ryuk | 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689

Analysis

max time kernel
795s
max time network
1214s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
06-05-2022 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
Size

190KB
MD5

ffef678beca8ee60200bc88809d89630
SHA1

b31070af1ac3e088dfc6f1599f8d12edb1b16783
SHA256

320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689
SHA512

54298098a866e24d99e3764154ae3ca4481e9163fd6e9e0d2c27d7978065a38da38accd58268c985b4ed0cfd4c11a27f4fa51e815c2d7a15e3ec18c453df89c3

Score

10^/10

ryuk discovery persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> monsbumide1974@protonmail.com <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

monsbumide1974@protonmail.com

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note

monsbumide1974@protonmail.com balance of shadow universe Ryuk

Emails

monsbumide1974@protonmail.com

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops file in Drivers directory 9 IoCs

Processes:

320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\drivers\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe

Executes dropped EXE 1 IoCs

Processes:

VENTLbu.exe

pid process

1184 VENTLbu.exe

pid	process
1184	VENTLbu.exe

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ApproveWrite.png.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Users\Admin\Pictures\ClearComplete.png.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Users\Admin\Pictures\ConfirmTrace.tif.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Users\Admin\Pictures\DenyResume.raw.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Users\Admin\Pictures\MovePublish.tiff.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Users\Admin\Pictures\WatchImport.png.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exeVENTLbu.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	VENTLbu.exe

Drops startup file 2 IoCs

Processes:

320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exe

pid process

3120 icacls.exe
2804 icacls.exe
2388 icacls.exe
4528 icacls.exe

pid	process
3120	icacls.exe
2804	icacls.exe
2388	icacls.exe
4528	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VENTLbu.exe"	reg.exe

Drops file in System32 directory 64 IoCs

Processes:

320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmnttd6.inf_amd64_28e2bee7229aaf9f\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Dism\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAny\de-DE\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmmod.inf_amd64_51d6c57c66e3de87\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\nulhprs8.inf_amd64_e65ae5a38cb839e5\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\tsgenericusbdriver.inf_amd64_bcfa5f586783921d\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAny\en-US\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WindowsOptionalFeature\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\flpydisk.inf_amd64_acb1691126c93472\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\net8185.inf_amd64_7a30f5a9441cd55b\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\fr\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0006\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\c_diskdrive.inf_amd64_1debcd2bd95e9c0c\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\c_mouse.inf_amd64_822333b41326bc2f\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mvumis.inf_amd64_f0f4d0c799bb854a\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\sdbus.inf_amd64_55c0c78952233d0c\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\umpass.inf_amd64_3daa9a904daf9501\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\bthleenum.inf_amd64_11f9ff6c12dbf9b5\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\spp\tokens\legacy\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedAccess\fr-FR\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PrintManagement\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_PackageResource\ja-JP\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netvg63a.inf_amd64_9f5493180b1252cf\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\sr-Latn-RS\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WCN\de-DE\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\VpnClient\fr-FR\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\MUI\0409\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\fr\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\bthmtpenum.inf_amd64_3abc48e730d08fde\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\c_netdriver.inf_amd64_2d569d832b41b8df\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\c_scsiadapter.inf_amd64_efffb8c026d3abc5\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netwtw04.inf_amd64_c8f5ae6576289a2d\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0015\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\VoiceActivation\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\es-ES\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\Dism\en-US\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmnttme.inf_amd64_edc94fc65bef3d27\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\winusb.inf_amd64_ced441476847bd1a\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\Licenses\neutral\Volume\Professional\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\MUI\0C0A\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\Professional\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\sysprep\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCClassResources\WindowsPackageCab\ja-JP\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\c_cdrom.inf_amd64_f08f2fe1cde58aef\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\c_fshsm.inf_amd64_48c6ccb73844d3bb\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wvmic_timesync.inf_amd64_aa4bfe1897922114\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\OEM\Professional\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\en-US\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\it-IT\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMETC\applets\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SecureBoot\ja-JP\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmneuhs.inf_amd64_eb59a40d88060ada\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\miradisp.inf_amd64_14cd3615d012fdf0\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\rtwlanu_oldic.inf_amd64_1a82423cc076e882\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_PackageResource\de-DE\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SysWOW64\Configuration\BaseRegistration\it-IT\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hidvhf.inf_amd64_0a924aec7600dcde\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe

Drops file in Program Files directory 64 IoCs

Processes:

320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\en-US\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\ui-strings.js	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sv-se\ui-strings.js	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ppd.xrm-ms	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-24.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Exchange.scale-400.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalStoreLogo.scale-100_contrast-white.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\1850_24x24x32.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarWideTile.scale-125.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\ui-strings.js	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ms.pak.DATA	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\INDUST.INF	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageWideTile.scale-125_contrast-black.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\CardViewIcon.png.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ka.pak.DATA.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\LargeTile.scale-100.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SmallTile.scale-200_contrast-black.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-gb\ui-strings.js.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUAI.TTF	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\Weather_TileLargeSquare.scale-100.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeBadge.scale-400.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\officemui.msi.16.en-us.tree.dat	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\WinMetadata\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\SmallTile.scale-125.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\AboutAdsCoreBackgroundImage.jpg	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\archives\data-80bd83b592567d50f84a26711cad1cf82f4057f1.archive	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\SmallTile.scale-200.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\tr-tr\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Grace-ul-oob.xrm-ms.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\5.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-oob.xrm-ms.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ca-es\ui-strings.js.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ga.pak.DATA	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ppd.xrm-ms.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\organize.svg.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ca-es\ui-strings.js.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ppd.xrm-ms	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUABI.TTF	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSYH.TTC	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons.png.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ui-strings.js.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\PipelineSegments.store.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ul-oob.xrm-ms.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxMediumTile.scale-200.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-20_altform-lightunplated.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\fillandsign.svg	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-oob.xrm-ms	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ppd.xrm-ms	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-200_contrast-white.png	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Shell\Themes\Glyphs\Font\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ul-oob.xrm-ms.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.dcfmui.msi.16.en-us.xml.RYK	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe

Drops file in Windows directory 64 IoCs

Processes:

320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-dui70_31bf3856ad364e35_10.0.19041.1_none_0da5bd549d784d72\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-refs-v1.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_a3de15efea23fbeb\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..languages.resources_31bf3856ad364e35_10.0.19041.1_ru-ru_b1ef3035e92014fd\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.EnterpriseServices.Resources\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Utility.Activities.Resources\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_mdmmct.inf_31bf3856ad364e35_10.0.19041.1_none_0faec8e499c4bced\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-n..vicediscovery-dnssd_31bf3856ad364e35_10.0.19041.264_none_01f2e2aa5606795f\r\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..providers.resources_31bf3856ad364e35_10.0.19041.1_en-us_1214973364835641\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..languages.resources_31bf3856ad364e35_10.0.19041.906_cs-cz_4dab4dea707205cc\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-w..brary-mof.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_7a5870a2fee36d2d\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-uiribbon.resources_31bf3856ad364e35_10.0.19041.1_es-es_8d91c95bbe1a8034\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\Setup\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-aclui.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_9a45b49543424403\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-csvde.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_f523558981391b45\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-webp-image-codec_31bf3856ad364e35_10.0.19041.1_none_ca40592d43fff327\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Workflow.Activities.resources\v4.0_4.0.0.0_de_31bf3856ad364e35\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-onecore-m..lnamespaceextension_31bf3856ad364e35_10.0.19041.1266_none_42492ae9d3482ca4\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-d..de-others.resources_31bf3856ad364e35_10.0.19041.1_en-us_16004d105fb45482\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-w..vider-dll.resources_31bf3856ad364e35_10.0.19041.1_es-es_113f3110881877d4\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-winsrv.resources_31bf3856ad364e35_10.0.19041.1_en-us_f3ba4d44a3c97f27\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-network-qos-traffic_31bf3856ad364e35_10.0.19041.1_none_2c4545e51e4294f6\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-ie-f12app_31bf3856ad364e35_11.0.19041.746_none_3439cbf8eff84ce1\f\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_c_fscopyprotection.inf.resources_31bf3856ad364e35_10.0.19041.1_es-es_92fa4602ba8a030e\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_c_fssystem.inf.resources_31bf3856ad364e35_10.0.19041.1_es-es_77050b0c05a75a51\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..aging-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_07f89a321fd4ddc3\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..lservices-workspace_31bf3856ad364e35_10.0.19041.746_none_aee84b36b8ee0f17\r\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-d..opactivitybrokerapi_31bf3856ad364e35_10.0.19041.1202_none_fc9cc421373d9596\f\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..icate-policy-engine_31bf3856ad364e35_10.0.19041.610_none_438b584092caa8f5\f\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_msports.inf.resources_31bf3856ad364e35_10.0.19041.1_es-es_bdc8d849d2bb38a3\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-s..dlinetool.resources_31bf3856ad364e35_10.0.19041.1_es-es_c60e67f54a332964\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..-credprov.resources_31bf3856ad364e35_10.0.19041.1_en-us_d35b26ed12bb754b\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-f..-heap-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_8956a7c3a5a75e8f\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-h..lient-wmi.resources_31bf3856ad364e35_10.0.19041.1_en-us_a685036ba64de887\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-mskeyprotcli-dll_31bf3856ad364e35_10.0.19041.423_none_a674d42538bb790e\r\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..ce-radcui.resources_31bf3856ad364e35_10.0.19041.1_it-it_daef9a977620c24a\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-w..nkobjcore.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_a5fc5e0e1e575686\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-i..on-aad-wamextension_31bf3856ad364e35_10.0.19041.1151_none_e89716a29031b44a\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy\pris\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_hyperv-hvsocketapi_31bf3856ad364e35_10.0.19041.546_none_017fe414680118f2\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..icenseserver-tlsapi_31bf3856ad364e35_10.0.19041.1_none_dcf02542119e56c8\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-wlangpclient_31bf3856ad364e35_10.0.19041.488_none_96754d2c2f87291c\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-wpd-mtpclassdriver_31bf3856ad364e35_10.0.19041.1_none_87aa921a3989f96a\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_netl1e64.inf.resources_31bf3856ad364e35_10.0.19041.1_de-de_05496b1b92e16436\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-c..plus-setup-migregdb_31bf3856ad364e35_10.0.19041.1_none_ed965939376efbbf\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f9a5e83#\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_wstorvsp.inf_31bf3856ad364e35_10.0.19041.985_none_9ec3d9e91b3d1b4c\r\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-analog-h2-hydrogenrt_31bf3856ad364e35_10.0.19041.1288_none_6a70c7f973424381\f\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-i..egacyshim.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_863cba32dfc9d495\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..g-cmdlets.resources_31bf3856ad364e35_10.0.19041.1_es-es_36cc4a9d88c57077\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-hvsi-manager_31bf3856ad364e35_10.0.19041.746_none_f0689b1a058a1f82\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-i..o5-codecs.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_87f61464c6845a32\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\monaco-editor\min\vs\base\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_net44amd.inf_31bf3856ad364e35_10.0.19041.1_none_6e2116dc714fa3ac\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_vhdmp.inf_31bf3856ad364e35_10.0.19041.1266_none_03961fc5aec657fa\f\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_wcf-system.servicemodel.ref_b03f5f7f11d50a3a_10.0.19041.1_none_6216fa95ee562cb8\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-c..ement-wmi.resources_31bf3856ad364e35_10.0.19041.1_de-de_568cc9805fdef689\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-powercpl_31bf3856ad364e35_10.0.19041.1_none_2226aad147f68c44\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\de\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-d..nt-winproviders-ibs_31bf3856ad364e35_10.0.19041.746_none_bfb4eba6b9f575a5\r\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-waitfor_31bf3856ad364e35_10.0.19041.1_none_76ab6db74ef1e15e\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\UIAutomationTypes.Resources\3.0.0.0_it_31bf3856ad364e35\RyukReadMe.html	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exeVENTLbu.exe

