ryuk | 05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f

Analysis

max time kernel
130s
max time network
127s
platform
windows10_x64
resource
win10v20201028
submitted
19-02-2021 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
Size

304KB
MD5

19fb1b610cb224e9441f962d04e263f2
SHA1

afd8e08baeff92d8f473bcfbdbc1c13d89e971ae
SHA256

05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f
SHA512

6a5a32a0638922fdcea6dc4af508f40bb06a7c4abcf482af1dff94d604c1f4e8df56b16c03574c9b4da9cdb5dcb6365bd1b9cfa6b543805cb5d3a07511b176e8

Score

10^/10

ryuk discovery ransomware

Malware Config

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

ZVPUHrDYCrep.exekfknNsAotlan.execQOonpFhilan.exe

pid process

3656 ZVPUHrDYCrep.exe
2224 kfknNsAotlan.exe
4492 cQOonpFhilan.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

4584 icacls.exe
4596 icacls.exe

pid	process
3656	ZVPUHrDYCrep.exe
2224	kfknNsAotlan.exe
4492	cQOonpFhilan.exe

pid	process
4584	icacls.exe
4596	icacls.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe

Drops file in Program Files directory 64 IoCs

Processes:

05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaTypewriterRegular.ttf	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\RyukReadMe.html	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\RyukReadMe.html	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_zh_4.4.0.v20140623020002.jar	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ul-oob.xrm-ms	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_ie8.gif	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\ui-strings.js	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nb-no\ui-strings.js	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.resources_3.9.1.v20140825-1431.jar	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console.nl_zh_4.4.0.v20140623020002.jar	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-disabled.svg	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\ui-strings.js	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\RyukReadMe.html	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ppd.xrm-ms	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\S_ThumbUpOutline_22_N.svg	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-ma\ui-strings.js	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_zh_4.4.0.v20140623020002.jar	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.stats.json	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sql70.xsl	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_bow.png	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\RyukReadMe.html	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pt-br\ui-strings.js	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\eu-es\RyukReadMe.html	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\en-US\msader15.dll.mui	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ca-es\ui-strings.js	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\jhall-2.0_05.jar	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\PIXEL.INF	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\powerview.x-none.msi.16.x-none.vreg.dat	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-dark-disabled_32.svg	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\faf-main.js	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\icons_retina.png	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\security\local_policy.jar	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\RyukReadMe.html	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\zh-cn_get.svg	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msadox28.tlb	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR\msipc.dll.mui	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\RyukReadMe.html	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-cn\RyukReadMe.html	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-sl\RyukReadMe.html	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\Products.txt	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fi-fi\RyukReadMe.html	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\css\main.css	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\System\ole db\RyukReadMe.html	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\RyukReadMe.html	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-tw\ui-strings.js	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons.png	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nl-nl\RyukReadMe.html	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sl_get.svg	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\tr-tr\ui-strings.js	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VGX\RyukReadMe.html	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\REFSAN.TTF	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\RyukReadMe.html	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\casual.dotx	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SLINTL.DLL	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\Reader_DC.helpcfg	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ppd.xrm-ms	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\ended_review_or_form.gif	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4708 schtasks.exe
Runs net.exe

pid	process
4708	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe

pid	process
652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exenet.exenet.exenet.exenet.exeZVPUHrDYCrep.exe

