ryuk | 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689

Analysis

max time kernel
484s
max time network
1609s
platform
windows10_x64
resource
win10-20220414-en
submitted
06-05-2022 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
Size

190KB
MD5

ffef678beca8ee60200bc88809d89630
SHA1

b31070af1ac3e088dfc6f1599f8d12edb1b16783
SHA256

320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689
SHA512

54298098a866e24d99e3764154ae3ca4481e9163fd6e9e0d2c27d7978065a38da38accd58268c985b4ed0cfd4c11a27f4fa51e815c2d7a15e3ec18c453df89c3

Score

10^/10

ryuk discovery persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> monsbumide1974@protonmail.com <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

monsbumide1974@protonmail.com

Extracted

Path

C:\Users\Admin\AppData\Local\Publishers\RyukReadMe.html

Family

ryuk

Ransom Note

monsbumide1974@protonmail.com balance of shadow universe Ryuk

Emails

monsbumide1974@protonmail.com

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops file in Drivers directory 9 IoCs

Processes:

320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe

Executes dropped EXE 1 IoCs

Processes:

fgLlaTa.exe

pid process

1104 fgLlaTa.exe

pid	process
1104	fgLlaTa.exe

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\TraceBackup.tif.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Users\Admin\Pictures\CompareResolve.tif.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Users\Admin\Pictures\HideRead.raw.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Users\Admin\Pictures\JoinMeasure.png.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Users\Admin\Pictures\SearchLimit.png.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Users\Admin\Pictures\SyncUndo.tif.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe

Drops startup file 2 IoCs

Processes:

320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exe

pid process

2876 icacls.exe
1704 icacls.exe
220 icacls.exe
1660 icacls.exe

pid	process
2876	icacls.exe
1704	icacls.exe
220	icacls.exe
1660	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fgLlaTa.exe"	reg.exe

Drops file in System32 directory 64 IoCs

Processes:

320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Dism\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\c_fsquotamgmt.inf_amd64_0e90a152dac6ed91\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\c_netclient.inf_amd64_40468abc5559cc75\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\displayoverride.inf_amd64_c0d1cad06a0a598a\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmpin.inf_amd64_a7ea860f8a9b0315\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\usbcir.inf_amd64_ba2718ee23a7ac48\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MP830\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\_Default\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\_Default\Professional\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\MUI\0411\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\scmbus.inf_amd64_7fb5f9272f2cba00\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\usbstor.inf_amd64_e6e84dc8b3a2a824\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MG8100\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MP250\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\acpipagr.inf_amd64_7cda501e97f7d36b\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\stornvme.inf_amd64_2658ace59093e6dd\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\winusb.inf_amd64_965273be3ff6ea50\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\he-IL\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\000a\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\wbem\it-IT\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\en\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\es-ES\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\arcsas.inf_amd64_5f236fef4b16ceac\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wnetvsc_vfpp.inf_amd64_a5d3da640e7e06e2\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wvmic_ext.inf_amd64_e320ef16485392eb\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\en-GB\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\MUI\0407\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\setup\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetworkConnectivityStatus\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\Dism\ja-JP\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\c_fssystemrecovery.inf_amd64_5988d2ec543a9bf2\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\c_securitydevices.inf_amd64_0a48da67b4800672\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmairte.inf_amd64_924b5a11fc6fb755\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\Speech\Common\en-US\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\de-DE\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ServiceResource\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\Configuration\BaseRegistration\es-ES\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\c_volume.inf_amd64_0b6d9d64c319b02d\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\flpydisk.inf_amd64_45c46b6b6624cebf\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmusrgl.inf_amd64_d23b88063aa01b83\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_708bc7360cbceaea\Amd64\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MG5300\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\migration\en-US\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\en-US\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0c0c\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\Licenses\neutral\OEM\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TrustedPlatformModule\en-US\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\c_display.inf_amd64_23eb64caf422f130\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\c_netdriver.inf_amd64_469178fa51107c59\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\sisraid2.inf_amd64_845e008c32615283\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSecurity\ja\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\ja-JP\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmnttp.inf_amd64_cb7c8349fd73523e\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netxex64.inf_amd64_ede00b448bfe8099\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\pt-BR\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\fr\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\fr-FR\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmzyxel.inf_amd64_d7afaceded92585e\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe

Drops file in Program Files directory 64 IoCs

Processes:

320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\MusicVideosDialogBackground.jpg	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\ui-strings.js	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\Welcome.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedLargeTile.scale-200.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7357_20x20x32.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosMedTile.contrast-black_scale-200.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-80.png.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hu-hu\ui-strings.js.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\es-ES.PhoneNumber.ot	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-24_altform-unplated_contrast-white.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\ui-strings.js	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarLargeTile.scale-125.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldNotBe.snippets.ps1xml	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceDaYi.txt	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons.png.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down-pressed.gif	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ca-es\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-tw\ui-strings.js	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-phn.xrm-ms.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-pl.xrm-ms.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\Chevron.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7989_24x24x32.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\AppxMetadata\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInTray.gif.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\faf_icons.png.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\PSGet.Resource.psd1.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\illustrations_retina.png.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\Sounds\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\10912_24x24x32.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-72.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Contrast\contrast-white\BuilderLogo.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\it-it\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul-oob.xrm-ms.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_nothumbnail_34.svg.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-pl.xrm-ms	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PowerPointInterProviderRanker.bin	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\pw_60x42.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\cloud_secured_lg.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\MedTile.scale-125.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pt-br\ui-strings.js	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ja-jp\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeLargeTile.scale-125.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\AppList.scale-150.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-pl.xrm-ms.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ul-oob.xrm-ms.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-focus_32.svg	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\System\ole db\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\logo.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\mask\11d.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe

Drops file in Windows directory 64 IoCs

Processes:

