ryuk | 56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177

Analysis

max time kernel
176s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
20-02-2022 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
Size

202KB
MD5

ab390eb9f4302cb3ecfbf63027e177ca
SHA1

1b84a4c57c6e54a13db6cd49b7e1673b97d02d0f
SHA256

56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177
SHA512

ce7152a2a844a7e2fc7134e5125823ebdcc355191f73d687af282b8f3b3f123a68990e51402d35d6ac6ebf44ac8abe54303cb381b946868316415b8caa1e2d77

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Only we have exclusive decryption software, suitable for your situation. More than a year ago, world experts recognized the impossibility of such encryption deciphering by any means except the original decoder. No decryption software is available in the public. Antivirus companies, researchers, IT specialists, and any other persons cannot help you to decipher the data. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM � files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us a [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description	pid	process	target process
PID 5080 created 1180	5080	WerFault.exe	BackgroundTransferHost.exe
PID 4556 created 2908	4556	WerFault.exe	StartMenuExperienceHost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

sihost.exe56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\Admin\3D Objects\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	sihost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4476	2812	WerFault.exe	DllHost.exe
5792	1180	WerFault.exe	BackgroundTransferHost.exe
5784	2908	WerFault.exe	StartMenuExperienceHost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Modifies registry class 2 IoCs

Processes:

RuntimeBroker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exesihost.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
2284	sihost.exe
2284	sihost.exe
3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
2284	sihost.exe
2284	sihost.exe
3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
4476	WerFault.exe
5792	WerFault.exe
5792	WerFault.exe
4476	WerFault.exe
5784	WerFault.exe
5784	WerFault.exe
2284	sihost.exe
2284	sihost.exe
3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exesihost.exeStartMenuExperienceHost.exeBackgroundTransferHost.exe

description	pid	process
Token: SeDebugPrivilege	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
Token: SeBackupPrivilege	2284	sihost.exe
Token: SeBackupPrivilege	2908	StartMenuExperienceHost.exe
Token: SeBackupPrivilege	1180	BackgroundTransferHost.exe
Token: SeBackupPrivilege	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

RuntimeBroker.exe

pid process

3384 RuntimeBroker.exe

pid	process
3384	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exeDllHost.exesihost.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exeWerFault.exeWerFault.exenet.exenet.exe

description	pid	process	target process
PID 3172 wrote to memory of 2284	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	sihost.exe
PID 3172 wrote to memory of 2304	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	svchost.exe
PID 3172 wrote to memory of 2344	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	taskhostw.exe
PID 3172 wrote to memory of 2612	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	svchost.exe
PID 3172 wrote to memory of 2812	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	DllHost.exe
PID 3172 wrote to memory of 2908	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	StartMenuExperienceHost.exe
PID 3172 wrote to memory of 3008	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	RuntimeBroker.exe
PID 3172 wrote to memory of 772	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	SearchApp.exe
PID 3172 wrote to memory of 3128	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	RuntimeBroker.exe
PID 3172 wrote to memory of 3516	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	RuntimeBroker.exe
PID 3172 wrote to memory of 3384	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	RuntimeBroker.exe
PID 3172 wrote to memory of 3372	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	backgroundTaskHost.exe
PID 3172 wrote to memory of 1180	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	BackgroundTransferHost.exe
PID 2812 wrote to memory of 4476	2812	DllHost.exe	WerFault.exe
PID 2812 wrote to memory of 4476	2812	DllHost.exe	WerFault.exe
PID 3172 wrote to memory of 4528	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 3172 wrote to memory of 4528	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 3172 wrote to memory of 4752	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 3172 wrote to memory of 4752	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 2284 wrote to memory of 4732	2284	sihost.exe	net.exe
PID 2284 wrote to memory of 4732	2284	sihost.exe	net.exe
PID 2284 wrote to memory of 5172	2284	sihost.exe	net.exe
PID 2284 wrote to memory of 5172	2284	sihost.exe	net.exe
PID 2284 wrote to memory of 5228	2284	sihost.exe	net.exe
PID 2284 wrote to memory of 5228	2284	sihost.exe	net.exe
PID 3172 wrote to memory of 5284	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 3172 wrote to memory of 5284	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 3172 wrote to memory of 5440	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 3172 wrote to memory of 5440	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 4732 wrote to memory of 5488	4732	net.exe	net1.exe
PID 4732 wrote to memory of 5488	4732	net.exe	net1.exe
PID 3172 wrote to memory of 5500	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 3172 wrote to memory of 5500	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 4528 wrote to memory of 5520	4528	net.exe	net1.exe
PID 4528 wrote to memory of 5520	4528	net.exe	net1.exe
PID 4752 wrote to memory of 5528	4752	net.exe	net1.exe
PID 4752 wrote to memory of 5528	4752	net.exe	net1.exe
PID 5172 wrote to memory of 5536	5172	net.exe	net1.exe
PID 5172 wrote to memory of 5536	5172	net.exe	net1.exe
PID 5228 wrote to memory of 5544	5228	net.exe	net1.exe
PID 5228 wrote to memory of 5544	5228	net.exe	net1.exe
PID 3172 wrote to memory of 5564	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 3172 wrote to memory of 5564	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 5500 wrote to memory of 5656	5500	net.exe	net1.exe
PID 5500 wrote to memory of 5656	5500	net.exe	net1.exe
PID 5440 wrote to memory of 5744	5440	net.exe	net1.exe
PID 5440 wrote to memory of 5744	5440	net.exe	net1.exe
PID 5284 wrote to memory of 5760	5284	net.exe	net1.exe
PID 5284 wrote to memory of 5760	5284	net.exe	net1.exe
PID 5564 wrote to memory of 5752	5564	net.exe	net1.exe
PID 5564 wrote to memory of 5752	5564	net.exe	net1.exe
PID 5080 wrote to memory of 1180	5080	WerFault.exe	BackgroundTransferHost.exe
PID 4556 wrote to memory of 2908	4556	WerFault.exe	StartMenuExperienceHost.exe
PID 4556 wrote to memory of 2908	4556	WerFault.exe	StartMenuExperienceHost.exe
PID 5080 wrote to memory of 1180	5080	WerFault.exe	BackgroundTransferHost.exe
PID 2284 wrote to memory of 5336	2284	sihost.exe	net.exe
PID 2284 wrote to memory of 5336	2284	sihost.exe	net.exe
PID 3172 wrote to memory of 5368	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 3172 wrote to memory of 5368	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 3172 wrote to memory of 5384	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 3172 wrote to memory of 5384	3172	56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe	net.exe
PID 5336 wrote to memory of 5508	5336	net.exe	net1.exe
PID 5336 wrote to memory of 5508	5336	net.exe	net1.exe
PID 5368 wrote to memory of 2100	5368	net.exe	net1.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:5488

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5536

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5228

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5544

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5336

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:5508

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:5704

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5168

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:6096

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5272

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
PID:3908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:1464

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:2776

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5776

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:4040

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:4512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2304

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2612

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3372

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:3384

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3516

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3128

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:772

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3008

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2908 -s 3300
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:5784

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2812 -s 944
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:4476

C:\Users\Admin\AppData\Local\Temp\56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
"C:\Users\Admin\AppData\Local\Temp\56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3172

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:5520

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:5528

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5284

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5760

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5440

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5744

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5500

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5656

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5752

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5368

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:2100

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
PID:5384

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:5588

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:5728

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1480

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:5720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:540

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:4600

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5652

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:6136

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5664

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
PID:2176

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:5580

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
2⤵
PID:4088

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
3⤵
PID:3100

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:3956

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5244

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:2900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:4328

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:3876

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2944

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:3592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3004

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1180 -s 2796
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:5792

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 1180 -ip 1180
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 504 -p 2908 -ip 2908
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK
MD5
9a1d29a6b0e255596ede6d26881d2337

SHA1
07b0c835d946a80d1dc3bcac5b5e308792d54cc3

SHA256
572dff0ccb4664b4518ba7a5f407aa4c6f620e20fb4c8351d07db5727b0ce761

SHA512
9f3b3f28fb179fabfbaca76e68ec3fe039ecee5a8e11a1a6d7d3ecf32170f10bf9ee4d3b1c85c8759d96c98d0a8a83b306de9e72db359b337776ee5233e1fa29

Download Submit
C:\Documents and Settings\Admin\.oracle_jre_usage\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\3D Objects\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\3D Objects\desktop.ini.RYK
MD5
3258b20e00868183bdb3772ab62640d4

SHA1
393212da3f5610fbfb38865612baf425d72a8012

SHA256
a0357db454e93a5ff851b905d2adade3ff9563970aad35a82cdb7e64f36fdbce

SHA512
e209d797b1802df3fec1829a8e904f1257a38ba50f734f7e6857c749f953c22d814c950bb81d168c5fcf8b6b360970c5807516bf5db90f7bf8434f43f1bb4532

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents
MD5
cc3e8b9b9695c1e72bc897f57c7b42eb

SHA1
353405062326f4cc26bc3af782709e986d0dc26e

SHA256
22b032bbacb88708a1a7161a504e7713095694cb058e2988efbc3e3bc4e1c91f

SHA512
98d6e104c1ec617cbd4755199825a10c4d91cbc7dd402b4d67a9f2d19e940cada70d87b777e1f9bdf83fcc04017ec62379b1be29260848e699982cddce04a01a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin
MD5
041876e39808cef5345dbbee1ecddfe5

SHA1
93451289b71cc27f2cf41ede7e44d988017975b1

SHA256
ab59b0fb603272f450c1ab486c24b50c27d1d68fd680c5a184d6938caedcd8e4

SHA512
721d1c919de1079faab01e289bc53b795d5bd28ba7ad3a8509bf6f5d1968ad7dc3dbd955b3ba47e23efd4049aa7d263e7501c5c9cddade89a6bf54517b1f24fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK
MD5
769ad20e3a24ff024370cd8f9f400f41

SHA1
eabe0cc9886cbf4a5cbdefb1456a4d0b95abecd2

SHA256
7083986f2cc6aa2c4315c669896bdbbe14d7f14d17f9eabfa98ee719def66574

SHA512
4a3c83856668a2e8962cd66b5b15d5b8faa590c0611231820b854f05099e3bb13952222a0f0c6c7b77911657cd98eb1a874187a27e5459e21e6390d985f2ef7f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc
MD5
8c8db1273b92a5bd94e7c62784163112

SHA1
ac8d3c89d40726d92417d37c31dd55aaf6a93178

SHA256
9a2c84c4c23d0a984b211368adcba38a820266ca34003fd44fda7955a272c097

SHA512
fa58b49102013b84cc8281ec45b0db62ae70418efdf97d2ddc4614d3db755c55d7921f104131d5ce41551fffdc2ebcd13c003a1ebb6f9e6e5f6b53734e265b63

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Color\Profiles\wscRGB.icc.RYK
MD5
ce72f58be93ae0923613f7a71a4d4f84

SHA1
e21a35a12e99cbd9bea571fdc52c37b5ac4c28dc

SHA256
41cc304450afc367a916661634417a3e675afe00a635389a662f323311242786

SHA512
92325bfec89b464c573d5b97cc0fa1e41204d047a565fa708b0a0f2ba9ba028ae627e1afe6fd1274450c8acaefe1dca91b4b60b4afac8eab619f0c2f20d7c9d3

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jcp
MD5
a54863299953e3d7956bcfd92a3bf371

SHA1
56d4360ad63224f9399c44c1db971a3a6a3141cb

SHA256
990be23db9e829d7c52874a85cc795465adf35d620ac3c603a7c51044e4713da

SHA512
da60b2b5f388dba8be01b96489356d3e5f0a0fe2112c0ac5818c892a6d20ef7c768877d1bbc5778b817e4000ff7c9ed66ac345afc0b6b567ef12b24e5e002d02

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini
MD5
bf3609ced4d56dcd05bc3203c2d45221

SHA1
58f881af49797b80cac083fd8e0b3022b81d0c7c

SHA256
e0b4f84bbea33f6ae0af4b7c9013c6a73ce59b7e50ee5aed8ae63d0ca3cbabfa

SHA512
7c4d14c927c4d1b1e8eec4942bf2ec4c1d5b95300a40ae2ea2b8d1afa9c1bf9d96e970c2877d50e9b0a6a6a0499834d5f7439d98259bfc761c1360259516b2bd

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\aria-debug-2324.log
MD5
0c5902ea0df459424737691c3d74730d

SHA1
86be2f98f59445c74dee036d8d794b1c01d17991

SHA256
a393b137fdbfd457885798640e2ef6b0eed44d95f40479cc7cff6f8b1d0e6660

SHA512
0b4d7681a04f5661106f414a7de9e59c98aacea9e3ce48137ad8d4a1869259a6aee180cd9585cf9741da685d708005581ff6d0e7077726dac21515f6f8ab50eb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
MD5
d94dd64894daddc02d64c1b442b9a123

SHA1
54f2eb1c5321cf3e8099411a1e0a3bc91e14aefa

SHA256
e1f0597686abcae2193ae6b9c60fe17674970cfae2bf69fd1c3e4c8d307009c3

SHA512
e92baf3e56ac6b6e4f0d708b279b3c9d04f3a6ae988b27338a0df8283666ae9ae0f41e533427a70457ecddc3b5d4a2782472d7bd127d4f442f8f40836ed5dc79

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46E0.txt
MD5
46f68625891b2e80a1a004e264883bdd

SHA1
3907ad1c56323122f1ec366caf5699c7afa43df4

SHA256
9b01cc4e38991e76119627c739bfb83a9f17aa2e9dff7987269c0bc2a148fef2

SHA512
6854f563a931c9743868a8347ea89dffb420afce334f51721c1483c1be6a1c77b068ffa909378ec3c413aabe6a1664c44b461b7588b72912c02f45dd4f5a5f90

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log
MD5
1ea313c9b4825b0dd9ba79b0614804f8

SHA1
02ced443f2d8d8b66ec8dd3e725dd070a705f05d

SHA256
ddd23c3101929c50321453880f82f9601ed2e473827fc22eb45128fdc77a0eb3

SHA512
141579d4da95c046d190ecf407f0c6d8fff2ca0a3c839e8ce86c3e74ec17e481c66f7d2260fd82402dfd11607189b38fd388c4da65fb2e68b90f88b2e1f827fe

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx
MD5
b3a73257b60c87d22021da9fa5bfd705

SHA1
d2d38761a3ca2bab698056e4f6953a2d2d2fc8b8

SHA256
8b3d00929b7628e6d78cce604433c86f666ee6066ced05d15d8ad73475cab1e6

SHA512
114ebc7ca0de0ae1ddac26b655e34003d39c1b947047ad68dec8dc40e86ba037604cb12425361ce268e9a2ee831bbc4a026ff0ae94298fcbc7340aa0d4697187

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00001.jrs
MD5
733350ace0cd2635c6a6526141c681c2

SHA1
b767b77f214f97358f8d7534d5875d33afac2fc1

SHA256
b6601472a14f9e65465dcab0889b602f2d7403f544b9efefb5f4e53f1c0e5c6b

SHA512
ced33ff3aa12cfbbe471f6ebe5e50c554b37ead76828d7b9a972674dda0ca022fff8bde06651e62be6608cac9d33c76641ec8824a1f08401a1c25475253dd9da

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00002.jrs
MD5
f020277acdc0bdb6308c0d68181645fd

SHA1
5caf1312d751c999c59ba68d564b70853849e258

SHA256
d7aab0ecf2e16557402f439aeb556946d119d3828a589bfffe6c4b97331faf8e

SHA512
d9c33364e310cd6af4a3004ec664fd5f35b5a473e14dd0f39402441898fd3fc3f75b5059d3ad114f3cadfe2619c4a1403a5f7c6f50e4018eecb713da7b9632ca

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USStmp.jtx
MD5
ae94282a446277ed7880ddae33787858

SHA1
47b1ea827d263eee4e09f6ad9cffb68246cc1040

SHA256
2fff47cd93f6c10cc026591ff51361614f3fddd38e608dbbe06a001e26335ab9

SHA512
8131484d6b5864a5b2263c879a173852ae5e0b24cd0526f5993b2007e23ca4ccb7015464ad5c311d717ad15249db84828ac546f5e60bc16bfc4e5d453988bc8e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm
MD5
c30369e517b6ea1fccc45b8e9c380955

SHA1
a8447509033ba0e0c1c010a7e8315c912de4429a

SHA256
a19ca73c8b338016f3f7a2cff260c72e0077133c02e2b27f8688f3756e4583c5

SHA512
982463a523169fcebc2197cf64e3230b2125e58517bec6c840f570a1379de0fa99326ec6bdb98485c2ed0f72deea02c19665885a31dae81781f8a32da9618b19

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol
MD5
c19803bcb2a68dbf731c6b2897d50929

SHA1
fcdfcb7d2ceb7831c0cd87f787df4ff5bffcd0f2

SHA256
2605956b3ba2d01ffd078dd598b3bcbcc7ab4cd1ab8e77d902773f75ccf7c68b

SHA512
40c12504a14ed4eecfeecccfb8cd0c65f9852cb6dc64efd602f059b77ae13578eb1c9a2122938595f42a4c1588b3eb321376ec3201361562d265ade3f7ecb44e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\temp\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\L.Admin.cdp
MD5
0a6910545a2efac09ac742ea66384d80

SHA1
88cd0570aeefd11070494642436755d6407efaba

SHA256
e8fae83acddcd54db706e10ba133f4aa52032244e5c9c61d8abcd858c4369fc2

SHA512
b9b842fef7bb96fb64843ac6426d857e87f194291312f5ed2ee52e80b7e75bee1563c61a042bc85d77cff1f6b22a2e4ebac80fb5659078a25dcb74765eb4af4e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\History.IE5\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\CLR_v4.0_32\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\af-ZA\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-AE\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-DZ\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-EG\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-IQ\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-JO\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-KW\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-LB\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-LY\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-MA\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\Documents and Settings\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.txt
MD5
0d0204b608ea871911628534fabba09e

SHA1
145c91a6931004a3e43affcaee629ce2f719bc92

SHA256
d6560b3ab307fd94146e8229534eb64d441c1c5f4f19575dd23de0524b632002

SHA512
dba6d0e88fd95b462c41c3fcecc5dc90685bc90faafc54d31ee415a73671ddb5eae525220b0b1edb6ccb9fd7af3017394fb499b7de2a349d3a60e2d86794d19f

Download Submit
memory/2284-130-0x00007FF782600000-0x00007FF782995000-memory.dmp

Filesize
3.6MB

Download
memory/2304-131-0x00007FF782600000-0x00007FF782995000-memory.dmp

Filesize
3.6MB

Download
memory/2812-189-0x000001F80E3C0000-0x000001F80E3C1000-memory.dmp

Filesize
4KB

Download
memory/2812-188-0x000001F80E400000-0x000001F80E408000-memory.dmp

Filesize
32KB

Download
memory/2812-151-0x000001F80E050000-0x000001F80E051000-memory.dmp

Filesize
4KB

Download
memory/2812-162-0x000001F80E410000-0x000001F80E411000-memory.dmp

Filesize
4KB

Download
memory/2812-160-0x000001F80E420000-0x000001F80E428000-memory.dmp

Filesize
32KB

Download
memory/2812-149-0x000001F80E3C0000-0x000001F80E3C8000-memory.dmp

Filesize
32KB

Download