ryuk | 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

Analysis

max time kernel
1800s
max time network
1216s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
06-05-2022 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
Size

117KB
MD5

045eb328ff30b09cebd6fe3c031db7bc
SHA1

b28cd818c54d7a4f5416728a8f8408e6c9c40bc2
SHA256

379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99
SHA512

6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
344	HrufuaMkGrep.exe
4816	KTKKGEOxElan.exe
7832	WVuticIPSlan.exe

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\RedoWrite.tif => C:\Users\Admin\Pictures\RedoWrite.tif.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File renamed	C:\Users\Admin\Pictures\ResolveGroup.raw => C:\Users\Admin\Pictures\ResolveGroup.raw.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File renamed	C:\Users\Admin\Pictures\ConfirmFind.tif => C:\Users\Admin\Pictures\ConfirmFind.tif.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Users\Admin\Pictures\ConfirmFind.tif.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Users\Admin\Pictures\RedoWrite.tif.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Users\Admin\Pictures\ResolveGroup.raw.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.html	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
32424	icacls.exe
32436	icacls.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fi-fi\ui-strings.js	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\VCCORLIB140_APP.DLL.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\zh-hk_get.svg.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul.xrm-ms	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ko-kr\RyukReadMe.html	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgeCallbacks.h.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ul-oob.xrm-ms.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sv_get.svg.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\RyukReadMe.html	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-swing-outline.jar.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\example_icons.png.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-pl.xrm-ms	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\office32mui.msi.16.en-us.vreg.dat.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\offset_window.html.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul.xrm-ms	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\iexplore.exe.mui.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\1033\msmdsrvi_xl.rll	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\be_get.svg	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-ms.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_company.png.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\VVIEWDWG.DLL.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_closereview_18.svg	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\SLINTL.DLL.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nl-nl\ui-strings.js.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ul-oob.xrm-ms	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul-oob.xrm-ms	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-cn\ui-strings.js.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ro_get.svg.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ppd.xrm-ms.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-phn.xrm-ms.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\YEAR.XSL.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\cs-cz\ui-strings.js.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fi-fi\ui-strings.js	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\de-de\ui-strings.js	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pt-br\ui-strings.js	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\eu-es\ui-strings.js.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-phn.xrm-ms	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\XLLEX.DLL.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\Info.png	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-execution.xml.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\CourierStd.otf.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_ja.jar.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-pl.xrm-ms.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\SUMIPNTG.INF.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\file_icons.png.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MINSBROAMINGPROXY.DLL	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\new_icons.png	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msadcer.dll.mui	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.nl_ja_4.4.0.v20140623020002.jar.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-phn.xrm-ms.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_gridview_selected-hover.svg.RYK	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
200048	SCHTASKS.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 344	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	89
PID 5096 wrote to memory of 344	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	89
PID 5096 wrote to memory of 344	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	89
PID 5096 wrote to memory of 4816	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	91
PID 5096 wrote to memory of 4816	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	91
PID 5096 wrote to memory of 4816	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	91
PID 5096 wrote to memory of 7832	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	99
PID 5096 wrote to memory of 7832	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	99
PID 5096 wrote to memory of 7832	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	99
PID 5096 wrote to memory of 32424	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	100
PID 5096 wrote to memory of 32424	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	100
PID 5096 wrote to memory of 32424	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	100
PID 5096 wrote to memory of 32436	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	101
PID 5096 wrote to memory of 32436	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	101
PID 5096 wrote to memory of 32436	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	101
PID 5096 wrote to memory of 50212	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	105
PID 5096 wrote to memory of 50212	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	105
PID 5096 wrote to memory of 50212	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	105
PID 5096 wrote to memory of 51148	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	107
PID 5096 wrote to memory of 51148	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	107
PID 5096 wrote to memory of 51148	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	107
PID 5096 wrote to memory of 51196	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	109
PID 5096 wrote to memory of 51196	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	109
PID 5096 wrote to memory of 51196	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	109
PID 50212 wrote to memory of 51172	50212	net.exe	111
PID 50212 wrote to memory of 51172	50212	net.exe	111
PID 50212 wrote to memory of 51172	50212	net.exe	111
PID 51148 wrote to memory of 50448	51148	net.exe	112
PID 51148 wrote to memory of 50448	51148	net.exe	112
PID 51148 wrote to memory of 50448	51148	net.exe	112
PID 5096 wrote to memory of 50276	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	113
PID 5096 wrote to memory of 50276	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	113
PID 5096 wrote to memory of 50276	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	113
PID 51196 wrote to memory of 50504	51196	net.exe	115
PID 51196 wrote to memory of 50504	51196	net.exe	115
PID 51196 wrote to memory of 50504	51196	net.exe	115
PID 50276 wrote to memory of 51144	50276	net.exe	116
PID 50276 wrote to memory of 51144	50276	net.exe	116
PID 50276 wrote to memory of 51144	50276	net.exe	116
PID 5096 wrote to memory of 192972	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	121
PID 5096 wrote to memory of 192972	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	121
PID 5096 wrote to memory of 192972	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	121
PID 192972 wrote to memory of 192696	192972	net.exe	123
PID 192972 wrote to memory of 192696	192972	net.exe	123
PID 192972 wrote to memory of 192696	192972	net.exe	123
PID 5096 wrote to memory of 192628	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	124
PID 5096 wrote to memory of 192628	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	124
PID 5096 wrote to memory of 192628	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	124
PID 192628 wrote to memory of 196400	192628	net.exe	126
PID 192628 wrote to memory of 196400	192628	net.exe	126
PID 192628 wrote to memory of 196400	192628	net.exe	126
PID 5096 wrote to memory of 200048	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	127
PID 5096 wrote to memory of 200048	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	127
PID 5096 wrote to memory of 200048	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	127
PID 5096 wrote to memory of 340964	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	130
PID 5096 wrote to memory of 340964	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	130
PID 5096 wrote to memory of 340964	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	130
PID 340964 wrote to memory of 341032	340964	net.exe	132
PID 340964 wrote to memory of 341032	340964	net.exe	132
PID 340964 wrote to memory of 341032	340964	net.exe	132
PID 5096 wrote to memory of 341056	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	133
PID 5096 wrote to memory of 341056	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	133
PID 5096 wrote to memory of 341056	5096	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	133
PID 341056 wrote to memory of 341104	341056	net.exe	135