description	pid	process	target process
PID 652 wrote to memory of 3656	652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe	ZVPUHrDYCrep.exe
PID 652 wrote to memory of 3656	652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe	ZVPUHrDYCrep.exe
PID 652 wrote to memory of 3656	652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe	ZVPUHrDYCrep.exe
PID 652 wrote to memory of 2224	652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe	kfknNsAotlan.exe
PID 652 wrote to memory of 2224	652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe	kfknNsAotlan.exe
PID 652 wrote to memory of 2224	652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe	kfknNsAotlan.exe
PID 652 wrote to memory of 4492	652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe	cQOonpFhilan.exe
PID 652 wrote to memory of 4492	652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe	cQOonpFhilan.exe
PID 652 wrote to memory of 4492	652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe	cQOonpFhilan.exe
PID 652 wrote to memory of 4584	652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe	icacls.exe
PID 652 wrote to memory of 4584	652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe	icacls.exe
PID 652 wrote to memory of 4584	652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe	icacls.exe
PID 652 wrote to memory of 4596	652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe	icacls.exe
PID 652 wrote to memory of 4596	652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe	icacls.exe
PID 652 wrote to memory of 4596	652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe	icacls.exe
PID 652 wrote to memory of 4808	652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe	net.exe
PID 652 wrote to memory of 4808	652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe	net.exe
PID 652 wrote to memory of 4808	652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe	net.exe
PID 652 wrote to memory of 4668	652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe	net.exe
PID 652 wrote to memory of 4668	652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe	net.exe
PID 652 wrote to memory of 4668	652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe	net.exe
PID 652 wrote to memory of 4948	652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe	net.exe
PID 652 wrote to memory of 4948	652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe	net.exe
PID 652 wrote to memory of 4948	652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe	net.exe
PID 652 wrote to memory of 4928	652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe	net.exe
PID 652 wrote to memory of 4928	652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe	net.exe
PID 652 wrote to memory of 4928	652	05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe	net.exe
PID 4808 wrote to memory of 4688	4808	net.exe	net1.exe
PID 4808 wrote to memory of 4688	4808	net.exe	net1.exe
PID 4808 wrote to memory of 4688	4808	net.exe	net1.exe
PID 4668 wrote to memory of 2444	4668	net.exe	net1.exe
PID 4668 wrote to memory of 2444	4668	net.exe	net1.exe
PID 4668 wrote to memory of 2444	4668	net.exe	net1.exe
PID 4928 wrote to memory of 3712	4928	net.exe	net1.exe
PID 4928 wrote to memory of 3712	4928	net.exe	net1.exe
PID 4928 wrote to memory of 3712	4928	net.exe	net1.exe
PID 4948 wrote to memory of 5088	4948	net.exe	net1.exe
PID 4948 wrote to memory of 5088	4948	net.exe	net1.exe
PID 4948 wrote to memory of 5088	4948	net.exe	net1.exe
PID 3656 wrote to memory of 4708	3656	ZVPUHrDYCrep.exe	schtasks.exe
PID 3656 wrote to memory of 4708	3656	ZVPUHrDYCrep.exe	schtasks.exe
PID 3656 wrote to memory of 4708	3656	ZVPUHrDYCrep.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe
"C:\Users\Admin\AppData\Local\Temp\05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:652

C:\Users\Admin\AppData\Local\Temp\ZVPUHrDYCrep.exe
"C:\Users\Admin\AppData\Local\Temp\ZVPUHrDYCrep.exe" 9 REP
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /S 10.10.0.29 /TN pnTFizt /TR "C:\Users\Public\ZVPUHrDYCrep.exe" /sc once /st 00:00 /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4708

C:\Users\Admin\AppData\Local\Temp\kfknNsAotlan.exe
"C:\Users\Admin\AppData\Local\Temp\kfknNsAotlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:2224

C:\Users\Admin\AppData\Local\Temp\cQOonpFhilan.exe
"C:\Users\Admin\AppData\Local\Temp\cQOonpFhilan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:4492

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4584

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4596

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4808

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:4688

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4668

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2444

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5088

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\BOOTSECT.BAK.RYK

MD5
6663835b497ec6dc61cadaa2aa5b7e33

SHA1
6a961b56cf073da2082349c2eac296fcca12827b

SHA256
173b207dfc37257b9c7658d7f0c2cafad3f4ad40d42348fdf67566069d780d0e

SHA512
e4f9eae5fb3690098f9d011301b4134fab0bbb98d5256a755b0bc3ae605e0bdfdc7a51c7d4af4fd1d8df3531253951409f360acae9b05e415ebb49b7e87ad8d9

Download Submit
C:\Boot\BOOTSTAT.DAT.RYK

MD5
53459e453f18a58d751549a85cfca533

SHA1
e3cc29038aa8757210e90cbc8794d69924750090

SHA256
625458185c5a695c9a25a9bfcf0a43f2bc23d67c7df3d5558786f6f31edabf0e

SHA512
a76a7d6150e540ab239679abb9d09033035939e76bd5a4478711d7e309a0613596ff6bf8c4d9efa22b125b5dbf14e90a5ccfcafaba2da8097e66c4a1d6fea1aa

