00007FF782995000-memory.dmpFilesize
3.6MB
-
memory/2304-131-0x00007FF782600000-0x00007FF782995000-memory.dmpFilesize
3.6MB
-
memory/2812-189-0x000001F80E3C0000-0x000001F80E3C1000-memory.dmpFilesize
4KB
-
memory/2812-188-0x000001F80E400000-0x000001F80E408000-memory.dmpFilesize
32KB
-
memory/2812-151-0x000001F80E050000-0x000001F80E051000-memory.dmpFilesize
4KB
-
memory/2812-162-0x000001F80E410000-0x000001F80E411000-memory.dmpFilesize
4KB
-
memory/2812-160-0x000001F80E420000-0x000001F80E428000-memory.dmpFilesize
32KB
-
memory/2812-149-0x000001F80E3C0000-0x000001F80E3C8000-memory.dmpFilesize
32KB