C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
"C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe"
1⤵
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Users\Admin\AppData\Local\Temp\HrufuaMkGrep.exe
  "C:\Users\Admin\AppData\Local\Temp\HrufuaMkGrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:344
- C:\Users\Admin\AppData\Local\Temp\KTKKGEOxElan.exe
  "C:\Users\Admin\AppData\Local\Temp\KTKKGEOxElan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:4816
- C:\Users\Admin\AppData\Local\Temp\WVuticIPSlan.exe
  "C:\Users\Admin\AppData\Local\Temp\WVuticIPSlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:7832
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:32424
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:32436
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:50212
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:51172
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:51148
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:50448
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:51196
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:50504
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:50276
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:51144
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:192972
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:192696
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:192628
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:196400
- C:\Windows\SysWOW64\SCHTASKS.exe
  SCHTASKS /CREATE /NP /SC DAILY /TN "PrintE8" /TR "C:\Windows\System32\cmd.exe /c for /l %x in (1,1,50) do start wordpad.exe /p C:\users\Public\4MC8W.dll" /ST 10:25 /SD 05/07/2022 /ED 05/14/2022
  2⤵
  - Creates scheduled task(s)
  PID:200048
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:340964
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:341032
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:341056
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:341104
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:461612
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:461664
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:461688
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:461736
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:461184
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:55096
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:461800
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:948
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:461640
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:461592
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:461188
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:461532
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:469412
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:469504
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:469464
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:469544
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:718112
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:718156
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:718036
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:718244
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:718140
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:718644
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:718376
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:718372
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:469356
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:718192
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:677848
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:718464
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:718532
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:718656
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:718168
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:718568
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:593384
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:718804
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:718292
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:718480
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:718324
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:718152
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:609500
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:718576
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:939328
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:939428
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:939320
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:939436
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:975224
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:975676
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:975148
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:975804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\$Recycle.Bin\S-1-5-21-1809750270-3141839489-3074374771-1000\RyukReadMe.html

Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.html

Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.html

Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\DumpStack.log.tmp.RYK

Filesize
8KB

MD5
fa7df31c6f958f940d35077df53aac5b

SHA1
507d000e6c0256c021ab2ddf3d817afcae72e2ce

SHA256
45299b3df5bf31115c7f14dd0f49f56b4560f3b8ead859cfae93f97dc2e4f4a3

SHA512
0b518725a826bd13e4909b97ae1c058fcb4a064c27cad97f0d7dfef2872079be3c4a9032d7bda9a83e12f390393605796c784367cc02abbc99dc2439801240f4

Download Submit
C:\PerfLogs\RyukReadMe.html

Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\RyukReadMe.html

Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst.RYK

Filesize
1KB

MD5
9865d3869d1438e38ad77ee55da3d646

SHA1
79f4ba1b96291419c3a31b462a29b2e8dec73ee7

SHA256
a56e8cb2a454b6382a86c8eac8cfdf1066744c91c2249ec920a7a3f4151d0cf5

SHA512
aaec3bbabb4cd00caa75c2ca701a2e63a9bd151d6f859d508970a00c9f07f74c0d0f7b1969ca1951b92cedc8ae3ad0f679f9938e515486f908bc59b9a36e3167

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst.RYK

Filesize
80KB

MD5
d8342798c1f51226b32d039f14c62339

SHA1
2b9c817f14853e2f7dcae4f42b14c0f4845b1ec4

SHA256
bca5f75be76ce7c3ea57a2a21b4e02361b46e3a239d57dd2f6064b459d5006fd

SHA512
32eb4cbbd812fd22c6ffc8ead6cea88807a4ad316993c3aed90ed02daef54156be3abbe2fefd9b0181e4f9c0bb42a9fc775805de00fa8e481ea2dda3b7cd9e4a

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt19.lst.RYK

Filesize
9KB

MD5
623e94b53057f5136ff313413306ca96

SHA1
77786983291c9732705050d78b7479c7bbcc2322

SHA256
b6f675743ff965000abc04bbea2ded978abe0d0842d335e81acf6cc700a049d0

SHA512
5e1a9753ad54dcb26faa5e9a62565d03b469129d58006feaebe65a5e04819b8fd3a87f3e71b0d2b480e39c3785624d434e98d1b07b3b694371d229c6557c27ef

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\RyukReadMe.html

Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat.RYK

Filesize
68KB

MD5
2d8bcfa08872eb9e9c84c4e709d95e0d

SHA1
f11299c61b3858d79cc1010ec8fcdb33dbb7feb7

SHA256
3b1e5ca968038a4c4244edcb020d1ff291d8c5f777b248197f24689694ce3e1c

SHA512
aef1f125508ac4e2618f17a4c4386e514228fe25ef8b59a9a39acdd61585543d572b1671ebeb3a54e7c6d54d4547f5d59398bbb68f642ae81930cb7bfdd2002e

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html

Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK

Filesize
12KB

MD5
13c1dc556a1a9ff89fc422eb0c6c5657

SHA1
d53d71282d1ef46834135328c1aec0bf1f63660f

SHA256
a288fd308a694b53b0f36e4b1a3b6bd53cd66b675cb1bb47697083e5431ba27d

SHA512
68adcce1770f01d3cb730a7123be07f08ecbe24d9a0a0720e209143d9e1353d19514be1ebd50a903ef80abbaa881edf45aab29da46725fc4bca02cf88a49d8e5