Download Submit
C:\Boot\Fonts\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\Resources\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\Resources\en-US\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\bg-BG\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\cs-CZ\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\da-DK\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\de-DE\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\el-GR\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\en-GB\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\en-US\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\es-ES\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\es-MX\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\et-EE\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\fi-FI\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\fr-CA\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\fr-FR\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\hr-HR\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\hu-HU\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\it-IT\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\ja-JP\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\ko-KR\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\lt-LT\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\lv-LV\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\nb-NO\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\nl-NL\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\pl-PL\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\pt-BR\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\pt-PT\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\qps-ploc\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\ro-RO\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\ru-RU\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\sk-SK\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\sl-SI\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\sr-Latn-RS\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\sv-SE\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\tr-TR\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\uk-UA\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\zh-CN\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Boot\zh-TW\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\PerfLogs\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst.RYK

MD5
53916a68d36c2f4c7a63135ff8b6875b

SHA1
6dab6718add3359c9f32c13452f614f3f1bbf1a7

SHA256
4cb13b3215ba1d9d6ea081ac0dc8ad1fb39557a1230f6a3ab826760f08fe2621

SHA512
08b63d96e3353a16b5fc32f990da1250671f66516eca319d7ec2ef7804ad46cb0cdaefa1ea1e535b9c93796c57c26c744947802788186dd7945e65a75c117489

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst.RYK

MD5
85d93ef878015de81c36126ff162cb4b

SHA1
e9a0f591ba770fa96ec0ff32672ea8fd45a792dd

SHA256
21c01d5171400b5cfd55b45310217d7f2e6f3cb3848a053e1a0089f442e4f000

SHA512
08abdd7ed84be885bf02f86b059c5482f9aa89d01bf3ca6288cb239ce1a5d550b104eee4ef31ef0c40b7e593e6bb989a2cea6e4c04133d50f6e72eb4f8552249

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt19.lst.RYK

MD5
37612be828f28f16fcac7b3a095a3d7d

SHA1
b64bfadc2063f9035f8478ae5b39eb9990aee7dd

SHA256
3f6347fa5deb383c4fd702b5723570d9be513cd26881412ef8c6703a2cb90254

SHA512
d105bf0d471ad932cc7ee4fc3c8ec333537423a5cb1f789e982547c7fcbee355dc141ed24c2adc26fa00fe23af075683c59fe2868fc957762f260592cff14c92

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat.RYK

MD5
79bb16c3c1ebb1821f069af5d57f4249

SHA1
166f4b75684c2109c9b686c8deb9074f3d38a5c9

SHA256
e0a31fb162e63fa7e82593c686038eda02898bb72ed5aabc9bdfeb6686aae4ee

SHA512
cba4c9901679075f6a592e950c07ab7fb93fd00bcbae370f051d5f047a6bd7881aa371af5dd6427c7ef8c41b436380a7cb5793b2c84c2493a2c9122044713baa

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK

MD5
6812baa0be9481f0e2dba1ffb239cb55

SHA1
01cc5fd059bce4c361f2088366d83e1b4d7b1a54

SHA256
b85de0b122d77e67d9dd43cf8117f537cf824414fcf7352644bd85e18a9342bd

SHA512
a023d589211535448ec0b9828e0b69ed3da53cbb1cdd9168b0b8577dd9d4bfd3956c07b168550ebff8da41b65394ce5dc203450d4189a6abc48d62496b28d2c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZVPUHrDYCrep.exe

MD5
19fb1b610cb224e9441f962d04e263f2

SHA1
afd8e08baeff92d8f473bcfbdbc1c13d89e971ae

SHA256
05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f

SHA512
6a5a32a0638922fdcea6dc4af508f40bb06a7c4abcf482af1dff94d604c1f4e8df56b16c03574c9b4da9cdb5dcb6365bd1b9cfa6b543805cb5d3a07511b176e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZVPUHrDYCrep.exe

MD5
19fb1b610cb224e9441f962d04e263f2

SHA1
afd8e08baeff92d8f473bcfbdbc1c13d89e971ae

SHA256
05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f

SHA512
6a5a32a0638922fdcea6dc4af508f40bb06a7c4abcf482af1dff94d604c1f4e8df56b16c03574c9b4da9cdb5dcb6365bd1b9cfa6b543805cb5d3a07511b176e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQOonpFhilan.exe