320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-t..sionagent.resources_31bf3856ad364e35_10.0.15063.0_it-it_27d8d82ccb4b9294\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..2platform.resources_31bf3856ad364e35_11.0.15063.0_de-de_50a996e382fdd054\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..count-adm.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_343b192f0d0a2e3b\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-u..access-userdataapis_31bf3856ad364e35_10.0.15063.0_none_1af1ade6fa01514c\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..rvice-adm.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_bfe240b8063260ca\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..l-keyboard-0001040a_31bf3856ad364e35_10.0.15063.0_none_b0bd9a2d81e8697b\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_mdmhandy.inf_31bf3856ad364e35_10.0.15063.0_none_d398c2706c335a5d\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..-localservicebroker_31bf3856ad364e35_10.0.15063.0_none_013f7796136dc798\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..demanager.resources_31bf3856ad364e35_10.0.15063.0_it-it_a716cf9d7512ce4e\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..vider-dll.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_5afb4877f04d826c\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-msdt-adm.resources_31bf3856ad364e35_10.0.15063.0_en-us_092636e3a5dfac4a\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.DirectoryServices.AccountManagement.resources\3.5.0.0_ja_b77a5c561934e089\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop\v4.0_10.0.0.0__31bf3856ad364e35\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shadowcopywmiprovider_31bf3856ad364e35_10.0.15063.0_none_c150eab67ace2ae3\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..rvices-registryapis_31bf3856ad364e35_10.0.15063.0_none_b566010b5aca66bb\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-d..sprovider.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_9736a61bcea3ea55\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\diagnostics\system\AERO\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.powershell.scheduledjob.module_31bf3856ad364e35_10.0.15063.0_none_280141b4f2f305e0\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-a..skmanager.resources_31bf3856ad364e35_10.0.15063.0_es-es_2707e4b013f68f37\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\msil_system.data.services.design.resources_b77a5c561934e089_4.0.14917.0_de-de_37e92d7853ae922e\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-ntshrui.resources_31bf3856ad364e35_10.0.15063.0_de-de_6ac731ea920a5796\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-netplwiz.resources_31bf3856ad364e35_10.0.15063.0_de-de_3b630fac4cce26a1\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..redential.resources_31bf3856ad364e35_10.0.15063.0_es-es_e86317ec65cbdfe4\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-uxtheme.resources_31bf3856ad364e35_10.0.15063.0_en-us_2733d89f7f749adb\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_10.0.15063.0_nl-nl_58f75d4f79672d15\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-dskquota.resources_31bf3856ad364e35_10.0.15063.0_en-us_b5f9f1e9e00cf19b\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-d..ctshow-dv.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_5829c893a6cdca0c\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..rsist-rll.resources_31bf3856ad364e35_10.0.15063.0_es-es_6cdc5279ce972598\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..xe-common.resources_31bf3856ad364e35_10.0.15063.0_es-es_6ca1b9b21c03f412\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Data.resources\2.0.0.0_ja_b77a5c561934e089\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_prnge001.inf.resources_31bf3856ad364e35_10.0.15063.0_en-us_099f439791504c1e\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_11.0.15063.0_none_e478cee55709b242\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\msil_system.servicemodel.activation.resources_31bf3856ad364e35_4.0.14917.0_de-de_15e1d3bc9874a7bc\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-cryptcatsvc-dll_31bf3856ad364e35_10.0.15063.0_none_c0c382652bed98bb\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-wcmapi_31bf3856ad364e35_10.0.15063.0_none_50b452293aef9c05\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_prnnecl2.inf.resources_31bf3856ad364e35_10.0.15063.0_es-es_2d3557a65674f876\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-i..sideincludebinaries_31bf3856ad364e35_10.0.15063.0_none_17a4bff79f81db10\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-s..center-controlpanel_31bf3856ad364e35_10.0.15063.0_none_62e7e81d70f4b16e\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-duser_31bf3856ad364e35_10.0.15063.0_none_6b88878235493b61\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_netfx4-penimc_b03f5f7f11d50a3a_4.0.14917.0_none_4e21e66ecf455d18\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-i..on-server2003compat_31bf3856ad364e35_10.0.15063.0_none_7e92b607e661402f\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\msil_microsoft.web.confi..apphostfileprovider_31bf3856ad364e35_10.0.15063.0_none_f6bcb8da852e225c\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-p..inrt-core.resources_31bf3856ad364e35_10.0.15063.0_en-us_7c38b757c3fd7a26\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-c..mplus.res.resources_31bf3856ad364e35_10.0.15063.0_es-es_57dd1e43c2a88b5b\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-usercpl.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_4ad8eedd16d9ea16\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\x86_netfx4-servicemodelreg_exe_b03f5f7f11d50a3a_4.0.14917.0_none_2d68701fa94905ab\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.OracleClient.resources\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_genericusbfn.inf.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_6fa650a0d8e529c6\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..lient.graph.cortana_31bf3856ad364e35_10.0.15063.0_none_ad4c3e44b6b2e165\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_netfx4-system.deployment.resources_b03f5f7f11d50a3a_4.0.14917.0_de-de_b291efe7bf5004a6\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-i..-wow64-setupdll0c0c_31bf3856ad364e35_10.0.15063.0_none_fd2b949cea9b7b43\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-hgsclient-powershell_31bf3856ad364e35_10.0.15063.0_none_6115bdd42451b5af\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..gementwmi.resources_31bf3856ad364e35_10.0.15063.0_de-de_e1ca500192f40795\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_mstape.inf_31bf3856ad364e35_10.0.15063.0_none_3f1d0ca14e2330c9\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\msil_microsoft.build.tasks.resources_b03f5f7f11d50a3a_10.0.15063.0_it-it_17481829ec049b17\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-diagcpl.resources_31bf3856ad364e35_10.0.15063.0_es-es_18f98c04d861bde0\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ion-agent.resources_31bf3856ad364e35_10.0.15063.0_it-it_eeed794bab3a9aa6\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_tpmvsc.inf.resources_31bf3856ad364e35_10.0.15063.0_es-es_6cf217cc13517e17\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-taskbarcpl.resources_31bf3856ad364e35_10.0.15063.0_en-us_861397cc7a9e8d46\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-w..aincompat.resources_31bf3856ad364e35_10.0.15063.0_de-de_ba00096e53dc8fdc\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-settingsync-azure_31bf3856ad364e35_10.0.15063.0_none_ff41602930f227ae\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-i..ation-net.resources_31bf3856ad364e35_10.0.15063.0_de-de_9f30080f1782830e\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..om-miantuan.cortana_31bf3856ad364e35_10.0.15063.0_none_edfba5bd1d34275c\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

