ryuk | 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

Analysis

max time kernel
1781s
max time network
1587s
platform
windows10_x64
resource
win10-20220414-en
submitted
06-05-2022 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
Size

117KB
MD5

045eb328ff30b09cebd6fe3c031db7bc
SHA1

b28cd818c54d7a4f5416728a8f8408e6c9c40bc2
SHA256

379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99
SHA512

6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

DDhTuPmyqrep.exeUswatRPIflan.exeuPJqdvnxflan.exe

pid process

4100 DDhTuPmyqrep.exe
4408 UswatRPIflan.exe
15660 uPJqdvnxflan.exe

pid	process
4100	DDhTuPmyqrep.exe
4408	UswatRPIflan.exe
15660	uPJqdvnxflan.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\SwitchWatch.crw => C:\Users\Admin\Pictures\SwitchWatch.crw.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Users\Admin\Pictures\SwitchWatch.crw.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

Drops startup file 1 IoCs

Processes:

379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.html	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

40332 icacls.exe
40344 icacls.exe

pid	process
40332	icacls.exe
40344	icacls.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

Drops file in Program Files directory 64 IoCs

Processes:

379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\WHOOSH.WAV	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\da-dk\ui-strings.js	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\sv-se\ui-strings.js.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\RyukReadMe.html	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ppd.xrm-ms	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_security_terms_dict.txt	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL011.XML.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\psfontj2d.properties	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ro-ro\ui-strings.js	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_zh_CN.jar.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pl-pl\AppStore_icon.svg.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL110.XML.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.ja_5.5.0.165303.jar	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Georgia.xml	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul.xrm-ms	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\jhall-2.0_05.jar	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\vlc.mo.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\cs-cz\ui-strings.js.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\cstm_brand_preview.png.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\BIBFORM.XML	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\uk-ua\RyukReadMe.html	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\example_icons2x.png	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\ui-strings.js	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\vlc.mo.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ul-oob.xrm-ms	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\XML2WORD.XSL	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.properties.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OWSSUPP.DLL.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ru-ru\ui-strings.js	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\RyukReadMe.html	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_zh_4.4.0.v20140623020002.jar.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEDAO.DLL.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ppd.xrm-ms	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ACEINTL.DLL	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-gb\RyukReadMe.html	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\README_en_GB.txt.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ppd.xrm-ms	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nl-nl\RyukReadMe.html	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_basestyle.css.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_checkbox_selected_18.svg.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nl-nl\ui-strings.js.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-heapdump.jar	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hu-hu\RyukReadMe.html	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-il\ui-strings.js	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ppd.xrm-ms.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sv-se\RyukReadMe.html	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OUTLFLTR.DAT	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_FilledDot_White@1x.png	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\css\RyukReadMe.html	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\vlc.mo	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-fr\RyukReadMe.html	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.alert.ja_5.5.0.165303.jar.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.nl_zh_4.4.0.v20140623020002.jar	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ul-oob.xrm-ms.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

186580 4100 WerFault.exe DDhTuPmyqrep.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

SCHTASKS.exe

pid process

341228 SCHTASKS.exe
Runs net.exe

pid	pid_target	process	target process
186580	4100	WerFault.exe	DDhTuPmyqrep.exe

pid	process
341228	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

pid	process
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 3896 wrote to memory of 4100	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	DDhTuPmyqrep.exe
PID 3896 wrote to memory of 4100	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	DDhTuPmyqrep.exe
PID 3896 wrote to memory of 4100	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	DDhTuPmyqrep.exe
PID 3896 wrote to memory of 4408	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	UswatRPIflan.exe
PID 3896 wrote to memory of 4408	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	UswatRPIflan.exe
PID 3896 wrote to memory of 4408	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	UswatRPIflan.exe
PID 3896 wrote to memory of 15660	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	uPJqdvnxflan.exe
PID 3896 wrote to memory of 15660	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	uPJqdvnxflan.exe
PID 3896 wrote to memory of 15660	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	uPJqdvnxflan.exe
PID 3896 wrote to memory of 40332	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	icacls.exe
PID 3896 wrote to memory of 40332	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	icacls.exe
PID 3896 wrote to memory of 40332	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	icacls.exe
PID 3896 wrote to memory of 40344	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	icacls.exe
PID 3896 wrote to memory of 40344	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	icacls.exe
PID 3896 wrote to memory of 40344	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	icacls.exe
PID 3896 wrote to memory of 67816	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	net.exe
PID 3896 wrote to memory of 67816	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	net.exe
PID 3896 wrote to memory of 67816	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	net.exe
PID 3896 wrote to memory of 68720	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	net.exe
PID 3896 wrote to memory of 68720	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	net.exe
PID 3896 wrote to memory of 68720	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	net.exe
PID 3896 wrote to memory of 69584	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	net.exe
PID 3896 wrote to memory of 69584	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	net.exe
PID 3896 wrote to memory of 69584	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	net.exe
PID 3896 wrote to memory of 67788	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	net.exe
PID 3896 wrote to memory of 67788	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	net.exe
PID 3896 wrote to memory of 67788	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	net.exe
PID 68720 wrote to memory of 65224	68720	net.exe	net1.exe
PID 68720 wrote to memory of 65224	68720	net.exe	net1.exe
PID 68720 wrote to memory of 65224	68720	net.exe	net1.exe
PID 69584 wrote to memory of 65380	69584	net.exe	net1.exe
PID 69584 wrote to memory of 65380	69584	net.exe	net1.exe
PID 69584 wrote to memory of 65380	69584	net.exe	net1.exe
PID 67816 wrote to memory of 65244	67816	net.exe	net1.exe
PID 67816 wrote to memory of 65244	67816	net.exe	net1.exe
PID 67816 wrote to memory of 65244	67816	net.exe	net1.exe
PID 67788 wrote to memory of 65252	67788	net.exe	net1.exe
PID 67788 wrote to memory of 65252	67788	net.exe	net1.exe
PID 67788 wrote to memory of 65252	67788	net.exe	net1.exe
PID 3896 wrote to memory of 290876	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	net.exe
PID 3896 wrote to memory of 290876	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	net.exe
PID 3896 wrote to memory of 290876	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	net.exe
PID 290876 wrote to memory of 291016	290876	net.exe	net1.exe
PID 290876 wrote to memory of 291016	290876	net.exe	net1.exe
PID 290876 wrote to memory of 291016	290876	net.exe	net1.exe
PID 3896 wrote to memory of 293896	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	net.exe
PID 3896 wrote to memory of 293896	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	net.exe
PID 3896 wrote to memory of 293896	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	net.exe
PID 293896 wrote to memory of 294608	293896	net.exe	net1.exe
PID 293896 wrote to memory of 294608	293896	net.exe	net1.exe
PID 293896 wrote to memory of 294608	293896	net.exe	net1.exe
PID 3896 wrote to memory of 341228	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	SCHTASKS.exe
PID 3896 wrote to memory of 341228	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	SCHTASKS.exe
PID 3896 wrote to memory of 341228	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	SCHTASKS.exe
PID 3896 wrote to memory of 487876	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	net.exe
PID 3896 wrote to memory of 487876	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	net.exe
PID 3896 wrote to memory of 487876	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	net.exe
PID 3896 wrote to memory of 487888	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	net.exe
PID 3896 wrote to memory of 487888	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	net.exe
PID 3896 wrote to memory of 487888	3896	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	net.exe
PID 487876 wrote to memory of 487980	487876	net.exe	net1.exe
PID 487876 wrote to memory of 487980	487876	net.exe	net1.exe
PID 487876 wrote to memory of 487980	487876	net.exe	net1.exe
PID 487888 wrote to memory of 487996	487888	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
"C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3896

C:\Users\Admin\AppData\Local\Temp\DDhTuPmyqrep.exe
"C:\Users\Admin\AppData\Local\Temp\DDhTuPmyqrep.exe" 9 REP
2⤵
- Executes dropped EXE
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 136064
3⤵
- Program crash
PID:186580

C:\Users\Admin\AppData\Local\Temp\UswatRPIflan.exe
"C:\Users\Admin\AppData\Local\Temp\UswatRPIflan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:4408

C:\Users\Admin\AppData\Local\Temp\uPJqdvnxflan.exe
"C:\Users\Admin\AppData\Local\Temp\uPJqdvnxflan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:15660

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:40332

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:40344

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:68720

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:65224

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:67816

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:65244

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:69584

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:65380

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:67788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:65252