pid	process
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
1184	VENTLbu.exe
1184	VENTLbu.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
1184	VENTLbu.exe
1184	VENTLbu.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
1184	VENTLbu.exe
1184	VENTLbu.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
1184	VENTLbu.exe
1184	VENTLbu.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
1184	VENTLbu.exe
1184	VENTLbu.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
1184	VENTLbu.exe
1184	VENTLbu.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
1184	VENTLbu.exe
1184	VENTLbu.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
1184	VENTLbu.exe
1184	VENTLbu.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
1184	VENTLbu.exe
1184	VENTLbu.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
1184	VENTLbu.exe
1184	VENTLbu.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
1184	VENTLbu.exe
2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exeVENTLbu.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
Token: SeBackupPrivilege	1184	VENTLbu.exe
Token: SeIncreaseQuotaPrivilege	1116	WMIC.exe
Token: SeSecurityPrivilege	1116	WMIC.exe
Token: SeTakeOwnershipPrivilege	1116	WMIC.exe
Token: SeLoadDriverPrivilege	1116	WMIC.exe
Token: SeSystemProfilePrivilege	1116	WMIC.exe
Token: SeSystemtimePrivilege	1116	WMIC.exe
Token: SeProfSingleProcessPrivilege	1116	WMIC.exe
Token: SeIncBasePriorityPrivilege	1116	WMIC.exe
Token: SeCreatePagefilePrivilege	1116	WMIC.exe
Token: SeBackupPrivilege	1116	WMIC.exe
Token: SeRestorePrivilege	1116	WMIC.exe
Token: SeShutdownPrivilege	1116	WMIC.exe
Token: SeDebugPrivilege	1116	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1116	WMIC.exe
Token: SeRemoteShutdownPrivilege	1116	WMIC.exe
Token: SeUndockPrivilege	1116	WMIC.exe
Token: SeManageVolumePrivilege	1116	WMIC.exe
Token: 33	1116	WMIC.exe
Token: 34	1116	WMIC.exe
Token: 35	1116	WMIC.exe
Token: 36	1116	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1116	WMIC.exe
Token: SeSecurityPrivilege	1116	WMIC.exe
Token: SeTakeOwnershipPrivilege	1116	WMIC.exe
Token: SeLoadDriverPrivilege	1116	WMIC.exe
Token: SeSystemProfilePrivilege	1116	WMIC.exe
Token: SeSystemtimePrivilege	1116	WMIC.exe
Token: SeProfSingleProcessPrivilege	1116	WMIC.exe
Token: SeIncBasePriorityPrivilege	1116	WMIC.exe
Token: SeCreatePagefilePrivilege	1116	WMIC.exe
Token: SeBackupPrivilege	1116	WMIC.exe
Token: SeRestorePrivilege	1116	WMIC.exe
Token: SeShutdownPrivilege	1116	WMIC.exe
Token: SeDebugPrivilege	1116	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1116	WMIC.exe
Token: SeRemoteShutdownPrivilege	1116	WMIC.exe
Token: SeUndockPrivilege	1116	WMIC.exe
Token: SeManageVolumePrivilege	1116	WMIC.exe
Token: 33	1116	WMIC.exe
Token: 34	1116	WMIC.exe
Token: 35	1116	WMIC.exe
Token: 36	1116	WMIC.exe
Token: SeBackupPrivilege	4288	vssvc.exe
Token: SeRestorePrivilege	4288	vssvc.exe
Token: SeAuditPrivilege	4288	vssvc.exe
Token: SeBackupPrivilege	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
Token: SeIncreaseQuotaPrivilege	1988	WMIC.exe
Token: SeSecurityPrivilege	1988	WMIC.exe
Token: SeTakeOwnershipPrivilege	1988	WMIC.exe
Token: SeLoadDriverPrivilege	1988	WMIC.exe
Token: SeSystemProfilePrivilege	1988	WMIC.exe
Token: SeSystemtimePrivilege	1988	WMIC.exe
Token: SeProfSingleProcessPrivilege	1988	WMIC.exe
Token: SeIncBasePriorityPrivilege	1988	WMIC.exe
Token: SeCreatePagefilePrivilege	1988	WMIC.exe
Token: SeBackupPrivilege	1988	WMIC.exe
Token: SeRestorePrivilege	1988	WMIC.exe
Token: SeShutdownPrivilege	1988	WMIC.exe
Token: SeDebugPrivilege	1988	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1988	WMIC.exe
Token: SeRemoteShutdownPrivilege	1988	WMIC.exe
Token: SeUndockPrivilege	1988	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exenet.exenet.exeVENTLbu.execmd.exenet.execmd.exe