4056 vssadmin.exe
3776 vssadmin.exe
Runs net.exe

pid	process
4056	vssadmin.exe
3776	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exefgLlaTa.exe

pid	process
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
1104	fgLlaTa.exe
1104	fgLlaTa.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
1104	fgLlaTa.exe
1104	fgLlaTa.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
1104	fgLlaTa.exe
1104	fgLlaTa.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
1104	fgLlaTa.exe
1104	fgLlaTa.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
1104	fgLlaTa.exe
1104	fgLlaTa.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
1104	fgLlaTa.exe
1104	fgLlaTa.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
1104	fgLlaTa.exe
1104	fgLlaTa.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
1104	fgLlaTa.exe
1104	fgLlaTa.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
1104	fgLlaTa.exe
1104	fgLlaTa.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
1104	fgLlaTa.exe
1104	fgLlaTa.exe
2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exefgLlaTa.exevssvc.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
Token: SeBackupPrivilege	1104	fgLlaTa.exe
Token: SeBackupPrivilege	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
Token: SeBackupPrivilege	2880	vssvc.exe
Token: SeRestorePrivilege	2880	vssvc.exe
Token: SeAuditPrivilege	2880	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1076	WMIC.exe
Token: SeSecurityPrivilege	1076	WMIC.exe
Token: SeTakeOwnershipPrivilege	1076	WMIC.exe
Token: SeLoadDriverPrivilege	1076	WMIC.exe
Token: SeSystemProfilePrivilege	1076	WMIC.exe
Token: SeSystemtimePrivilege	1076	WMIC.exe
Token: SeProfSingleProcessPrivilege	1076	WMIC.exe
Token: SeIncBasePriorityPrivilege	1076	WMIC.exe
Token: SeCreatePagefilePrivilege	1076	WMIC.exe
Token: SeBackupPrivilege	1076	WMIC.exe
Token: SeRestorePrivilege	1076	WMIC.exe
Token: SeShutdownPrivilege	1076	WMIC.exe
Token: SeDebugPrivilege	1076	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1076	WMIC.exe
Token: SeRemoteShutdownPrivilege	1076	WMIC.exe
Token: SeUndockPrivilege	1076	WMIC.exe
Token: SeManageVolumePrivilege	1076	WMIC.exe
Token: 33	1076	WMIC.exe
Token: 34	1076	WMIC.exe
Token: 35	1076	WMIC.exe
Token: 36	1076	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1076	WMIC.exe
Token: SeSecurityPrivilege	1076	WMIC.exe
Token: SeTakeOwnershipPrivilege	1076	WMIC.exe
Token: SeLoadDriverPrivilege	1076	WMIC.exe
Token: SeSystemProfilePrivilege	1076	WMIC.exe
Token: SeSystemtimePrivilege	1076	WMIC.exe
Token: SeProfSingleProcessPrivilege	1076	WMIC.exe
Token: SeIncBasePriorityPrivilege	1076	WMIC.exe
Token: SeCreatePagefilePrivilege	1076	WMIC.exe
Token: SeBackupPrivilege	1076	WMIC.exe
Token: SeRestorePrivilege	1076	WMIC.exe
Token: SeShutdownPrivilege	1076	WMIC.exe
Token: SeDebugPrivilege	1076	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1076	WMIC.exe
Token: SeRemoteShutdownPrivilege	1076	WMIC.exe
Token: SeUndockPrivilege	1076	WMIC.exe
Token: SeManageVolumePrivilege	1076	WMIC.exe
Token: 33	1076	WMIC.exe
Token: 34	1076	WMIC.exe
Token: 35	1076	WMIC.exe
Token: 36	1076	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5420	WMIC.exe
Token: SeSecurityPrivilege	5420	WMIC.exe
Token: SeTakeOwnershipPrivilege	5420	WMIC.exe
Token: SeLoadDriverPrivilege	5420	WMIC.exe
Token: SeSystemProfilePrivilege	5420	WMIC.exe
Token: SeSystemtimePrivilege	5420	WMIC.exe
Token: SeProfSingleProcessPrivilege	5420	WMIC.exe
Token: SeIncBasePriorityPrivilege	5420	WMIC.exe
Token: SeCreatePagefilePrivilege	5420	WMIC.exe
Token: SeBackupPrivilege	5420	WMIC.exe
Token: SeRestorePrivilege	5420	WMIC.exe
Token: SeShutdownPrivilege	5420	WMIC.exe
Token: SeDebugPrivilege	5420	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5420	WMIC.exe
Token: SeRemoteShutdownPrivilege	5420	WMIC.exe
Token: SeUndockPrivilege	5420	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exenet.exenet.exefgLlaTa.execmd.exenet.execmd.exe