MD5
19fb1b610cb224e9441f962d04e263f2

SHA1
afd8e08baeff92d8f473bcfbdbc1c13d89e971ae

SHA256
05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f

SHA512
6a5a32a0638922fdcea6dc4af508f40bb06a7c4abcf482af1dff94d604c1f4e8df56b16c03574c9b4da9cdb5dcb6365bd1b9cfa6b543805cb5d3a07511b176e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQOonpFhilan.exe

MD5
19fb1b610cb224e9441f962d04e263f2

SHA1
afd8e08baeff92d8f473bcfbdbc1c13d89e971ae

SHA256
05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f

SHA512
6a5a32a0638922fdcea6dc4af508f40bb06a7c4abcf482af1dff94d604c1f4e8df56b16c03574c9b4da9cdb5dcb6365bd1b9cfa6b543805cb5d3a07511b176e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kfknNsAotlan.exe

MD5
19fb1b610cb224e9441f962d04e263f2

SHA1
afd8e08baeff92d8f473bcfbdbc1c13d89e971ae

SHA256
05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f

SHA512
6a5a32a0638922fdcea6dc4af508f40bb06a7c4abcf482af1dff94d604c1f4e8df56b16c03574c9b4da9cdb5dcb6365bd1b9cfa6b543805cb5d3a07511b176e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kfknNsAotlan.exe

MD5
19fb1b610cb224e9441f962d04e263f2

SHA1
afd8e08baeff92d8f473bcfbdbc1c13d89e971ae

SHA256
05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f

SHA512
6a5a32a0638922fdcea6dc4af508f40bb06a7c4abcf482af1dff94d604c1f4e8df56b16c03574c9b4da9cdb5dcb6365bd1b9cfa6b543805cb5d3a07511b176e8

Download Submit
C:\Users\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\odt\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
C:\odt\config.xml.RYK

MD5
2364c004421fd7ced7df3c3b36ef2f9f

SHA1
dc4cb49f4d5699613cc2cac6008e0f156a096ff5

SHA256
19a93e06f46ab17762c8dc7433bece3575636bf2b257a3b533c1ac0ffc5336bd

SHA512
06851405c679594f04942669dbaebd12a4290e9b38cdeac009007662f9174325bd5ea69b0514a8585809d46cfada4bb99be20923a925176b256ab2f33ea3ffa2

Download Submit
C:\users\Public\RyukReadMe.html

MD5
7484fe2c2893a4588185992b514ac30a

SHA1
171c59b1c6c5ef4c976db8810c9ed3577ae3f1b2

SHA256
bfcf57a79d438d70d1b1dd783e4686cc600f198827403f0abd6efa6f0a6c3d98

SHA512
34fee4d82d5bad2473d2d3c3e1ee25f5b07d302874a76b6a03bd756257587a58f14f6faa51c685cb98fb8b35a03fa6f219d3fd8ab48a553d1b974a2d8f097238

Download Submit
memory/652-3-0x0000000000570000-0x0000000000590000-memory.dmp

Filesize
128KB

Download
memory/652-2-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/652-4-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/652-27-0x0000000003750000-0x0000000003751000-memory.dmp

Filesize
4KB

Download
memory/652-26-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/2224-14-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/2224-11-0x0000000000000000-mapping.dmp

Download
memory/2444-86-0x0000000000000000-mapping.dmp

Download
memory/3656-5-0x0000000000000000-mapping.dmp

Download
memory/3656-8-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/3712-87-0x0000000000000000-mapping.dmp

Download
memory/4492-21-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/4492-18-0x0000000000000000-mapping.dmp

Download
memory/4584-28-0x0000000000000000-mapping.dmp

Download
memory/4596-29-0x0000000000000000-mapping.dmp

Download
memory/4668-82-0x0000000000000000-mapping.dmp

Download
memory/4688-85-0x0000000000000000-mapping.dmp

Download
memory/4708-89-0x0000000000000000-mapping.dmp

Download
memory/4808-81-0x0000000000000000-mapping.dmp

Download
memory/4928-84-0x0000000000000000-mapping.dmp

Download
memory/4948-83-0x0000000000000000-mapping.dmp

Download
memory/5088-88-0x0000000000000000-mapping.dmp

Download