description	pid	process	target process
PID 2544 wrote to memory of 1184	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	VENTLbu.exe
PID 2544 wrote to memory of 1184	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	VENTLbu.exe
PID 2544 wrote to memory of 1184	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	VENTLbu.exe
PID 2544 wrote to memory of 2328	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	sihost.exe
PID 2544 wrote to memory of 4684	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	net.exe
PID 2544 wrote to memory of 4684	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	net.exe
PID 2544 wrote to memory of 4684	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	net.exe
PID 4684 wrote to memory of 3004	4684	net.exe	net1.exe
PID 4684 wrote to memory of 3004	4684	net.exe	net1.exe
PID 4684 wrote to memory of 3004	4684	net.exe	net1.exe
PID 2544 wrote to memory of 3732	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	net.exe
PID 2544 wrote to memory of 3732	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	net.exe
PID 2544 wrote to memory of 3732	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	net.exe
PID 3732 wrote to memory of 2368	3732	net.exe	net1.exe
PID 3732 wrote to memory of 2368	3732	net.exe	net1.exe
PID 3732 wrote to memory of 2368	3732	net.exe	net1.exe
PID 2544 wrote to memory of 2348	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	svchost.exe
PID 2544 wrote to memory of 2472	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	taskhostw.exe
PID 2544 wrote to memory of 3080	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	svchost.exe
PID 2544 wrote to memory of 3280	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	DllHost.exe
PID 2544 wrote to memory of 3368	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	StartMenuExperienceHost.exe
PID 2544 wrote to memory of 3444	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	RuntimeBroker.exe
PID 2544 wrote to memory of 3524	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	SearchApp.exe
PID 2544 wrote to memory of 3668	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	RuntimeBroker.exe
PID 2544 wrote to memory of 3536	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	RuntimeBroker.exe
PID 2544 wrote to memory of 1712	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	backgroundTaskHost.exe
PID 2544 wrote to memory of 1800	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	backgroundTaskHost.exe
PID 2544 wrote to memory of 4576	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	RuntimeBroker.exe
PID 1184 wrote to memory of 3120	1184	VENTLbu.exe	icacls.exe
PID 1184 wrote to memory of 3120	1184	VENTLbu.exe	icacls.exe
PID 1184 wrote to memory of 3120	1184	VENTLbu.exe	icacls.exe
PID 1184 wrote to memory of 2804	1184	VENTLbu.exe	icacls.exe
PID 1184 wrote to memory of 2804	1184	VENTLbu.exe	icacls.exe
PID 1184 wrote to memory of 2804	1184	VENTLbu.exe	icacls.exe
PID 1184 wrote to memory of 3724	1184	VENTLbu.exe	cmd.exe
PID 1184 wrote to memory of 3724	1184	VENTLbu.exe	cmd.exe
PID 1184 wrote to memory of 3724	1184	VENTLbu.exe	cmd.exe
PID 3724 wrote to memory of 1116	3724	cmd.exe	WMIC.exe
PID 3724 wrote to memory of 1116	3724	cmd.exe	WMIC.exe
PID 3724 wrote to memory of 1116	3724	cmd.exe	WMIC.exe
PID 1184 wrote to memory of 4568	1184	VENTLbu.exe	net.exe
PID 1184 wrote to memory of 4568	1184	VENTLbu.exe	net.exe
PID 1184 wrote to memory of 4568	1184	VENTLbu.exe	net.exe
PID 4568 wrote to memory of 1308	4568	net.exe	net1.exe
PID 4568 wrote to memory of 1308	4568	net.exe	net1.exe
PID 4568 wrote to memory of 1308	4568	net.exe	net1.exe
PID 2544 wrote to memory of 2388	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	icacls.exe
PID 2544 wrote to memory of 2388	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	icacls.exe
PID 2544 wrote to memory of 2388	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	icacls.exe
PID 2544 wrote to memory of 4528	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	icacls.exe
PID 2544 wrote to memory of 4528	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	icacls.exe
PID 2544 wrote to memory of 4528	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	icacls.exe
PID 2544 wrote to memory of 692	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	cmd.exe
PID 2544 wrote to memory of 692	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	cmd.exe
PID 2544 wrote to memory of 692	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	cmd.exe
PID 2544 wrote to memory of 3156	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	net.exe
PID 2544 wrote to memory of 3156	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	net.exe
PID 2544 wrote to memory of 3156	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	net.exe
PID 2544 wrote to memory of 3596	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	cmd.exe
PID 2544 wrote to memory of 3596	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	cmd.exe
PID 2544 wrote to memory of 3596	2544	320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe	cmd.exe
PID 692 wrote to memory of 1988	692	cmd.exe	WMIC.exe
PID 692 wrote to memory of 1988	692	cmd.exe	WMIC.exe
PID 692 wrote to memory of 1988	692	cmd.exe	WMIC.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2348

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3444

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1712

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4576

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:1800

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3536

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3668

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3524

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3368

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3080

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2472

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2328

C:\Users\Admin\AppData\Local\Temp\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
"C:\Users\Admin\AppData\Local\Temp\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544

C:\Users\Admin\AppData\Local\Temp\VENTLbu.exe
"C:\Users\Admin\AppData\Local\Temp\VENTLbu.exe" 8 LAN
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:3120

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:2804

C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
3⤵
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:4568

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VENTLbu.exe" /f /reg:64
3⤵
PID:15832

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VENTLbu.exe" /f /reg:64
4⤵
- Adds Run key to start application
PID:18144

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:54112

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:54620

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:120592

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:120784

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:210024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:210232

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:242592

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:242640

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:245696

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:245752

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:249748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:250140

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:346588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:347384

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:485848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:485960

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:506224

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:506308

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:512884

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:512988

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:533228

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:533288

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:555052

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:555136

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:570872

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:570920

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:574312

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:574400

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:604900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:605296

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:621928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:622016

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:649360

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:649416

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:673176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:673268

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:726160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:726220

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:758372

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:758428

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:787796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:787888

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:820376

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:820444

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:856848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:856948

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:874944

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:874996

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:891968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:892056

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:892252

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:892308

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:892500

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:892556

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:897588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:897324

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:910140

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:910220

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:932876

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:932964

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:961000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:961088

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:990280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:990344

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:1.03078e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1.030856e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:1.084728e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1.084844e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:1.1229e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1.122976e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4684

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3004

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2368

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2388

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4528

C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
2⤵
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:3156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe" /f /reg:64
2⤵
PID:3596

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe" /f /reg:64
3⤵
- Adds Run key to start application
PID:3332

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:42768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:43084

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:69164

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:69608

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:109556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:110004

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:135640

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:136432

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:201656

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:202088

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:227368

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:228300

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:242020

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:242068

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:202996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:242636

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:245604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:245656

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:245964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:246012

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:249764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:250128

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:260856

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:261288

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:347028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:347440

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:363316

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:363376

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:485864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:485952

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:486088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:486132

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:506272

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:506340

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:506276

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:506336

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:512924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:512996

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:513224

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:513272

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:533280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:533340

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:535916

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:535968

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:555100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:555180

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:555348

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:555392

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:570952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:570996

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:554792

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:570920

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:570996

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:574364

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:574432

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:574564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:574612

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:605304

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:605384

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:606588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:607000

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:621976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:622048

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:624452

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:624728

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:649432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:649480

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:651580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:651636

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:673208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:673300

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:673256

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:612440

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:726232

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:726288

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:727612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:727672

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:758448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:758500

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:760012

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:760060

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:787828

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:787916

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:789088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:789168

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:820452

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:820532

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:822172

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:822232

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:856888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:856980

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:857468

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:857516

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:875008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:875064

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:875280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:875332

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:892008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:892080

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:892104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:892156

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:892332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:892380

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:892400

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:892444

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:892572

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:892624

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:892644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:892692

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:897236

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:897536

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:897272

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:898016

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:910184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:910256

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:910152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:910164

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:932908

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:932988

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:933548

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:933684

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:961032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:961108

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:961164

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:961292

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:990368

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:990420

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:990484

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:990552

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.030832e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.03092e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.030888e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.030956e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.084788e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.084912e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.084776e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.084948e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.122984e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.123108e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.122968e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.123092e+06

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4288

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\IconCache.db.RYK
Filesize
9KB

MD5
20c0b72579fb0ca3b84d919bd1277801

SHA1
e076b34b28f190a98481591d8d5befef82272143

SHA256
659420a34c441b2cb66ff47daa7cc390e6df2a9eecec89c5c1fce3ca8aac8ee7

SHA512
4df7db1d0e7fc040c67e1fc70b0ccac428e229ca33da1d1636ac6ca70fe8a74642bc8067d94b562e390a5ea88a5b8b02b1366e9a74adc2862d058944d63336dd

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_20e30e2f-4677-4eb9-89e6-7dd1fd044635
Filesize
52B

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\.oracle_jre_usage\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\3D Objects\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst.RYK
Filesize
1KB

MD5
1a6d3451d60ce1bb28632ae611350527

SHA1
2de0afec555ef5db0ee52cf8bce8aaf1cfe6c91f

SHA256
464f214e92e9992c085d8ca45f8f60e872a9f9c0927e3d4a16fcc0e6f752bf29

SHA512
ae7ba6fce315252b169662f9f9cb0306c1379177f3f96a3586eb68fa6f5956b3f3003719a4a168f97a945e7e2c7b87f67ce1d8763a867db2e9b3b41bda6bd5b0

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst.RYK
Filesize
80KB

MD5
9098bd9a9155647216d81d16761e27d9

SHA1
a9011cf52e92453dc009474872df9a370c6b5cb6

SHA256
95fb803943ad457c7cec764c4fe3eba1d405547fe8774cc3d63085c5dae6fe07

SHA512
64cf2fe62305a29e2ad5d253b4e9faad944db617226ebfde9ae43f5bb2f34517ed639531f2166cd367e2a2830323ff0c650102cf9f07c9e9afd949ce87656924

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt19.lst.RYK
Filesize
9KB

MD5
3aafe9724b89c377789007a039adf026

SHA1
98ababde526e243ff8c76a509ecd16ee24d81bd9

SHA256
783f4a0eec735a911db86e548e2e4da1e88330cec235a9b6c284a91e6c265748

SHA512
7a27d9070c99e8c6bfd7b6c122f7410e5b1da446da076a0f21b92bc76290cf2bb8e825251b7aa5626e18ad56cb1e3293cf7677315050a4b63bc532c6c320fd1a

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat.RYK
Filesize
68KB

MD5
f51c2f31ef4b47191f3e002ca19e2888

SHA1
4e575c28cfbd5d6904faeed60fff598cb3bb37dc

SHA256
2d0a9a1bd0d5f093571e838ce4acf57b36f20fe2796a64f5015fdb76102d2e64

SHA512
009ce5d1d3ecf32ed571666140fb3d0afca69859a31f902b4b05ef4ade2599075b015f21be5cb33175d727254998c190dc2748d9e5ff878a84fbe131ba0500a8

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK
Filesize
12KB

MD5
9272b339a1b04764c2417d36f5edb97a

SHA1
7bfa9190c8c5fa7b75f928f01b6b5b540e5609ad

SHA256
20b1b4fdd8992a3331488504940efb9a4982e206e8385b59370a8e88ea1a9234

SHA512
f47b43df6fceab8099306048d4c8cb00aa36d114678ba4d36b046794ee669a4dd5d42b82c73be9c5837b943b511ac167e933ec1963e2e8e33a32a6b2676e7155

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\ToolsSearchCacheRdr\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK
Filesize
32KB

MD5
71dd71ce5400fa2647865d3fdd8b709a

SHA1
b4404ccb90200cfeb7689ff27be5439b06171d7d

SHA256
3b81cc15c9656c403ac74f2f3d008c7d4010f769c094e857a2e9b5200dd17636

SHA512
002fbe300ec6b808c989909da60d6a92c7c1371ced360e740951a6dcfd393b3302f6a1d5fc4f66eb99f28395f8acbaad9002d4844ae4250c7c80a20d59ce53b3

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK
Filesize
1KB

MD5
902a06cddd33a00a02254c8d0dcca3bb

SHA1
7aae4fd033deda424970de097663017848354e9f

SHA256
e22554923811171e9f9c5d816881059d6a7fe5397a1006230293675e824a26ba

SHA512
6de5676b4fa075062b09852194b494e0a676ddeaeac8ba7ab989f2d071af59138d395e604af3a354506d783c60d7e949c7132d45444dfc4a3574d12de8bfe4e7

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
Filesize
2KB

MD5
ed74e81619458bfe0fe7a396d4f57c3d

SHA1
485c2a2f53d480f1bc7865224c855abcd5d53ce4

SHA256
37e88ddeaedcdb90a3d8c720a3184295dddc69fe5dec09f7bf1b31f0bf42068a

SHA512
b78559bad2d95bc3b44e3510114f278e038969250bd379effcc55a00fab7abc651aae9cc9d7c80d93e3dd277148fdda5c9311fad04ee890326c007d38090d372

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
Filesize
64KB

MD5
4fbedc0a663065f6ec8b96a0f7651e55

SHA1
0e51b2cd034adae5e75326c86be570b9202a8a02

SHA256
01012de99a83176b9fc93bbf640bf91988a6d0ce028f599acfd3a6604833bac1

SHA512
25484587310633b7d959073d17b203d8ee8750044f201843922672e8a18a5460bd6dfa83784efc1202d8a29c53d2584b87529a94fbac6de78e61e3a594e18b91

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Adobe\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Comms\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jcp.RYK
Filesize
8KB

MD5
77932f4fe7e599a9dd0b240e78025050

SHA1
6cffa7432dc6f60f9515d12f57a38d015265d02d

SHA256
5bb9b777c8d0343bd57eda1868d3e79e3f13962b049a50455ba1042a330fc01c

SHA512
e1a7ac82e8e129a26124f06666456a7199ac2080c66bec87c9559d0d0fa7cdf41463fbaf72a0bb29e17fdf5c483923fbaf15bbd1dee829bf50aafe235429ff87

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jtx.RYK
Filesize
3.0MB

MD5
bc9741b16ca3dab6df7f8410035f4372

SHA1
8504f23e89170e2c98c5ff9350d891e4e1cc249c

SHA256
fe2bfb93bf18be88e0d60c13b5ab85052c3946baf485e27458156f74fc1e36b9

SHA512
9681979176178649e4db4db80b87637af44b90fd1343a099290aee46caf7e95eb69574aeaf47bbdcab7a65ee10f861f29ebdb7fb20059f378968a511731ce5dd

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USSres00001.jrs.RYK
Filesize
3.0MB

MD5
55094fc304b4d2ff70543fac0ef970de

SHA1
cab519c651c93faf4b176af94f5ce24bf6b384eb

SHA256
354a9fb59d0cacebe3758067e0fe7954222c224809459795310de8d61728ae0a

SHA512
1251f7a5e6f790ccb81fc5eaf1034b4db3136dcf5b317a4c0057d20312acd9c094e4f3485c9dccc71d10df4700422d771e9149788eacc59043526917b90569c5

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USSres00002.jrs.RYK
Filesize
3.0MB

MD5
1c0c57e36af794220b2c1b269704b5f4

SHA1
236fab492bcaab40ecfbd83de9c97fa7f3d19bcd

SHA256
76ff6e7c1cbb60da06ecf10bb822ca7342a3a2cd37b5092936f45c7fb50b8288

SHA512
9c8b1b753f2f0a9de4f9fede87d062774a5cae4ce27ff5a8631300081d08f13eaf8b203095c0f1a5403d4cadbc8b4180b827ac90a79017dadfcb41a6660d082a

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USStmp.jtx.RYK
Filesize
3.0MB

MD5
70fa4409530273d35408694c85d6ab8e

SHA1
c1d85ff1187ccd0641878aac7df04a244eec2d30

SHA256
ac1660e01a422dfc7424a5d51316670f722448699b20f90ee436b35263dbc884

SHA512
9670ab3c25719603d0ca9fcd745b1bfcad050208ce9bdbb540edf5d3a174dc80a78283bc4acae765c639ed2cf078e58f367d0a5cb86b6f5afb5201d2d370fe43

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm.RYK
Filesize
16KB

MD5
905bcc276df5c00ccecc66115d66a7e4

SHA1
64b568197b3d093204dc63e5e08893622677bf8a

SHA256
e695988c63d5563d35fb2fd2bf6dfa4033e94f5c6319b40906e2f8fc67bf7b03

SHA512
5d27cf1b644ccf8b1d35f2df7688fe1a9c36d98d07f98597bfecb0a9f7d26c3fb41f8ac4ee4a3b8cd811419bbb00df3e02aa819c0ac22e6fe934184354605768

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.vol
Filesize
6.0MB

MD5
a024d074ca5138506a7bfeaad826d1a4

SHA1
ea7554e4153070b4f4595a6d41a13f3e6b3ef15f

SHA256
7ac79802a13dece3492578c0eee97113dcde5ffb2b4c0f4234f28ba045b5caad

SHA512
d24f67fd6aacfe62f56e398a348766b7c0b62d5f6e5baf266e1680572dc8874b81eb311e10606f42797f9336755c329cda36c1801dbada948dd429905d33b298

Download Submit
C:\Users\Admin\AppData\Local\Comms\Unistore\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Comms\Unistore\data\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Comms\Unistore\data\temp\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin.cdp.RYK
Filesize
1KB

MD5
b810bbf8f83b9e39c6e1368748301815

SHA1
c16310538e77966a0470da63aeb409b6f2db61a0

SHA256
1dd002556e722c3f4400e5e7a39dd61b3288b3f4f969ca19564234e825559b4f

SHA512
2423d28bcb1cfb1cddb953c477d3aca3a0c9b577f01c991cffa92c581aabc27ab07cf453bb271a6f0afd8b7dcf3762fdce63db733cfe6a293a7c2c7f4050f9d3

Download Submit
C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Google\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Credentials\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons
Filesize
20KB

MD5
1273dd98076c0aaec0a2a8b3b407900b

SHA1
83e805247de5bbe590998cc33172bc7bc7604cf1

SHA256
f8391edb02cc4c3452f5bc0c7bb82e32fe685c9187ab8cabf659dfa4cfe622c1

SHA512
16944b0f9c693862949e95f9722eb47ff31bcbfa03343e9253cb7069b5114db985b9aadf40364892fc503a093ba4820104bf1a061d98b2f1f7dd207aa6941a22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
Filesize
124KB

MD5
1c13cdb13c190133356f5b96bedd2b0c

SHA1
130cc1033fe96a9cd0717c60d4d45bf77eccb9e0

SHA256
f3a6c25fd1ad2bdb25f9561b1fd8d866fb3428eaca0ff0e42e33a28b890c347f

SHA512
4aeaa44cc64c199daf16cfe95a5c37351a7bc001e1b35346b6315e2b6bd6963bb4eb754cc20cdb07b0ef1a39fceb5de80ee51a27a41bbbc4abe9b196e423239d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Filesize
48KB

MD5
ebf7c1d7c423e777706630cfa778168a

SHA1
3053b0fd3a43668786f9812cc685bf7f0616c723

SHA256
628bd330103eb3379525769ca46f93370a3956ff72af54bf67aeac03e0ed43c3

SHA512
3f498aa96bed5f00d6917d74c69a54f0d20a74124dfbc0cf7c66b989e1922328ff1b50f20abac59c75c6a034fe0b6264041482f68aa000b0f06fbedad23596a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\README.RYK
Filesize
466B

MD5
ed1fc9ccf636cb59499fa3862bf68f22

SHA1
33e54aae98e37fac634791fce2c52ee5e301973d

SHA256
6892fabdcf2f7193493dfd647147b26b921b71eae879f95aa9b7c0a8b60dff98

SHA512
64c6e4476b0e82c572113551a8328d0ec9de41c0e68bec371275415309022c212cd497d609b3fd2051f2d69fa72b6e7ca191076a622c4fe59c9a02edea19ee66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
Filesize
112KB

MD5
ebfa8affdd3dc3a382f498704c15e3b6

SHA1
4ae99b877cfb3149b41d1fa7515d2f9eaf7bd432

SHA256
80612eec515e2e9efaf23cbaabf13eb87847c83264e9f50db234a70664f5828c

SHA512
4048bb442e9df25d57f916f496c3d38c7bf6c729f92584d86d7a678c0ce9ef90cf02162aa6a83daaec1d078b3be48ef1f258bac2032613a97139b5fd5dcdda79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State.RYK
Filesize
3KB

MD5
934b0762e5f9f638eeca975706a733ea

SHA1
a3b3f471d2ed3361dd07ce18a0a8fdcfe9bf29be

SHA256
8d273aba186a8b299a5f9f74958f4454d146cbabdf91589fd3dad521c9859a8e

SHA512
fd301c578906efecde7bd421bf36f920322ece76610476ca267192203a8ea83136f26b3bec47c65687e3940e12e5d7db161571dc5f363b641b523d397538b3d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Publishers\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log.RYK
Filesize
2KB

MD5
4761397c10d5b3316f18144cdca617ff

SHA1
991202475fff14537f8b6c1013e7731d0666868c

SHA256
b42bc328f2108ec65c34a5dbee5669cefb3b682a31a0d3d130b34c138828db54

SHA512
6ceecc0bd218e1871d5521975c2fca0661c15ca6ec99b39fe93dae58f79717dd8182c797c83952bef9f023775b7cc1d11aa8b3e35ef1b388fef58d63f80c1380

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
Filesize
627B

MD5
bff5fb0064af3544d547b5a15c5ff617

SHA1
8655be3a67bbecc340e0bc6fe77a384c496d6372

SHA256
f5f1c97c80a49f207ad91262d6d9ba25212b41776157304bb9488d20ea4b5bf2

SHA512
ac88b7a3f5135d6baf835cb42ea43485cb475903817b0ca855bd00bbce2ccf4455282a3c11a1df456e1d2e680c02b31bdb6df583c2845a02c48813c805cc10d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\VENTLbu.exe
Filesize
190KB

MD5
ffef678beca8ee60200bc88809d89630

SHA1
b31070af1ac3e088dfc6f1599f8d12edb1b16783

SHA256
320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689

SHA512
54298098a866e24d99e3764154ae3ca4481e9163fd6e9e0d2c27d7978065a38da38accd58268c985b4ed0cfd4c11a27f4fa51e815c2d7a15e3ec18c453df89c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\VENTLbu.exe
Filesize
190KB

MD5
ffef678beca8ee60200bc88809d89630

SHA1
b31070af1ac3e088dfc6f1599f8d12edb1b16783

SHA256
320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689

SHA512
54298098a866e24d99e3764154ae3ca4481e9163fd6e9e0d2c27d7978065a38da38accd58268c985b4ed0cfd4c11a27f4fa51e815c2d7a15e3ec18c453df89c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-4852.log
Filesize
754B

MD5
be558f5e726fae13c82ae094aecfa7fe

SHA1
e42f5a922301246d0a617527ece656024537847a

SHA256
5897980bfe1cb7933236770b433f56f8180369bf971f6be317d748bb01978c4e

SHA512
24bce2e7fd4d7c797fb0e9a2375c4bf286c6d1feb9e231351356ac27d8c30f57bee5d41f094629029ae5c64bbccaa7a4fd282749f90aeeea21344f0449f57ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
2KB

MD5
99244cb8480a492d5ab94c7a6d6c37dd

SHA1
d91d300f2bc87f7d8fe19f178c5d4c9ddf7084f8

SHA256
06280d90df657c9fda6121988c6163e0af3f144ffd114c5a509ad34564a53ad1

SHA512
3241ae9d9219120228375bca2f0e89ddc3225e50ff2eec3b25be332bb311d4d4203b39ed941c30bb36e753498a39d353ee75d3475dbd9321182f9daeb42ac779

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI49E2.txt
Filesize
11KB

MD5
cf7f8e6bac6e0680acc5040e196025b0

SHA1
c64c20aee9de80363aa4b840816d45e2e338a68c

SHA256
885b656ab579e73498f7c924ccb5157fde5969130edd2c02541273a3d11fe180

SHA512
57e8e838c142ee3a1536fbfbf799e716085d3a78441105cfe269930b3e47fe58e4906ab492f606c46ccf44306376d9d18afea126aa45428d181b83e162aee5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge_installer.log
Filesize
3KB

MD5
eb54c6db47e3508b2fe16f93ad50daac

SHA1
268f267907f13db8843f106b1e3e0f484b7dc2b1

SHA256
aea130761a822f074320d110b489535948a229e2beca4b531b42906ae11364c0

SHA512
78e992b1840d84ffa3d982e61faa6744e84525d8dd8152cb20392f9a61df41eacbfbef1204169658c7e802ce7c148b0c65c48826e514ef07b6b8ab4de1f8dfbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp546B.tmp
Filesize
25.9MB

MD5
efbe2f9939503be8a65bc162a2ebc39d

SHA1
46599733890294e64d0e0e2d59a6e893776861ad

SHA256
ae5536a878e9e049a87e5e725ad5c2337fdf9106563bcf94499a7c5a701e6efb

SHA512
8c3173dd01a23710ddfae310587f19975ef9f648a1fa8ed331caad4c9ec0f5c024589d6bb6a1d9ecbe9ddbf34ed50dfe2ff4e00fdebb78d7c34307f1ee1a9495

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct515D.tmp.RYK
Filesize
55KB

MD5
221032c22c9937f2e5a0aa748c1edaea

SHA1
1f6d4d662e3e1a28ae0aa98fe4e80ecbae09d6d0

SHA256
40acffb49df6b4481267c6a1be3d855e02798e236d2a796022cc41b12c623632

SHA512
b683604a043c3b7fcd4009040dd04329b1fb414f234d92f773044f333e509c13c3af5140e124a10bda372b8c9750e55b54cf9072aac0d1a4f985d507740d26eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct9DE5.tmp
Filesize
40.2MB

MD5
1e0d77f55c62efb69662f05b3c048506

SHA1
671dbdb0dc5faa5d37b6d5ef293b209700c6ccc9

SHA256
9c639449b14073c21498a59153372e0bf72b5e507f702629b72556fe6f10bba8

SHA512
9c0c877ad557256a6d89aab199e27ab8d6853dd6683952da6c6702f344404dc8202675cf91c4695f89c0294bd5e133b4b52d9024d6b8850efdb8f3a9b1e472d4

Download Submit
memory/692-147-0x0000000000000000-mapping.dmp

Download
memory/1116-141-0x0000000000000000-mapping.dmp

Download
memory/1184-131-0x0000000000000000-mapping.dmp

Download
memory/1308-143-0x0000000000000000-mapping.dmp

Download
memory/1356-151-0x0000000000000000-mapping.dmp

Download
memory/1988-150-0x0000000000000000-mapping.dmp

Download
memory/2368-137-0x0000000000000000-mapping.dmp

Download
memory/2388-145-0x0000000000000000-mapping.dmp

Download
memory/2804-139-0x0000000000000000-mapping.dmp

Download
memory/3004-135-0x0000000000000000-mapping.dmp

Download
memory/3120-138-0x0000000000000000-mapping.dmp

Download
memory/3156-148-0x0000000000000000-mapping.dmp

Download
memory/3332-152-0x0000000000000000-mapping.dmp

Download
memory/3596-149-0x0000000000000000-mapping.dmp

Download
memory/3724-140-0x0000000000000000-mapping.dmp

Download
memory/3732-136-0x0000000000000000-mapping.dmp

Download
memory/4528-146-0x0000000000000000-mapping.dmp

Download
memory/4568-142-0x0000000000000000-mapping.dmp

Download
memory/4684-134-0x0000000000000000-mapping.dmp

Download
memory/15832-214-0x0000000000000000-mapping.dmp

Download
memory/18144-215-0x0000000000000000-mapping.dmp

Download
memory/42768-216-0x0000000000000000-mapping.dmp

Download
memory/43084-217-0x0000000000000000-mapping.dmp

Download
memory/54112-218-0x0000000000000000-mapping.dmp

Download
memory/54620-219-0x0000000000000000-mapping.dmp

Download
memory/69164-220-0x0000000000000000-mapping.dmp

Download
memory/69608-221-0x0000000000000000-mapping.dmp

Download
memory/109556-222-0x0000000000000000-mapping.dmp

Download
memory/110004-223-0x0000000000000000-mapping.dmp

Download
memory/120592-224-0x0000000000000000-mapping.dmp

Download
memory/120784-225-0x0000000000000000-mapping.dmp

Download
memory/135640-226-0x0000000000000000-mapping.dmp

Download
memory/136432-227-0x0000000000000000-mapping.dmp

Download
memory/201656-228-0x0000000000000000-mapping.dmp

Download
memory/202088-229-0x0000000000000000-mapping.dmp

Download
memory/202996-238-0x0000000000000000-mapping.dmp

Download
memory/210024-230-0x0000000000000000-mapping.dmp

Download
memory/210232-231-0x0000000000000000-mapping.dmp

Download
memory/227368-232-0x0000000000000000-mapping.dmp

Download
memory/228300-233-0x0000000000000000-mapping.dmp

Download
memory/242020-234-0x0000000000000000-mapping.dmp

Download
memory/242068-235-0x0000000000000000-mapping.dmp

Download
memory/242592-236-0x0000000000000000-mapping.dmp

Download
memory/242636-239-0x0000000000000000-mapping.dmp

Download
memory/242640-237-0x0000000000000000-mapping.dmp

Download
memory/245604-240-0x0000000000000000-mapping.dmp

Download
memory/245656-241-0x0000000000000000-mapping.dmp

Download
memory/245696-242-0x0000000000000000-mapping.dmp

Download
memory/245752-243-0x0000000000000000-mapping.dmp

Download
memory/245964-244-0x0000000000000000-mapping.dmp

Download
memory/246012-245-0x0000000000000000-mapping.dmp

Download
memory/249748-246-0x0000000000000000-mapping.dmp

Download
memory/249764-247-0x0000000000000000-mapping.dmp

Download
memory/250128-248-0x0000000000000000-mapping.dmp

Download
memory/250140-249-0x0000000000000000-mapping.dmp

Download
memory/260856-250-0x0000000000000000-mapping.dmp

Download
memory/261288-251-0x0000000000000000-mapping.dmp

Download
memory/346588-252-0x0000000000000000-mapping.dmp

Download
memory/347028-253-0x0000000000000000-mapping.dmp

Download
memory/347384-254-0x0000000000000000-mapping.dmp

Download
memory/347440-255-0x0000000000000000-mapping.dmp

Download
memory/363316-256-0x0000000000000000-mapping.dmp

Download
memory/363376-257-0x0000000000000000-mapping.dmp

Download
memory/485848-258-0x0000000000000000-mapping.dmp

Download