description	pid	process	target process
PID 2692 wrote to memory of 1104	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	fgLlaTa.exe
PID 2692 wrote to memory of 1104	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	fgLlaTa.exe
PID 2692 wrote to memory of 1104	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	fgLlaTa.exe
PID 2692 wrote to memory of 2420	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	sihost.exe
PID 2692 wrote to memory of 2436	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	svchost.exe
PID 2692 wrote to memory of 2760	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	taskhostw.exe
PID 2692 wrote to memory of 1912	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	net.exe
PID 2692 wrote to memory of 1912	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	net.exe
PID 2692 wrote to memory of 1912	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	net.exe
PID 2692 wrote to memory of 2416	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	net.exe
PID 2692 wrote to memory of 2416	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	net.exe
PID 2692 wrote to memory of 2416	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	net.exe
PID 2692 wrote to memory of 3244	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	ShellExperienceHost.exe
PID 1912 wrote to memory of 728	1912	net.exe	net1.exe
PID 1912 wrote to memory of 728	1912	net.exe	net1.exe
PID 1912 wrote to memory of 728	1912	net.exe	net1.exe
PID 2416 wrote to memory of 2996	2416	net.exe	net1.exe
PID 2416 wrote to memory of 2996	2416	net.exe	net1.exe
PID 2416 wrote to memory of 2996	2416	net.exe	net1.exe
PID 2692 wrote to memory of 3272	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	SearchUI.exe
PID 2692 wrote to memory of 3468	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	RuntimeBroker.exe
PID 2692 wrote to memory of 3668	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	DllHost.exe
PID 1104 wrote to memory of 1660	1104	fgLlaTa.exe	icacls.exe
PID 1104 wrote to memory of 1660	1104	fgLlaTa.exe	icacls.exe
PID 1104 wrote to memory of 1660	1104	fgLlaTa.exe	icacls.exe
PID 1104 wrote to memory of 2876	1104	fgLlaTa.exe	icacls.exe
PID 1104 wrote to memory of 2876	1104	fgLlaTa.exe	icacls.exe
PID 1104 wrote to memory of 2876	1104	fgLlaTa.exe	icacls.exe
PID 1104 wrote to memory of 3856	1104	fgLlaTa.exe	cmd.exe
PID 1104 wrote to memory of 3856	1104	fgLlaTa.exe	cmd.exe
PID 1104 wrote to memory of 3856	1104	fgLlaTa.exe	cmd.exe
PID 1104 wrote to memory of 3776	1104	fgLlaTa.exe	vssadmin.exe
PID 1104 wrote to memory of 3776	1104	fgLlaTa.exe	vssadmin.exe
PID 1104 wrote to memory of 3776	1104	fgLlaTa.exe	vssadmin.exe
PID 1104 wrote to memory of 848	1104	fgLlaTa.exe	net.exe
PID 1104 wrote to memory of 848	1104	fgLlaTa.exe	net.exe
PID 1104 wrote to memory of 848	1104	fgLlaTa.exe	net.exe
PID 3856 wrote to memory of 1076	3856	cmd.exe	WMIC.exe
PID 3856 wrote to memory of 1076	3856	cmd.exe	WMIC.exe
PID 3856 wrote to memory of 1076	3856	cmd.exe	WMIC.exe
PID 848 wrote to memory of 212	848	net.exe	net1.exe
PID 848 wrote to memory of 212	848	net.exe	net1.exe
PID 848 wrote to memory of 212	848	net.exe	net1.exe
PID 2692 wrote to memory of 1704	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	icacls.exe
PID 2692 wrote to memory of 1704	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	icacls.exe
PID 2692 wrote to memory of 1704	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	icacls.exe
PID 2692 wrote to memory of 220	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	icacls.exe
PID 2692 wrote to memory of 220	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	icacls.exe
PID 2692 wrote to memory of 220	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	icacls.exe
PID 2692 wrote to memory of 1560	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	cmd.exe
PID 2692 wrote to memory of 1560	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	cmd.exe
PID 2692 wrote to memory of 1560	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	cmd.exe
PID 2692 wrote to memory of 4056	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	vssadmin.exe
PID 2692 wrote to memory of 4056	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	vssadmin.exe
PID 2692 wrote to memory of 4056	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	vssadmin.exe
PID 2692 wrote to memory of 432	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	cmd.exe
PID 2692 wrote to memory of 432	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	cmd.exe
PID 2692 wrote to memory of 432	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	cmd.exe
PID 2692 wrote to memory of 3552	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	net.exe
PID 2692 wrote to memory of 3552	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	net.exe
PID 2692 wrote to memory of 3552	2692	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	net.exe
PID 432 wrote to memory of 5424	432	cmd.exe	reg.exe
PID 432 wrote to memory of 5424	432	cmd.exe	reg.exe
PID 432 wrote to memory of 5424	432	cmd.exe	reg.exe

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2420

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2760

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3468

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3668

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3272

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3244

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2436

C:\Users\Admin\AppData\Local\Temp\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
"C:\Users\Admin\AppData\Local\Temp\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692

C:\Users\Admin\AppData\Local\Temp\fgLlaTa.exe
"C:\Users\Admin\AppData\Local\Temp\fgLlaTa.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:1660

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:2876

C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
3⤵
- Suspicious use of WriteProcessMemory
PID:3856

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3776

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\fgLlaTa.exe" /f /reg:64
3⤵
PID:25716

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\fgLlaTa.exe" /f /reg:64
4⤵
- Adds Run key to start application
PID:26528

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:67768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:69496

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:141072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:142284

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:221436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:223748

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:308372

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:308356

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:345444

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:347092

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:463884

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:466136

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:579232

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:580548

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:623408

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:623536

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:628464

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:628408

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:634556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:634688

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:644320

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:644448

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:655396

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:655532

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:702520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:703368

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:762468

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:762612

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:823788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:824224

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:892600

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:892616

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:935432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:937312

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:977360

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:977776

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:1.00008e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1.000304e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:1.029908e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1.03008e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:1.087472e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1.087576e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:1.132648e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1.133796e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:1.139408e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1.139536e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:79492

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1.139588e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:1.139264e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1.139572e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:1.148832e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1.148912e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:1.16136e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1.161488e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:1.18882e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1.188924e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:1.21682e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1.216948e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:1.280352e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1.280508e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:1.359004e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1.35986e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:1.450524e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1.450992e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:1.506084e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1.506224e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:1.545892e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1.546044e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:1.571928e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1.572064e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:728

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2996

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1704

C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
2⤵
PID:1560

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5420

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:4056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe" /f /reg:64
2⤵
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe" /f /reg:64
3⤵
- Adds Run key to start application
PID:5424

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:3552

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1204

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:220

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:47016

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:48300

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:73976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:75180

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:123124

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:124000

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:147764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:148344

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:208016

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:209900

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:224556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:227924

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:308200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:308304

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:308192

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:308392

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:319388

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:320764

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:355420

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:357700

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:445516

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:447240

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:470300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:471304

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:553072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:554356

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:587168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:588984

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:620568

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:620848

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:623568

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:623596

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:628248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:628380

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:628780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:628920

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:633556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:633688

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:634868

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:634720

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:641016

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:641148

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:644436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:644372

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:653116

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:653248

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:655848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:655992

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:683712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:684688

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:704972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:705100

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:748020

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:748264

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:763516

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:763664

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:797348

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:797556

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:827832

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:827960

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:874920

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:875164

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:895612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:895784

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:927544

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:927556

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:938352

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:938480

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:969088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:970720

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:978048

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:978176

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:995208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:995300

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.001124e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.00126e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.022932e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.023052e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.031036e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.031164e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.085008e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.08514e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.087796e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.08794e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.116124e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.116456e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.135228e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.135472e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.139176e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.139308e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.139636e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:49960

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.139184e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.13938e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.139436e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:79320

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.139664e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.139248e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.139464e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:79448

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.146324e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.14648e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.148876e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.148996e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.159048e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.159072e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.161892e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.16202e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.184864e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.185016e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.189732e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.189016e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.210312e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.210412e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.217312e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.217448e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.267644e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.2679e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.280992e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.280548e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.336136e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.336348e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.360164e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.360296e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.432832e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.43336e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.450912e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.451512e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.495396e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.495544e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.50616e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.506176e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.539848e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.54e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.546172e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.54604e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.566796e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.56704e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.572164e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.5723e+06

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_76f411f2-f958-478f-9f12-a06e3c38c2bf
Filesize
52B