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\ToolsSearchCacheRdr\RyukReadMe.html

Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK

Filesize
32KB

MD5
1537630d88796f10f31697f4b0585d31

SHA1
1d6131b2b73ef73a048d7c30c36de16e65e7479a

SHA256
94d4a2140391cb9b71a1adeafa134ae074dcf2d62b88d60e99948e5e147d4dc8

SHA512
d90317f031a9683fd3a92b4b9713e8db3be9aa58a633d366e292c614f80a182ec0db00ab292f87ed8732c5f6a10fe6297957a3d46cbf5ed3440f7d1a722670d4

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK

Filesize
1KB

MD5
d3c6b6f3415693ae974ceacd30e7ca60

SHA1
d576d18818c4a46b482087a8dc387f85e57716ee

SHA256
1e2615f52463e38095c00fab3dbb7be1b17784c1cd8ed52f625802ff293502f5

SHA512
ec18f0ca0eadba7a50335dc7544ecb91eda028e8c4ac7b581127504fc2195c49906821bb4a0032dcd05b15ed3ce4ccb218daa5a5a6bd8771f5db15fcc6642a59

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

Filesize
2KB

MD5
544e7e451b9f0691aed226805cb3122e

SHA1
2e9054ed87c97ca6376edf39c47f740138a3c670

SHA256
39c4c86b2c81a07c5ba2f59371e6e1619be07e340167b63b71d2b019393c6851

SHA512
7a59047de0b29eb7dbf0f22d9d12daa232281286584abf41c97c04739a999130e19ccbe0b3c772261947068131907f7f5eb63b39b776263eefa077939f7b5bc9

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

Filesize
64KB

MD5
074ee22b230dc5b5c36e1fd30a945fb2

SHA1
79c5b7f52cc77f67ff464ef8a17d38a797bcdb87

SHA256
71f43a4f5304bec093b62229cc6659248558945798b0c83742f8badd4fc873dc

SHA512
76279e89e19aef452807307751854e9866ab406c9b8d2e64a18c1bf119cbd0d054f1a6b81eb39c98db08b2a9ef1194d9d75b8daad854edd3db6c2ea992256132

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Comms\RyukReadMe.html

Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\RyukReadMe.html

Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jcp.RYK

Filesize
8KB

MD5
75ed683c219a744a6ec9ea48fc1e2499

SHA1
38f34e1c2a08c43dfe4a155f878879598203ddbe

SHA256
0ae12008f30fddfb04566bda4ac6af5a1f68f26e242ba458131c4fa3e99193b6

SHA512
8d2d92f7243a7a8675ac58012a85e255c5ef845d05ab7c4e5c781957784f070d6f76cf1c61f835ff2b6bcd4c1f1724e9c878a132a87c1e40493e3c8a31f23709

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm.RYK

Filesize
16KB

MD5
123ab3b422563facc81ff797c61a2179

SHA1
c148d94e797661a5381b1efda87b27f29e13f06a

SHA256
42717643892312c16a58959bdc68c53beb81681b538dee1c4f17e4db5e5d0aa8

SHA512
51cde288486d2401bd4704d28f5aeaea8fd5ae70248ecb218f29bea86eab75be3bb8677f62af0993146ba07b555861e1d53dcb58cbabf4952a2a02334627d0bd

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.vol

Filesize
6.0MB

MD5
90e1de0ed6b508d3a589f1d1968bc3cc

SHA1
9d6db6d6d2d15de9e2a384aa6d35151d5e6d30c6

SHA256
9277d0d5b44687d6b725a0f8f6e9e976d7a3432637ebe621fe306e5671a96b3b

SHA512
b37c79a3fe85f9df5e3f06ef432cf1daadd1561521295a1dd00c4d91db25d50b5a18a05cae19c97a55d1a809a66a3612b791e67e5c3a893f926d025e14511ede