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:290876

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:291016

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:293896

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:294608

C:\Windows\SysWOW64\SCHTASKS.exe
SCHTASKS /CREATE /NP /SC DAILY /TN "PrintiT" /TR "C:\Windows\System32\cmd.exe /c for /l %x in (1,1,50) do start wordpad.exe /p C:\users\Public\CTx64.dll" /ST 10:25 /SD 05/07/2022 /ED 05/14/2022
2⤵
- Creates scheduled task(s)
PID:341228

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:487888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:487996

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:487876

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:487980

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:489448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:488776

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:489196

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:488012

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:506964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:507008

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:507040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:507092

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:615856

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:619456

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:615832

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:619444

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:637156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:636760

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:637588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:637468

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:637340

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:637948

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:636908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:637764

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:637080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:637740

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:636168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:637492

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:235432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:637340

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:637680

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:636328

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:636888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:636296

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:636756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:637112

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:683904

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:684028

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:683936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:683996

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:753632

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:753640

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:753656

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:753672

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:794204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:794208

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:794264

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:794220

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:795364

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:795220

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:795412

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:795580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\$Recycle.Bin\S-1-5-21-4236190499-842014725-259441995-1000\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\PerfLogs\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst.RYK
Filesize
1KB

MD5
6860d74f2bc7f5b2ac19709970d91a2c

SHA1
def31543c8a0c068d4830ef9ace635f1a5f9a5d0

SHA256
5bb14a098c22267f8d52298bdb13b90445bdf7a2f77fdb34998bdb6a997b8b8c

SHA512
a4a5b6861e191a2c79e74ef5c8fd13ecec26ef69935fdbf1b833d7f0caa2cd7cf2e280fa87a751a03793d3d371ef09e8e7a42c0c66979ff8f5234e358dbbcb5b

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst.RYK
Filesize
72KB

MD5
5bce33bad1033b12bb8cd28d3632952c

SHA1
e7b4bedf4981c9d2ec657757fef01fb95a28759a

SHA256
a81b7953dd242984f230b7b60ef62f1da412140c8f971fdbc9e64d0f2a15841d

SHA512
031630a378e8782db6f7f6c48854214647d44728fb2c70901bea7e3151432398fd19f0da6aba9f4a0f4402cbe3edf7684ad0c744cce0594c856891971890c6d6

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt19.lst.RYK
Filesize
9KB

MD5
af3c246770cd2074772d67f20cbb224e

SHA1
7905b5a28415985f4541c3fdbea1963dc8482060

SHA256
a183041219e8016b9a5b92b779cf25fb1ae678f3461e1cbbb9488688c73e7587

SHA512
27511073dfcbd057ae8b8351b9fc86129c850ba524a2581edb19f7221b021d3c87faf657bb95b4f6bcacbc98d77114eb7c061a71211913cb71a00a60a5748f6f

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat.RYK
Filesize
68KB

MD5
03b61229984b11845bb9aa795139155b

SHA1
72ec0bb01a182a7868de52022f9785dff8f6ac18

SHA256
2ac7d4bad19528ed97f59e9b0fb77aea1d23cb39033ab6b534c8f2ca16673e1c

SHA512
5e25af8067e091087bbe14dcb7122ba9280fbbead2c0005da7ae3c5689a07ebf747ee5d337527e78993cee69bc7729cd113c8da3b1ad5c974d208bc718060085

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK
Filesize
12KB

MD5
a407400796fd2a850051984cdf9a14bf

SHA1
1eb07a20b32e63abcb9e81529f40a026d1f7fada

SHA256
04edc5b8b048c1de41e31368a05088d984a44d3d305efc6fbd89b71d7ed49190

SHA512
a0c30fb028246b8179d91701a4dafaf45708d2e9a685ef8557ba5564e7737adb9a129a94af1651054eb86f4ea1c145292a0667b4f857839f17971c15c7ce38e4

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\ToolsSearchCacheRdr\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK
Filesize
31KB

MD5
0162a16ff523743a86dad42d61cb9c2b

SHA1
ce4ddd9e48987cb662896a058999c22a23b834cb

SHA256
955b718bbee551dcc9a81a85717ae5fbc5f4ae55b334f46a25e13ca127031e81

SHA512
075302fe1ea38f2e883319556dd7dbfcfda009372a0bd2f7d5431e23efcc3f17ce76f9c57a2ff9e5ddc64c90bba33dda1598af5301b939f26f09f61494af6285

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK
Filesize
1KB

MD5
3266876004a55112b21ac9d43f086416

SHA1
d777b0359494d02c87ca5018b1938e9318b996ea

SHA256
aaa1171085dd1470d906475998587ae3461c5257185c930f1d4657fbc69e3fa4

SHA512
4ed71c7d48ffea8063792912fa18b436c0a73791c2dd13ea79ea99eb1a92a47fb754f0519cd00fe1191467a4167aaf95f6642398b0c25d960b1dce33e0291131

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
Filesize
2KB

MD5
27d9c4d5f25e826deb96fd06959b12c5

SHA1
8dab70d1331ee0b6365296a5089642e0de88612f

SHA256
186d28738bc6dd21806821255b13e929abdb39c3d99857bccea7c855d80e273d

SHA512
3c927b706978b4961c18fd06c4b8d284d6f220d1ce8edde80247db57a932f819215c7f880aa20c32e237df5999364137eaae6cee8743e97a7c14f761e660b9c4

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
Filesize
64KB

MD5
094c38e41a3d284c679864dc73bf9ae4

SHA1
7aed0bb93cd3760effd2ac54fb0609f3387be304

SHA256
4d676058b148f6d190150080dd994199e9525c1e097d40c9619fb11c3960e309

SHA512
384eeac94f33777978daa0a6b18f9630eee10b78aa3d2f3d8dede46f3cb894dabc3163c702e34397b81d63c81d6d519ab69dc65bd6daa25bf1e6f29d68da402e

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Comms\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Google\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Packages\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Packages\windows_ie_ac_001\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\PeerDistRepub\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Publishers\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\1646762828\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log.RYK
Filesize
2KB

MD5
8b03bd5d0fd2fce0e871115e5d3eaaa1

SHA1
401066a26418f517320b32c88b5f662be1822ac7

SHA256
6b07a9f6587101342673b44498d01231eb0eafb11b1ea2510660cabd443b1754

SHA512
0c08ca18527be9c0ea0836e7792723652e00032cb981b4edece5aff03575d63d2993e973bb6a1eb828bb8322f6127fc34aeff1248cf03c46dbee34d896120d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDhTuPmyqrep.exe
Filesize
117KB

MD5
045eb328ff30b09cebd6fe3c031db7bc

SHA1
b28cd818c54d7a4f5416728a8f8408e6c9c40bc2

SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

SHA512
6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDhTuPmyqrep.exe
Filesize
117KB

MD5
045eb328ff30b09cebd6fe3c031db7bc

SHA1
b28cd818c54d7a4f5416728a8f8408e6c9c40bc2

SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

SHA512
6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log.RYK
Filesize
25KB

MD5
7e41b780fcc84e8b4c52360cc2e2f7a8

SHA1
9fb7b3efe1aa8c8b8e77ff41dc51802bf7733817

SHA256
f42be0990a2368dc27a201e0a4a7c0e2fcf290b9fbc6380550a7ccb1aca56426

SHA512
21d901256078b085f63352153b342048c6e92007a035c6a4f959e9566797b882843b4a131bd37e21752b3bd0faba5addc60eaaf111594e96fdded19632d38de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSOMOBUO-20220414-2303.log.RYK
Filesize
60KB

MD5
9ba9dd286324daeb87c46b080219bb49

SHA1
25c3354e952b73e465920771a7e7c2e432627930

SHA256
6648a285156df43b8960097fe31837d257eb7a332afda29d65894e849db294b7

SHA512
cc4e7607c092f534e8ff9707b36d1c0e63494fc3bfd9d8e7efc0725712f6dd97953281ae10fe733241c15ae092c9dcbc2e79ea8472c1e12a4f8ba43672dfdde9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSOMOBUO-20220414-2303a.log.RYK
Filesize
184KB

MD5
a238ca843074d09b5c8c480334f62fd6

SHA1
a735304eb4a79f11c1ae427de0044eaf3064242d

SHA256
18cec5f959204b0dd7ddf437497124421d22597aac09c9765c40c63636e33919

SHA512
169347272649440deae9f3bcdbdfe8752232ec6392517e4f1db0d0dbac411f272c3086462978d19990b531af86e017ae67eae5955ea7efa2d4fb6463333b4844

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\UswatRPIflan.exe
Filesize
117KB