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK
Filesize
338B

MD5
49f3240d5a0e4196164d2aec4eb471f0

SHA1
2fdf73e927e803550a8d3316cc7306c4e1a7af4f

SHA256
1be5d68d0c2709d6f72b7aa68121973ace7de437264c956cbb38b21b8895de97

SHA512
b5391eb2a3837aca16ec26bb92054708d8f1f96d5645f5d03dd59aa49f89ff65684cde83e6839aa5479596f737e6ebeae9129a6e0fc9dc21468cffa5f3bc449c

Download Submit
C:\Users\Admin\.oracle_jre_usage\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst.RYK
Filesize
1KB

MD5
6449d1f245af353411e099508fed105e

SHA1
1321cbf23ba9d22ff99e008d92482c53980959d0

SHA256
bbacb85bec52217d98d9b733137ec425301f986a34a79d648066f31c9dde7ed6

SHA512
7bc2af999d138723a36248772a4d3eed886f23fc7d907c40159fe902b8f470fbeb68d6d2d22804df33a7da30455f524070921a8bcb0c13014eb4c53c2f5a4586

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst.RYK
Filesize
72KB

MD5
606b757ddabb9b3a7dfca7b817973a98

SHA1
2ffbfa1e69faed4fd9e88af177e4937955a65d52

SHA256
48db084175fc6cfaed94c8d2d62675055909ad31ebb7359769a17dead277cd3b

SHA512
0fdcf531bd44ba651035e50a758db1516883039e59e18f4190cc888d14f9dd0594074fc85b4c114e113d9fa577bdc296cdff2c2506dfa1856594e8cbf3349373

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt19.lst.RYK
Filesize
9KB

MD5
d1321cc0f1974f5a7fb9746ebcefdbfe

SHA1
78daeb6d0e158d8d7eb273f93c93e95951ce1f6e

SHA256
f72c673caa2c1487d0384e66f9de3e595f47125701a21d11c86d16d4d7003be4

SHA512
678f80c5a51477102fdeecdd1fc105ebdbdd06e084ce7d7796b7b3522164fb1bd1b74d8ee0c880544fa84d3571c49acac002f7da650b4718d13d34f8aac1c344

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat.RYK
Filesize
68KB

MD5
7d4f7131f574710b9beface1936bfaa5

SHA1
38e7db1e90e0a563f83d9a322a1422f10f565a90

SHA256
68ac3600aa48bfe12f1f1dc184902e910850eb6a1004468873b0a4c9967e7555

SHA512
33b6cdf517b9ca6e88c4ae8859eb80c238044a247bf208ef6491710c319376a4c9dcdc7d7a1d12e3052908f44a341b53b473638783268ef69966fcc68c2bedb4

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK
Filesize
12KB

MD5
9de0ffe58952a43dc58fb51cec1a7b3b

SHA1
0f5df6a06cd4308f7e625846d0f35556a79c908a

SHA256
af40984425976a48e2bc3a4b182b3b676182e5e168e47233674bf9a82659fa06

SHA512
f051c3f59a0b66cb192a38279c9856a231d0b8231a3949a65f81bf851397557348537d43ee9469a09ca19d5815ba6ce5f5ceac959ab86dbec88007b46131e81e

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\ToolsSearchCacheRdr\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK
Filesize
31KB

MD5
47ab3191991ddc89aaac8e5d34eea70f

SHA1
f35402404039e41bfd935683aecc68e733edc151

SHA256
43979d3c06cee5c12714f74e87646681ea0fa672a80a25ca48fb9c9bb43e7351

SHA512
a4bc7bcac012ada220d04d2e561de8e03aa764d39b186961e8d73d81a96f18a1aef4a425114c85d9c6723590fed3e8094bcc350034d2b8a35e7d047c4e0c18ca

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK
Filesize
1KB

MD5
87beb38c1d9a8ce21520a52159fc1d56

SHA1
5756d8af59c4ca4a757013a80e157b95c1e75c96

SHA256
528254d76a6c7ab49c44b271a8a9e497ecf2d95fe3ff57fc3fb032f90cc2dc48

SHA512
94c687a23136941dfaf3861210126e1ef727fe81596c1a21540058d5097f132692a0ddd37bbe8f3e03cfeb8ee340d80d1544be98d4abb4dff5765ad9fa92460a

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
Filesize
2KB

MD5
8650ac656cfa69d81761af1a54b06e5c

SHA1
b8f60f599accc98b6b36b0e2a2be9c422ad65e9f

SHA256
dd20747b5171bcd2ed7c4c112855da13a2acbab7e19cff2225b49a3ce10affc1

SHA512
5bda4712798b0c90b0e5b32f64ecdf602bc5d768ca7f6ca188406cead40ad36ecf12257fa9df421734bda6588420adbe9f356eb78cb934b3eb9d268717afc940

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
Filesize
64KB

MD5
e5a318a8d5709d1066bbe4633e9b3421

SHA1
9295497f167848bfb78084582779e3866771f4fd

SHA256
5365787db6276c13b1f6b88b3a30750e382454da66a66e15dc33e2a301015710

SHA512
71113daae2f34c7e8fd712f7ea5d7c38460750b4b2c4af4e586e486d03f60830d9134a8eeca1d3242215e6f3286740165c9b7053033f3c368eb0b20b938fbf68

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Adobe\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Comms\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jcp.RYK
Filesize
8KB

MD5
5b1b553440fc6d59c3ea41f821ceb7a7

SHA1
ea82a8441d1c383db8acff45ffe67044c20eb6af

SHA256
0f8f44e77307ee7bd1b58abd6899a522dee6b64382e1c52672d95b10d846e472

SHA512
8a2ae1c345e81e0ec7310232fc2cf70f3c5e44e75c6d3c71f7359f1995006d3043dfce8ed53e81a28860fb14095835d6321bb01a036aa922a25694c41900aad0

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm.RYK
Filesize
16KB

MD5
75ef09aaa1f1b49a2d667492eef7e15b

SHA1
7cac9482a639b1d30210b8d92497d794b43559a7

SHA256
307b3cd7d8522ab706175bcf88c13154b947d5498241b8d49534dae09e203166

SHA512
dd3d01c766d0afa7317511c88ea49c563488860ae1b8e9f869b582652f9c096e61890838eea1bf3748f89b7806ab5e7c15bef6c3c0a657782c3f4586e2bc0fe2

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.vol.RYK
Filesize
6.5MB

MD5
9f23448fdc39bc21fdab39f64199e446

SHA1
4f192c19eeaa680c5bb03220c32000f61e66ee47

SHA256
0865acb560b0a48cb1bc4483e76ec50243d74ff4e0c40ed9fde3357e71df45ab

SHA512
e930d41e95feb801132a5ef329488f7cb1e2c5c87f2957352a3f39329316d70102806ef8a2aa09bb492acb1be6fe150cfa0e1f7668d887a960941b4889c86c97

Download Submit
C:\Users\Admin\AppData\Local\Comms\Unistore\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Comms\Unistore\data\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Comms\Unistore\data\temp\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Packages\windows_ie_ac_001\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\PeerDistRepub\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Publishers\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\174726148\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log.RYK
Filesize
2KB

MD5
da84f5560a528bcd26dd389328f1e7c1

SHA1
9110aed3e1261f6ad546f9dd83eff8f19aeeef8f

SHA256
6207c57a17f3a0972b086529566f36d9e0f9e8e10e7c489590361e19e519fc2e

SHA512
e5cfab48f0f5a5ae71dee4ecc53bd8c6f446e9ff10b062fd8d5faa224f7a2d84a475423ad6db740f2755de3a1f84dedc8c7434509fe5a34b3b5546c47cf70406

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log.RYK
Filesize
25KB

MD5
2a7fe8ecbc145198b9b49857c4cba44c

SHA1
bd488183ddf49b0516acc90df2274e526cc1d543

SHA256
8ab374637e919bfe1ddefed503f4461781f112ce3e010c2a992f08e36b4d7280

SHA512
419f09be48903221468ff36407f8277c6ae0a9c4497830f0d6f9f3018eb7e30f6f60b9678a6f555c679de6cff76eb3b46891353f25649100b3f1f26e736ac466

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\NZMSJAPR-20220414-2119.log.RYK
Filesize
60KB

MD5
e386620ab68e74a825bf44d86912e81d

SHA1
30f7fa996e2cd6ec578a7f0a4e323dee14abc5c5

SHA256
c7cec01b6686f0aedd0f4aee41530c3f75d7cd2b081ce2297a049e09462ea410

SHA512
9c2d2a2135da86ed528b5e6989a6324ac22e811348eef92c339d86c194a90baca359b10c0f064e9eb343588448b5ef146ea2527bdcb07dc63e1f6514a11e6d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\NZMSJAPR-20220414-2119a.log.RYK
Filesize
188KB

MD5
73eee30eb21822e49a5eda571e3e3690

SHA1
0a10abef6f523d58147a0b5524f426b88a899c39

SHA256
4b0d5ccf987df704fd96e51e9f8afc82cec893159f3a28e89b586c77d0b4acf8

SHA512
72d76a31aae790b7225b36335722eb45394a4916ddcf443e4cb7337e9a102089bbca2487fa64b446d9fb6e83a2009ce21aeb12fbb4569beca1852758fc1c3d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-3932.log.RYK
Filesize
754B

MD5
8b5e72f4a2808a8d9855183c7fac1939

SHA1
7a661f768bcec9e1e303161a18c8ec9bf813f350

SHA256
492cf70301e713e0936ebfd36115a983509dcefb69f664c93c509d8c6668c833

SHA512
288b62eb754f1f74d440b1f8a1a4984e16e38c3006aaaa76595924840b2512aa678d8af882ba3cebbe17d2cf8eb5ed71acc852c0025779c5b2756940adb894e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log.RYK
Filesize
2KB

MD5
25346685429976a9e0d82aa29fa1e600

SHA1
0c488ec56458dd35c895f4af75fa6a48da7e0b6d

SHA256
25316b6c1e8134d59a83a026a9d84a547d427db5e88f0b0dadee3d679b898ca3

SHA512
5e6950bed461a18db7249340b56b90beac762979199171a973167c9b556b81e8de81eb57600c48d43b3c044c2e7fe646838c14b44438b2a5d3b22dce18a383e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt.RYK
Filesize
2KB

MD5
1d07289db6c1fd188fa3adf986dc54ea

SHA1
67929e01b04e97a0ab7f7d30e415a6d18e295eda

SHA256
b1f994982486d87b8c73a31a4249994128b5b6d788aa5ae7b856630efb5c7757

SHA512
49fccd3f3202d372c76e795e967b9b9e3682cbe1099e3220c622f20e1c72386e846995105c89e571220cbd2c67dc7696177a4609611c7a448e0fc274e2381e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI0665.txt.RYK
Filesize
425KB

MD5
6bd9734feabcdec6c1a941ca1fee5f63

SHA1
6cfeb57d88450281219a02ba582a4e5a64a40172

SHA256
ee385002816ed28b1edae135854d615ffb0b80be39c4ca0553b58612becbc680

SHA512
69ac05dd011b03ffacb7a0e27ae31fa4a7b5a6fef680267de759ce39e0681482628c34119c04f528f645210ef1d22bda88207fb2d8c2e394e09fefb444fd290a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI0665.txt.RYK
Filesize
11KB

MD5
57e03bb07b2c2b9d89b3c3813d13cedb

SHA1
c8767fc094d463990624c579095c501d63710566

SHA256
ec78a704c833727d734fc2f655ff28a7b5a506c29f7755ec73601fddbda10ac6

SHA512
e6073d533f702dfdd6677549843e6350d6ebaf665b8d5a39d5f662b93faf5dfe625cf49a6353a3259e08abf3958861a5f842886be1548de8955937fa614ff0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI0692.txt.RYK
Filesize
11KB

MD5
d806f442cfd10e4b1b11d377fbeb9e3e

SHA1
b800c8c3d2809d9db057d88850e3e3970bd36cb4

SHA256
cbbff73e8a61df34514da3bbc311579fbd3c2d105b4c11ac29f291b4c2fe2376

SHA512
87f977c8bc2c9d3ddbb960f9193f3cb29e2f910e957cf030bb673dd7f949860784436ed44bc58124d3b5a372ca7176e1265a3fd96bce360281b81072ea7777bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\fgLlaTa.exe
Filesize
190KB

MD5
ffef678beca8ee60200bc88809d89630

SHA1
b31070af1ac3e088dfc6f1599f8d12edb1b16783

SHA256
320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689

SHA512
54298098a866e24d99e3764154ae3ca4481e9163fd6e9e0d2c27d7978065a38da38accd58268c985b4ed0cfd4c11a27f4fa51e815c2d7a15e3ec18c453df89c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fgLlaTa.exe
Filesize
190KB