Download Submit
C:\Users\Admin\AppData\Local\Comms\Unistore\RyukReadMe.html

Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Comms\Unistore\data\RyukReadMe.html

Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Comms\Unistore\data\temp\RyukReadMe.html

Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\RyukReadMe.html

Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\RyukReadMe.html

Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\RyukReadMe.html

Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Packages\RyukReadMe.html

Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Publishers\RyukReadMe.html

Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log.RYK

Filesize
2KB

MD5
9f87816560c562c3e622eea2021260c1

SHA1
431dbc4c255e48c18db6d580f2b655a9eb1decbf

SHA256
6a1b0c62c24b20527ec447c4b05bd876df67f889289d392ed146cbf48bc1a814

SHA512
0fa773e01fab08ceebd95e4cf0224e2ad854086a6c3cc11089125e095d7224a397697cd908cf30746edba7255c180019dbfa2b63c55524fa8efd257cb2611d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HrufuaMkGrep.exe

Filesize
117KB

MD5
045eb328ff30b09cebd6fe3c031db7bc

SHA1
b28cd818c54d7a4f5416728a8f8408e6c9c40bc2

SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

SHA512
6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HrufuaMkGrep.exe

Filesize
117KB

MD5
045eb328ff30b09cebd6fe3c031db7bc

SHA1
b28cd818c54d7a4f5416728a8f8408e6c9c40bc2

SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

SHA512
6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log.RYK

Filesize
25KB

MD5
5938552f86bd812848ec6b363c8920d8

SHA1
1a70917ac613343586ce3fbafe813c14374caeee

SHA256
162ed88d3498b847b2eac07490e722ac31778580fdffe0a6f337bc3a543786ab

SHA512
c14fb311e6ba0f3b21aeccbb2390194a3efbaa409558d07766f4554737cff5bcd7707024ccd087f0136851c416984e6cf95e3ea0153e3472f38ccb25c3d1accb

Download Submit
C:\Users\Admin\AppData\Local\Temp\KTKKGEOxElan.exe

Filesize
117KB

MD5
045eb328ff30b09cebd6fe3c031db7bc

SHA1
b28cd818c54d7a4f5416728a8f8408e6c9c40bc2

SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

SHA512
6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KTKKGEOxElan.exe

Filesize
117KB

MD5
045eb328ff30b09cebd6fe3c031db7bc

SHA1
b28cd818c54d7a4f5416728a8f8408e6c9c40bc2

SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

SHA512
6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\RyukReadMe.html

Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\WVuticIPSlan.exe

Filesize
117KB

MD5
045eb328ff30b09cebd6fe3c031db7bc

SHA1
b28cd818c54d7a4f5416728a8f8408e6c9c40bc2

SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

SHA512
6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WVuticIPSlan.exe

Filesize
117KB

MD5
045eb328ff30b09cebd6fe3c031db7bc

SHA1
b28cd818c54d7a4f5416728a8f8408e6c9c40bc2

SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

SHA512
6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-3732.log

Filesize
754B

MD5
6a353cdb7556c604278f1bbf3035a8e2

SHA1
e2a9bae424f5153c6b9a1ba062eaa88a11f3008a

SHA256
d14c70332a6faaa3a0a3d547161ebc0178ab3ca1fe34e65445d776a633f88928

SHA512
b1d6f5e99fc76faaa6ec0f00159a3f78d6c1074940ab8ba87ddb8bf02b8f4885a66511351df1c346540c569fe7c50ec175383bf02121fa5c52ff4915b2e8a119

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
3KB

MD5
0382f9c02b1e768eb933c13c0c458d4a

SHA1
897327c524cd145e4b6a3c261dcce3773aa08639

SHA256
e0432da87da6be967ade9dae13d16e8d2e91f050381eadc53ac722d42c6ace98

SHA512
a08fdc552b136d85fdcf5be3ce0d3d6c2d01f0eb7a9aa926325c7466d9b52d4b5cf056c60fc86dab35e7de506ac56e7ab88ab1f095d90d197e24b8ba63cbe3d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI703B.txt

