In our student lab, Virtualbench software (specifically virtualbench.exe) is triggering a custom anti-virus rule because it is creating files with random 8 character names and the extension .ryk in the folder %userprofile%\appdata\local\temp\WPF. This is happening with virtualbench.exe launched from a locally-installed copy, and from the version that is invoked from the launcher provided by the device itself.
I need to know if these temporary files are created by Virtualbench as part of its normal operation, as the extension .ryk is used by the Ryuk ransomware for the encrypted files it drops. I do think that this is probably a false positive, but I need to take an assurance of this to my institute's security team for them to add an exception to the rule.
Thanks in advance for any assistance. Please contact me if you need more details.