MD5
ffef678beca8ee60200bc88809d89630

SHA1
b31070af1ac3e088dfc6f1599f8d12edb1b16783

SHA256
320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689

SHA512
54298098a866e24d99e3764154ae3ca4481e9163fd6e9e0d2c27d7978065a38da38accd58268c985b4ed0cfd4c11a27f4fa51e815c2d7a15e3ec18c453df89c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log.RYK
Filesize
266KB

MD5
5ef773fb497ffd02a42f120c4a1c9aec

SHA1
aae57b114a074f411550d3295f9e751359ad62a5

SHA256
8821fe08249916b6f5e6ea00808d99a127dc7aeb56fe83364db82c6a13b6e0ae

SHA512
278d9cfc990ecee284865e0a2f22e7b674793256a205514aa60d3cd99e824bfa31724431bee00807db41b9e60c45e935db5de9b21b273e60d0456bc396b3fbcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp605F.tmp.RYK
Filesize
17.0MB

MD5
4d83428fa66dbf96a8a611b1a65bac4b

SHA1
af492468702902541b78329344a00093a90f295d

SHA256
a536665a23c6302e36642a3fa2bf3913dbaa626eda88b3d26a0949085adf7c3f

SHA512
9cba82f12b4fdbe29073ea6e3edcc13b1afc35824b0be26f22a2c6f41516978eeb194989783b70e322ac51308e1796b25090c214561c4d37304d05eb583ca9e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp62E0.tmp.RYK
Filesize
17.0MB

MD5
66e143d0656480ab4c3f0f77302537a3

SHA1
c344931069890dca4d3b291aa45cefaaff209871

SHA256
80f533dfeb607c8ff243994223128424192cfb7d1fc448f89d1ad9f4dcb32a88

SHA512
76c03882997656bc150ac8b6f88d880730071650797ebac610a0c59deb52bb4a4bc5a77a03cfcd027e0ce09eb57377399a77c3eaf0e38cb2b24360f581d248a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp646D.tmp.RYK
Filesize
17.0MB

MD5
f50a8685d51d552f19c2e9811d9dbc62

SHA1
ab18cf2c3763872a5d665b73157663ef1215aef4

SHA256
6ce256449013a4055bd29c9449e9026ac9f9c69cd70efcccc261ceb9b12c61d1

SHA512
21309ab5ac03378b4a04ae89ad1b5dca4f547a1be524f7bb79f94da199c55c5e7171ad46f22fa30234f8feb9484193fae4ca84c4462f723491e5b7cafbd8303a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp66DE.tmp.RYK
Filesize
17.0MB

MD5
3467e887eabee5f00c80cc0a5cdfc5c1

SHA1
d8640934d9fbfe571d78f4f9016c61672f3a5382

SHA256
38a92db7cc9c66ee6c9a788c3ba6a8d3facd2ab0a7a5a4bb6f4979a24ecc61dc

SHA512
20a8ae39b7ff235ab883eca3dcdbfe49a4b4d2fff26ca6f0cfc166c53dd9986e5fa2769737ca573b7502cc5ee0ee6ba14b971e067bfb04fb3c21df237d4ec105

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct70D7.tmp.RYK
Filesize
55KB

MD5
acb8f899f0b9ae9b5026062b84d8f0f0

SHA1
00f2b9c872f368dbebe02b4c8c22e68d12729043

SHA256
f544067792acd13ff0b90c9d38d41353bb40df7534bdca10bc601ee781e6eda2

SHA512
9eb3115fd38a02686390b01d049faae0fec5d476a258620eb34bcd27fffac7010527d06245f3930489901268965d54fea587eecfbb1b24d54f25f64c56c3b12e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log.RYK
Filesize
962B

MD5
40d130a5d3ce655762c84d1537bca566

SHA1
8ee6adfed2f47da077e277af4e7139839245527e

SHA256
4f414f993c1bd6aa6f05752b6ec0966c3ea3c1f04bfab5aa0d768b743e957dd2

SHA512
1ee341a9884a607f9f7166241eaf6bfc13a9d606cf3803519654de7f5d3fde746da99bd40890efed3339162b64925bfe9118ffdf30f642b47e7b14190ff13821

Download Submit
C:\Users\Admin\AppData\Local\TileDataLayer\Database\EDB.chk.RYK
Filesize
8KB

MD5
ed2647a3f7d250bdfdc14db6d4aa451f

SHA1
1a724b6569a468ecce3d7db93dbaffa870c9f283

SHA256
a79e51bfa8fc5ba4bf97784f412e4a98ca811424654bc8625c43c1ee57feb945

SHA512
92d97e305b6229d0d6b8547ec049a69447a09b70eb9603208af1dc5b8379802798b2c725635f551f8cc025ed9a66ba905360c09e79c947fe39bcff3db347eff4

Download Submit
C:\Users\Admin\AppData\Local\TileDataLayer\Database\EDB00001.log.RYK
Filesize
2.0MB

MD5
d3afb69ab1c6c1b5ea3c7410cc71dee6

SHA1
7d60c16ae2fc446761f1e093fa6b9e5ec7c01571

SHA256
fc0e60d7750d3753f8900e4dd83444b07b27787d0872950c2d5a0ee7724dca0a

SHA512
127ede7a61b4f6854a89a254cf1d3eacf04b0a87ad1f744e13fca9e003480f60bdc2e17f6f912c37ef7894f2ec6e7f37a98cd313a26662c51c6bb5eb133ab5f5

Download Submit
C:\Users\Admin\AppData\Local\TileDataLayer\Database\EDBres00001.jrs.RYK
Filesize
2.0MB

MD5
085b64cadd999e5c675e04c65d4597bb

SHA1
60ff2b03d7777b0dedc3a3f356d15ea8099cee64

SHA256
8c5303d8417024555fcb63e2954044782e61a96bc6f1892611e4fe0dd1339c58

SHA512
b0334a150531b96403ddf47751dbef59e367034072ad9ba684954ec0ebcc28260d03226c48ac61e41e822f1e537dd7b68c2f247d52b7cce038bd168e23737438

Download Submit
C:\Users\Admin\AppData\Local\TileDataLayer\Database\EDBres00002.jrs.RYK
Filesize
2.0MB

MD5
504e55377b1b08de6d903f82315df527

SHA1
209863011f1a9dcbeb8673136fa1bc28a4c12d28

SHA256
e412b2dc2e8d36d6ed35c835ffbf66e05735b568bed19278443255b77ee723e4

SHA512
1d7d308a7725a55d9f185536d73fd7243a9440bbae2777c3e32391c7f3eb647c36bf7feba87153baa6caf580f09bba1be9a4d2087818750f07e6f31337e2a9d9

Download Submit
C:\Users\Admin\AppData\Local\TileDataLayer\Database\EDBtmp.log.RYK
Filesize
2.0MB

MD5
1e39128fb95da1279652479deb097b0a

SHA1
cb5ff1e027f45e3cb76469254081d566d465c658

SHA256
0b888ae5f9cd3bb49372fdf986382c7d1ed6ceca2669d96d826d7da73ecd8cf2

SHA512
9a7a3c88c878ab50eed32862b1c0fc56e270730a55294d5387377d0bf828d9ab766ebf03ac1ade8ab8b8a88fa30f0d7034fdd6b4bc606cac89154662089b0af4

Download Submit
C:\Users\Admin\AppData\Local\TileDataLayer\Database\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\TileDataLayer\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
memory/212-401-0x0000000000000000-mapping.dmp

Download
memory/220-422-0x0000000000000000-mapping.dmp

Download
memory/432-437-0x0000000000000000-mapping.dmp

Download
memory/728-238-0x0000000000000000-mapping.dmp

Download
memory/848-345-0x0000000000000000-mapping.dmp

Download
memory/1076-362-0x0000000000000000-mapping.dmp

Download
memory/1104-183-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/1104-171-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/1104-163-0x0000000000000000-mapping.dmp

Download
memory/1104-165-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/1104-166-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/1104-167-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/1104-178-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/1104-168-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/1104-174-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/1104-176-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/1104-177-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/1104-180-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/1104-169-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/1104-186-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/1104-172-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/1204-577-0x0000000000000000-mapping.dmp

Download
memory/1560-426-0x0000000000000000-mapping.dmp

Download
memory/1660-284-0x0000000000000000-mapping.dmp

Download
memory/1704-420-0x0000000000000000-mapping.dmp

Download
memory/1912-182-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/1912-184-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/1912-179-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/1912-175-0x0000000000000000-mapping.dmp

Download
memory/1912-181-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-185-0x0000000000000000-mapping.dmp

Download
memory/2692-136-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-126-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-147-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-148-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-146-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-145-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-143-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-142-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-140-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-139-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-138-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-137-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-144-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-121-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-135-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-134-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-133-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-122-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-141-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-132-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-131-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-130-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-129-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-128-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-127-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-149-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-125-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-124-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-150-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-123-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-120-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-170-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-118-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-151-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-153-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-154-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-152-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-119-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-162-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-161-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-160-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-159-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-158-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-157-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-156-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-155-0x0000000077360000-0x00000000774EE000-memory.dmp

Filesize
1.6MB

Download
memory/2876-285-0x0000000000000000-mapping.dmp

Download
memory/2996-246-0x0000000000000000-mapping.dmp

Download
memory/3552-446-0x0000000000000000-mapping.dmp

Download
memory/3776-291-0x0000000000000000-mapping.dmp

Download
memory/3856-288-0x0000000000000000-mapping.dmp

Download
memory/4056-431-0x0000000000000000-mapping.dmp

Download
memory/5420-574-0x0000000000000000-mapping.dmp

Download
memory/5424-569-0x0000000000000000-mapping.dmp

Download
memory/25716-692-0x0000000000000000-mapping.dmp

Download
memory/26528-701-0x0000000000000000-mapping.dmp

Download
memory/47016-718-0x0000000000000000-mapping.dmp

Download
memory/48300-739-0x0000000000000000-mapping.dmp

Download
memory/67768-759-0x0000000000000000-mapping.dmp

Download
memory/69496-780-0x0000000000000000-mapping.dmp

Download
memory/73976-800-0x0000000000000000-mapping.dmp

Download
memory/75180-821-0x0000000000000000-mapping.dmp

Download
memory/123124-841-0x0000000000000000-mapping.dmp

Download
memory/124000-862-0x0000000000000000-mapping.dmp

Download
memory/141072-882-0x0000000000000000-mapping.dmp

Download
memory/142284-903-0x0000000000000000-mapping.dmp

Download
memory/147764-923-0x0000000000000000-mapping.dmp

Download
memory/148344-944-0x0000000000000000-mapping.dmp

Download
memory/208016-964-0x0000000000000000-mapping.dmp

Download
memory/209900-985-0x0000000000000000-mapping.dmp

Download
memory/221436-1005-0x0000000000000000-mapping.dmp

Download
memory/223748-1026-0x0000000000000000-mapping.dmp

Download
memory/224556-1046-0x0000000000000000-mapping.dmp

Download
memory/227924-1067-0x0000000000000000-mapping.dmp

Download
memory/308192-1169-0x0000000000000000-mapping.dmp

Download
memory/308200-1087-0x0000000000000000-mapping.dmp

Download
memory/308304-1108-0x0000000000000000-mapping.dmp

Download
memory/308356-1149-0x0000000000000000-mapping.dmp

Download
memory/308372-1128-0x0000000000000000-mapping.dmp

Download
memory/308392-1190-0x0000000000000000-mapping.dmp

Download
memory/319388-1210-0x0000000000000000-mapping.dmp

Download
memory/320764-1231-0x0000000000000000-mapping.dmp

Download
memory/345444-1251-0x0000000000000000-mapping.dmp

Download
memory/347092-1272-0x0000000000000000-mapping.dmp

Download
memory/355420-1292-0x0000000000000000-mapping.dmp

Download
memory/357700-1313-0x0000000000000000-mapping.dmp

Download
memory/445516-1333-0x0000000000000000-mapping.dmp

Download
memory/447240-1354-0x0000000000000000-mapping.dmp

Download
memory/463884-1374-0x0000000000000000-mapping.dmp

Download
memory/466136-1395-0x0000000000000000-mapping.dmp

Download
memory/470300-1415-0x0000000000000000-mapping.dmp

Download
memory/471304-1436-0x0000000000000000-mapping.dmp

Download
memory/553072-1456-0x0000000000000000-mapping.dmp

Download
memory/554356-1477-0x0000000000000000-mapping.dmp

Download
memory/579232-1497-0x0000000000000000-mapping.dmp

Download
memory/580548-1518-0x0000000000000000-mapping.dmp

Download
memory/587168-1538-0x0000000000000000-mapping.dmp

Download