Filesize
11KB

MD5
b19c3f7b09606ddf86cc454c4af70b58

SHA1
483e60998faf5c9cee5146f655d7a03b14f45c17

SHA256
fef55e1382614eb2c0f2bb12fce83d17d5aa6063b9f89a00ee8a91a6b5d12fcc

SHA512
93ba35de24d89beb79f6627226a25cc3bc2513394de1ef31945ef0c9a431f6bdc0910f5f99766475cf659ba2c0ed29f87c7f6ec47248f0906e5a4f17db8dbb89

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI7076.txt

Filesize
11KB

MD5
852ec98bd39649c9719292e2fb758a6e

SHA1
27225805cd2392bba407d677afe142e67a322848

SHA256
19418b287dd286f595d6048c9b613be9327db61dd1c17f3df1b7b1e2c9eaf614

SHA512
c3a95f1e00cfb7bee962eb3b8ebc30b3312ed9388533f7f3eec3f8f0b1d22aa38579eac2339b61362826487207fe80bf7b9631546a59b3e3a967bd4e1b61519b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log.RYK

Filesize
266KB

MD5
b143785c6e337fd1f9d86109aa51e0e1

SHA1
0df6560def544af104d9a0f57f38f9144ad75270

SHA256
6bbe317f408080bfecb9ecc53987d8f5597ac6f101c13b69f89314b4f793a95f

SHA512
ce9caef5284abdfb53ba7c64d62953b617348c0fc647b7f67ac6415e2e267964003a12c29fd5c8481f9482a4373f358dcd81b87d240519d29059b02488e76ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge_installer.log

Filesize
3KB

MD5
c29a82f639a4a05036120c75d35a38be

SHA1
2f74ebe1b6fc6314bdbb102e93a096a1cc5b340a

SHA256
2422c15df28c661c0300f3c71d9131f00017d4ed4063c8b8dd0ecd871b229be3

SHA512
349e05771d379cd02bd29d507cfa2aa5f1a62f058d9a1ac7b15ca92e9800bb07ba402078048c4648e5a770cbe135d97ce8ab06e0fca48d5a28481fe325dc8988

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2B58.tmp

Filesize
25.9MB

MD5
b36acdef3fed64afda408c4876e50dfc

SHA1
729240c09a9461953b46b75c5c68263fa92e3837

SHA256
b7a3fe4bd47cda11199461872d372784a77d487f47602018257202d30bd614b5

SHA512
5bb95e8c51843c314ae3567245c49ea21b621de448358b568bfdb97538782129e7f4d2737b7122abea27cec87604f23ce5f80816b9454888588f4419aa3cca91

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2E74.tmp

Filesize
25.9MB

MD5
d4c27bf1572887d1e82d454ab51d155e

SHA1
f7a44317161e6a5a7cac048dd2735a05322581fc

SHA256
3f9436b8cecd6acd96f524b2927e0650c3eabc701c90872527f81ac035d7ce8d

SHA512
77a80b0b37f3057a93ee677b9179982bb431c85f8dd2622c42b8f4d2e692a0b5c8ad3a5c47de0e38e63492b05247240d09efb207f6213b8f56dace01fccb1d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct2859.tmp.RYK

Filesize
55KB

MD5
3045c0574a664e4a96252f76e9fdd427

SHA1
ebe343d522616845baabfea04bec859adf28feb8

SHA256
5c49f12060c07a253e2df3bedaec8d324c52425fc7facf8c94698ac9cda36fb8

SHA512
0ae008704a27f99d225e9f0d4aa29f11a8e844a6f8a67aed4a25de4f9f70d90ed6b99b1b84080c3537dd3b3b73a875594d331a6ae0a7a993a3acfc62f916fe4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct81E2.tmp.RYK