MD5
045eb328ff30b09cebd6fe3c031db7bc

SHA1
b28cd818c54d7a4f5416728a8f8408e6c9c40bc2

SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

SHA512
6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UswatRPIflan.exe
Filesize
117KB

MD5
045eb328ff30b09cebd6fe3c031db7bc

SHA1
b28cd818c54d7a4f5416728a8f8408e6c9c40bc2

SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

SHA512
6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-4912.log.RYK
Filesize
754B

MD5
d0732941294132818030ed5556b2dbab

SHA1
6c8862fbac79f07114b915e7635f039e3fd218a4

SHA256
6c627d3ce25294da2523bbb9dcd8e8cd33ae8248c79c5e0b4bd7cff9e5423f39

SHA512
be10b5a5341b737fe24357ba8223d66925d1b6938e5a9cc090218822ba6127466bd9c1ad2e2c29806411884ac402cf73f73d56af3b47afb49c5f7b537ffcd9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log.RYK
Filesize
2KB

MD5
ae161b4d26430487b8534e1098e3352d

SHA1
a20a76c2215e957b1960a67b920798431567f7d2

SHA256
ca16cadf3ef6896e4304298b16afeb0e79728adca96c9ccbd209398e8cd015eb

SHA512
fc7d81833e45ac369903d1bb2982c8a4bb686f62d70f218170c97dc76345bfc67c3ce7d8cafd684e4f3eb8b4136c8fa443356fb8b1317ec3aa096c7b8bc90fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt.RYK
Filesize
2KB

MD5
462e37f59f09ed662c16a0fcb9700128

SHA1
a698e841b3147405e138ad0ef90fc368e014b0ef

SHA256
79b55277b1c31214831235035f01a3380b2dc51bdf4692fb7c776335191fd49e

SHA512
2869bf6cd3f1c7d0d36f5e3f5ad1ce426e293a2d2f0e9a4d30f69a0e8e550e7840d38c5dc62b7e9ca177ba0d0c1f6cb4df439f1ef0d4ffd94b2db25a79405b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI581F.txt.RYK
Filesize
427KB

MD5
3b3c2057a5b67973d461c464a5363001

SHA1
db29237a1245d254d2304361aaa297fd2a3d257b

SHA256
ef93ccab10eb9a1c832a9b119cb136f86171e5f081f15051ebc3a7caadfe6ff0

SHA512
5045debe3b9815efa437715763a091714d6f2d23219f6ade99917c0f25dfd120d7c3c6d7b5df62121c35d2d654c14b47cf4db5f936f2b1f1ff04cc97bce1e6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI584A.txt.RYK
Filesize
413KB

MD5
c584aaf7c538b5e157a99572ae45c0ef

SHA1
32bc866f35cc3c91422b0842612afa233d7940c8

SHA256
7941d0d3c2e89965ef58da5872c539a630fc5b11a776b8211db51d1068a4ae81

SHA512
1d39f089f3006aeade58998b32d42d56228af1e77672369544bf17aa206d57b1be7ee0e57843ba3622542271a83602b4ad2d0ce88c59cc44a34a572608c2ef30

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI581F.txt.RYK
Filesize
11KB

MD5
bfa6496b8a89139aa5335eda713143dc

SHA1
4352f31ef1e18bad358a41c4f5edfc2cb2f2f658

SHA256
a1587dc62c213ef01da1406a50846e2ffbe00cc3211fbe3dcec9f85f196f3de2

SHA512
2d058026d3a18e9fa7f90c7181e3526800bd4404d1a708ccf958197a3e5c6992215a906fc3b940920753cb970897d2c4372a6e11138f26561356f786a7017bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI584A.txt.RYK
Filesize
11KB

MD5
86c38b85c725fda00333c2ed2aeaa9ff

SHA1
22aa065b7731b84bdb79bdd06bd14419b30faa25

SHA256
91274b8e21be8f21e055f0b4b095da9880efd4ba02725dfe42433d6e269aef7f

SHA512
ab70b246746547d5ec87f162dfd830bc1e57be94a622e8caccd22374f4080747d74249f0a8162b023881b3a90f5f01427512f3054bb11f51a8e53f7558ed690d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log.RYK
Filesize
265KB

MD5
7f22d6a5912ec9383bccba7329d7b552

SHA1
dfda7a1d52a4b2b5000c6e0a260bdb75fee5466b

SHA256
b3567bd5d37642258f014a398be05c16d8d0f0a186715f6eedd5ef3f5de8f9ea

SHA512
59e743ed5648b471ed6381e3e158d55165790235d1f752472f407a4615bc361573292117242f07079f1fafa64f83e1f6f6b85c8c4ea7d22a78f5ee76a0b08c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp515C.tmp.RYK
Filesize
17.0MB

MD5
c9917b75aeef5aa27873e7adb9e92eb6

SHA1
79dc09fdf479ade785668dafcca5bfcedd2af1e2

SHA256
e5b8b8f24cddf9dd65fc95fc3b082e08b10374a5987878d041a1c50744c639e9

SHA512
b306e994678e8fd4f1562bd0608b9ea77ef525122b747c3531929ec76a84c3146332259e2ef640b8d4895662e2b543d1102927a285fd9c715fc0f69614e6578c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp536F.tmp.RYK
Filesize
17.0MB

MD5
42aa7f2212cf5350727ce838919ceb52

SHA1
1a46693fad0954cbbcf688a956a97b9a98b50e77

SHA256
05d485618514c366f629868c4552651a4d8f3dfbff0a70eead7b052def5a0c1b

SHA512
62ecc3b4875d187397515f899ec71fa08fdab8f4515c229eca0ceff709e22f61328938f104ded60292b22cbd1aba7e4529a8209625395cb02165d51d78084302

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8B6D.tmp.RYK
Filesize
17.0MB

MD5
4aee4cba5464a8665dd567a22e984e69

SHA1
8dd44ae38a82aac43afab8fe52968068991b97db

SHA256
0ff5d099ec39e33efe757dc251269d48050b9d6c38c9198badcddf3ec31fcb63

SHA512
390e89047d84ae3656f5d298b9340f0b0298ae58504f2bf20eaed31cf20b7110f0114815f7620bb79dba36fb6f2b0ed177621efff628447e8d5e48e595a454e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8D52.tmp.RYK
Filesize
17.0MB

MD5
9427fd8aa4e54e44aca758ad908ad24c

SHA1
627a147222caade3cfb5096704636bd6cf101e3e

SHA256
186d4465d997043f2b1e8814c3dd7f0d5068366d3a6406f98db899f0b793c3a0

SHA512
1bacfd7c35fa840f5626980a4ce1771aabca9ed5f3b92aa6ea2c7d345218ca99f4021a68a0a6b6d0fdebb355d6524bc16494bcdcc488dccd6d122b7b8f8bc6f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uPJqdvnxflan.exe
Filesize
117KB

MD5
045eb328ff30b09cebd6fe3c031db7bc

SHA1
b28cd818c54d7a4f5416728a8f8408e6c9c40bc2

SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

SHA512
6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uPJqdvnxflan.exe
Filesize
117KB

MD5
045eb328ff30b09cebd6fe3c031db7bc

SHA1
b28cd818c54d7a4f5416728a8f8408e6c9c40bc2

SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

SHA512
6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct3307.tmp.RYK
Filesize
55KB

MD5
c7e69abc7809225d75459950088e8ba7

SHA1
693f2d9b3e78532bae6464b90face77db39690d4

SHA256
43c24d8f74f2b296dc906c82b2a4df448f081e15270256369bce3f3b540a1c8e

SHA512
cb565fbffd4fcf19bc07b499956860e4d0d6d43016359e0a27ffda54e090789c8c962dd6b3e4c8f04e3aeaeb180446e2c5ba2e06b9ac3e58d1e71cbcab7aafc4

Download Submit
C:\Users\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\odt\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\odt\config.xml.RYK
Filesize
978B

MD5
a447a4594d464036ae6578434adac405

SHA1
b4be6920ceb40204e255b307f6a43449f270726b

SHA256
ca5186daed1eb9dbf023ae130371cfe7dd77688ee24febcf7434f83a46c65e89

SHA512
565b364a991effa1a0d5210cdc805937c105379fb72fd79cb6f88a12139dcd74e7093114886aa1d277333e88c537e215113c418d92ae3faea27049f4ff8f00d1

Download Submit
C:\users\Public\RyukReadMe.html
Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
memory/4100-114-0x0000000000000000-mapping.dmp

Download
memory/4408-117-0x0000000000000000-mapping.dmp

Download
memory/15660-120-0x0000000000000000-mapping.dmp

Download
memory/40332-124-0x0000000000000000-mapping.dmp

Download
memory/40344-125-0x0000000000000000-mapping.dmp

Download
memory/65224-138-0x0000000000000000-mapping.dmp

Download
memory/65244-140-0x0000000000000000-mapping.dmp

Download
memory/65252-141-0x0000000000000000-mapping.dmp

Download
memory/65380-139-0x0000000000000000-mapping.dmp

Download
memory/67788-137-0x0000000000000000-mapping.dmp

Download
memory/67816-134-0x0000000000000000-mapping.dmp

Download
memory/68720-135-0x0000000000000000-mapping.dmp

Download
memory/69584-136-0x0000000000000000-mapping.dmp

Download
memory/235432-225-0x0000000000000000-mapping.dmp

Download
memory/290876-191-0x0000000000000000-mapping.dmp

Download
memory/291016-192-0x0000000000000000-mapping.dmp

Download
memory/293896-193-0x0000000000000000-mapping.dmp

Download
memory/294608-194-0x0000000000000000-mapping.dmp

Download
memory/341228-195-0x0000000000000000-mapping.dmp

Download
memory/487876-196-0x0000000000000000-mapping.dmp

Download
memory/487888-197-0x0000000000000000-mapping.dmp

Download
memory/487980-198-0x0000000000000000-mapping.dmp

Download
memory/487996-199-0x0000000000000000-mapping.dmp

Download
memory/488012-203-0x0000000000000000-mapping.dmp

Download
memory/488776-202-0x0000000000000000-mapping.dmp

Download
memory/489196-200-0x0000000000000000-mapping.dmp

Download
memory/489448-201-0x0000000000000000-mapping.dmp

Download
memory/506964-204-0x0000000000000000-mapping.dmp

Download
memory/507008-205-0x0000000000000000-mapping.dmp

Download
memory/507040-206-0x0000000000000000-mapping.dmp

Download
memory/507092-207-0x0000000000000000-mapping.dmp

Download
memory/615832-208-0x0000000000000000-mapping.dmp

Download
memory/615856-209-0x0000000000000000-mapping.dmp

Download
memory/619444-210-0x0000000000000000-mapping.dmp

Download
memory/619456-211-0x0000000000000000-mapping.dmp

Download
memory/636168-221-0x0000000000000000-mapping.dmp

Download
memory/636296-230-0x0000000000000000-mapping.dmp

Download
memory/636328-226-0x0000000000000000-mapping.dmp

Download
memory/636756-229-0x0000000000000000-mapping.dmp

Download
memory/636760-214-0x0000000000000000-mapping.dmp

Download
memory/636888-228-0x0000000000000000-mapping.dmp

Download
memory/636908-217-0x0000000000000000-mapping.dmp

Download
memory/637080-220-0x0000000000000000-mapping.dmp

Download
memory/637112-231-0x0000000000000000-mapping.dmp

Download
memory/637156-213-0x0000000000000000-mapping.dmp

Download
memory/637340-227-0x0000000000000000-mapping.dmp

Download
memory/637340-216-0x0000000000000000-mapping.dmp

Download
memory/637468-215-0x0000000000000000-mapping.dmp

Download
memory/637492-223-0x0000000000000000-mapping.dmp

Download
memory/637588-212-0x0000000000000000-mapping.dmp

Download
memory/637680-224-0x0000000000000000-mapping.dmp

Download
memory/637740-222-0x0000000000000000-mapping.dmp

Download
memory/637764-219-0x0000000000000000-mapping.dmp

Download
memory/637948-218-0x0000000000000000-mapping.dmp

Download
memory/683904-232-0x0000000000000000-mapping.dmp

Download
memory/683936-233-0x0000000000000000-mapping.dmp

Download
memory/683996-234-0x0000000000000000-mapping.dmp

Download
memory/684028-235-0x0000000000000000-mapping.dmp

Download
memory/753632-236-0x0000000000000000-mapping.dmp

Download
memory/753640-238-0x0000000000000000-mapping.dmp

Download
memory/753656-237-0x0000000000000000-mapping.dmp

Download
memory/753672-239-0x0000000000000000-mapping.dmp

Download
memory/794204-240-0x0000000000000000-mapping.dmp

Download
memory/794208-241-0x0000000000000000-mapping.dmp

Download