Filesize
55KB

MD5
627627c1166d77dc5d8bc923ef2c8c05

SHA1
6f83203b0cb2bb08e4ffbfd6e8637141cd0cfd91

SHA256
67320bd88cbdfa54338329bf960ab481b9053484b39eedcc3af8ed33398c8b9d

SHA512
1d78ab0b387728c0a693f0dfee3b1e1907af63d3dd23abb0b52da9cd78a20aa1a36a9e548dc175c9aa337377866b2488b1c55297fe7efa0a1ae1fb29ef978ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctAF0C.tmp

Filesize
40.2MB

MD5
8b90dc63337f98d1c9ba6dfaa2765d8c

SHA1
fd9c83271c83ace279210d57dd84513ed07638dc

SHA256
d19490f24053ff3a5f695e4839876cc29d67c087e9fdb891421afe4061d9bba1

SHA512
bf2d71045fa5df187e2e626043bab609f59213f8d9882c13bef80f0c3807feaebcebc3ed036ca1b77b99a7c32abb668e3d1b3cc0d960c01e6792b73b9b7b28db

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctB33D.tmp.RYK

Filesize
55KB

MD5
9b42c71766403479f37538f9f9bcb9c9

SHA1
04a58543bf821bc145153c52c45dd479f8b1c12f

SHA256
4015ccc33b939b1aeb244474d7e4fc32f200df00ff62c86aa243750baa2a202b

SHA512
d64acda7798058a5c3c850576e132abd234a18034490e68ba2dcac18dca5af0760e49cd14a2ed1b65b626222eb4e7f6e5b202a55421ab806d9f04deffb6460e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctC679.tmp.RYK

Filesize
55KB

MD5
791bc0b1de00e3b235579d493a3c2d97

SHA1
b6e63e94b5123a2c31ce4be1c1b53e429a6919d2

SHA256
0e837186d88b7131a00adb5afa1cfdac58eb79c089f16347ff3b3df6d3f1846e

SHA512
2f966b1ae196afd7ff101c1d619e2ca7bd90a6520e39855a1eeb3f32d3ba48e7c6b493d7902fdeb4439c3869e3f356053ea6172568d3b7f2cc754e05eb8f5fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctEB2B.tmp.RYK

Filesize
55KB

MD5
8092b31c6289b579f0f210f1bd0a6491

SHA1
c790bd0dbf17f39d81338382a9ed3d57dc8d73b3

SHA256
185ad94e2116236aaf15e6b06f25534d584cc44704fa0cad318a94aafb91c562

SHA512
d424647cd062a4680fd2023a3352aa474129815f8c257dc61e8dc427a33f42fd671374e5128085d5b48fac7f986ff3bce903df6c60e2750734056146a7f78968

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log.RYK

Filesize
978B

MD5
9832fc75cb8990385d38384ac826dd36

SHA1
8ca4937d8dbb4702efd5d6ef0fb1714bba336012

SHA256
0c66c8f84576d9cba24755bfbf2f80532c56d9c6c22837d1d009b4e2cb9c911d

SHA512
f333a98d182f05dffd3b5c84a56bb2a5ac27c71f9df806f28ee3fe8caf8d56d515d4570889d23db12b4e973cbbbda3e379057306aabb7d06b5dff35e0f862064

Download Submit
C:\Users\RyukReadMe.html

Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\odt\RyukReadMe.html

Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\odt\config.xml.RYK

Filesize
978B

MD5
5e046845730513fd0bfaa38442c1822a

SHA1
69cf7b1732f71baf7d5b1fb98776cdf39ea3051f

SHA256
c488352b13b76afd9a2694699731282d9213ec263403f0f291aff24a2b24a66b

SHA512
5d79154eebc2278563195a10e718b4007d71669807b581752b7c5b929240ed672abb5181534c3fca4c1cb19ceb911b38b503551d8eff7300a3f6d16f0fd0c6c5

Download Submit
C:\users\Public\RyukReadMe.html

Filesize
1KB

MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit