ryuk | 0ab020889b427c4acadabd81033b78738ee09cf755c11a6cc55b8338296c8014

Analysis

max time kernel
116s
max time network
145s
platform
windows10_x64
resource
win10v20201028
submitted
09-03-2021 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xXx.exe
Size

298KB
MD5

81bb3763db2a1affb2bf64ec94032227
SHA1

a4697a87c564905d01e26051e565dd02acac0c0a
SHA256

0ab020889b427c4acadabd81033b78738ee09cf755c11a6cc55b8338296c8014
SHA512

918322d20b18309e84d264c6ece39d822b708d0bdbed70f8045841e04284c67560e0b0e5238d32d15e8b41d27f841318e8c39fb75a42ee0a4a1a6d6896f47b2e

Score

10^/10

ryuk discovery persistence ransomware

Malware Config

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 3680 created 2108 3680 WerFault.exe EnCycoW.exe
PID 4200 created 4712 4200 WerFault.exe xXx.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

EnCycoW.exe

pid process

2108 EnCycoW.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exe

pid process

1776 icacls.exe
4496 icacls.exe
2820 icacls.exe
360 icacls.exe

description	pid	process	target process
PID 3680 created 2108	3680	WerFault.exe	EnCycoW.exe
PID 4200 created 4712	4200	WerFault.exe	xXx.exe

pid	process
2108	EnCycoW.exe

pid	process
1776	icacls.exe
4496	icacls.exe
2820	icacls.exe
360	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xXx.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 25 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3396	4712	WerFault.exe	xXx.exe
500	4712	WerFault.exe	xXx.exe
784	4712	WerFault.exe	xXx.exe
3340	4712	WerFault.exe	xXx.exe
4076	4712	WerFault.exe	xXx.exe
4256	4712	WerFault.exe	xXx.exe
2996	4712	WerFault.exe	xXx.exe
804	4712	WerFault.exe	xXx.exe
1176	4712	WerFault.exe	xXx.exe
1596	4712	WerFault.exe	xXx.exe
2124	4712	WerFault.exe	xXx.exe
2732	2108	WerFault.exe	EnCycoW.exe
4624	2108	WerFault.exe	EnCycoW.exe
1956	2108	WerFault.exe	EnCycoW.exe
1548	2108	WerFault.exe	EnCycoW.exe
1572	2108	WerFault.exe	EnCycoW.exe
3132	2108	WerFault.exe	EnCycoW.exe
3084	2108	WerFault.exe	EnCycoW.exe
4876	2108	WerFault.exe	EnCycoW.exe
5000	2108	WerFault.exe	EnCycoW.exe
4108	2108	WerFault.exe	EnCycoW.exe
3680	2108	WerFault.exe	EnCycoW.exe
900	4712	WerFault.exe	xXx.exe
4200	4712	WerFault.exe	xXx.exe
3140	2108	WerFault.exe	EnCycoW.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

4484 vssadmin.exe
4240 vssadmin.exe
Runs net.exe

pid	process
4484	vssadmin.exe
4240	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
3396	WerFault.exe
3396	WerFault.exe
3396	WerFault.exe
3396	WerFault.exe
3396	WerFault.exe
3396	WerFault.exe
3396	WerFault.exe
3396	WerFault.exe
3396	WerFault.exe
3396	WerFault.exe
3396	WerFault.exe
3396	WerFault.exe
3396	WerFault.exe
3396	WerFault.exe
500	WerFault.exe
500	WerFault.exe
500	WerFault.exe
500	WerFault.exe
500	WerFault.exe
500	WerFault.exe
500	WerFault.exe
500	WerFault.exe
500	WerFault.exe
500	WerFault.exe
500	WerFault.exe
500	WerFault.exe
500	WerFault.exe
500	WerFault.exe
784	WerFault.exe
784	WerFault.exe
784	WerFault.exe
784	WerFault.exe
784	WerFault.exe
784	WerFault.exe
784	WerFault.exe
784	WerFault.exe
784	WerFault.exe
784	WerFault.exe
784	WerFault.exe
784	WerFault.exe
784	WerFault.exe
784	WerFault.exe
3340	WerFault.exe
3340	WerFault.exe
3340	WerFault.exe
3340	WerFault.exe
3340	WerFault.exe
3340	WerFault.exe
3340	WerFault.exe
3340	WerFault.exe
3340	WerFault.exe
3340	WerFault.exe
3340	WerFault.exe
3340	WerFault.exe
3340	WerFault.exe
3340	WerFault.exe
4076	WerFault.exe
4076	WerFault.exe
4076	WerFault.exe
4076	WerFault.exe
4076	WerFault.exe
4076	WerFault.exe
4076	WerFault.exe
4076	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exexXx.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeEnCycoW.exeWerFault.exeWMIC.exevssvc.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	3396	WerFault.exe
Token: SeBackupPrivilege	3396	WerFault.exe
Token: SeDebugPrivilege	3396	WerFault.exe
Token: SeDebugPrivilege	500	WerFault.exe
Token: SeDebugPrivilege	784	WerFault.exe
Token: SeDebugPrivilege	3340	WerFault.exe
Token: SeDebugPrivilege	4076	WerFault.exe
Token: SeDebugPrivilege	4256	WerFault.exe
Token: SeDebugPrivilege	4712	xXx.exe
Token: SeDebugPrivilege	2996	WerFault.exe
Token: SeDebugPrivilege	804	WerFault.exe
Token: SeDebugPrivilege	1176	WerFault.exe
Token: SeDebugPrivilege	1596	WerFault.exe
Token: SeDebugPrivilege	2124	WerFault.exe
Token: SeBackupPrivilege	2108	EnCycoW.exe
Token: SeDebugPrivilege	2732	WerFault.exe
Token: SeIncreaseQuotaPrivilege	2008	WMIC.exe
Token: SeSecurityPrivilege	2008	WMIC.exe
Token: SeTakeOwnershipPrivilege	2008	WMIC.exe
Token: SeLoadDriverPrivilege	2008	WMIC.exe
Token: SeSystemProfilePrivilege	2008	WMIC.exe
Token: SeSystemtimePrivilege	2008	WMIC.exe
Token: SeProfSingleProcessPrivilege	2008	WMIC.exe
Token: SeIncBasePriorityPrivilege	2008	WMIC.exe
Token: SeCreatePagefilePrivilege	2008	WMIC.exe
Token: SeBackupPrivilege	2008	WMIC.exe
Token: SeRestorePrivilege	2008	WMIC.exe
Token: SeShutdownPrivilege	2008	WMIC.exe
Token: SeDebugPrivilege	2008	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2008	WMIC.exe
Token: SeRemoteShutdownPrivilege	2008	WMIC.exe
Token: SeUndockPrivilege	2008	WMIC.exe
Token: SeManageVolumePrivilege	2008	WMIC.exe
Token: 33	2008	WMIC.exe
Token: 34	2008	WMIC.exe
Token: 35	2008	WMIC.exe
Token: 36	2008	WMIC.exe
Token: SeBackupPrivilege	4656	vssvc.exe
Token: SeRestorePrivilege	4656	vssvc.exe
Token: SeAuditPrivilege	4656	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2008	WMIC.exe
Token: SeSecurityPrivilege	2008	WMIC.exe
Token: SeTakeOwnershipPrivilege	2008	WMIC.exe
Token: SeLoadDriverPrivilege	2008	WMIC.exe
Token: SeSystemProfilePrivilege	2008	WMIC.exe
Token: SeSystemtimePrivilege	2008	WMIC.exe
Token: SeProfSingleProcessPrivilege	2008	WMIC.exe
Token: SeIncBasePriorityPrivilege	2008	WMIC.exe
Token: SeCreatePagefilePrivilege	2008	WMIC.exe
Token: SeBackupPrivilege	2008	WMIC.exe
Token: SeRestorePrivilege	2008	WMIC.exe
Token: SeShutdownPrivilege	2008	WMIC.exe
Token: SeDebugPrivilege	2008	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2008	WMIC.exe
Token: SeRemoteShutdownPrivilege	2008	WMIC.exe
Token: SeUndockPrivilege	2008	WMIC.exe
Token: SeManageVolumePrivilege	2008	WMIC.exe
Token: 33	2008	WMIC.exe
Token: 34	2008	WMIC.exe
Token: 35	2008	WMIC.exe
Token: 36	2008	WMIC.exe
Token: SeDebugPrivilege	4624	WerFault.exe
Token: SeDebugPrivilege	1956	WerFault.exe
Token: SeDebugPrivilege	1548	WerFault.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

xXx.exenet.exenet.exeEnCycoW.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4712 wrote to memory of 2108	4712	xXx.exe	EnCycoW.exe
PID 4712 wrote to memory of 2108	4712	xXx.exe	EnCycoW.exe
PID 4712 wrote to memory of 2108	4712	xXx.exe	EnCycoW.exe
PID 4712 wrote to memory of 2616	4712	xXx.exe	svchost.exe
PID 4712 wrote to memory of 2632	4712	xXx.exe	sihost.exe
PID 4712 wrote to memory of 792	4712	xXx.exe	net.exe
PID 4712 wrote to memory of 792	4712	xXx.exe	net.exe
PID 4712 wrote to memory of 792	4712	xXx.exe	net.exe
PID 792 wrote to memory of 1380	792	net.exe	net1.exe
PID 792 wrote to memory of 1380	792	net.exe	net1.exe
PID 792 wrote to memory of 1380	792	net.exe	net1.exe
PID 4712 wrote to memory of 1700	4712	xXx.exe	net.exe
PID 4712 wrote to memory of 1700	4712	xXx.exe	net.exe
PID 4712 wrote to memory of 1700	4712	xXx.exe	net.exe
PID 4712 wrote to memory of 2912	4712	xXx.exe	taskhostw.exe
PID 1700 wrote to memory of 3900	1700	net.exe	net1.exe
PID 1700 wrote to memory of 3900	1700	net.exe	net1.exe
PID 1700 wrote to memory of 3900	1700	net.exe	net1.exe
PID 4712 wrote to memory of 3372	4712	xXx.exe	ShellExperienceHost.exe
PID 4712 wrote to memory of 3384	4712	xXx.exe	SearchUI.exe
PID 4712 wrote to memory of 3644	4712	xXx.exe	RuntimeBroker.exe
PID 4712 wrote to memory of 3920	4712	xXx.exe	DllHost.exe
PID 2108 wrote to memory of 1776	2108	EnCycoW.exe	icacls.exe
PID 2108 wrote to memory of 1776	2108	EnCycoW.exe	icacls.exe
PID 2108 wrote to memory of 1776	2108	EnCycoW.exe	icacls.exe
PID 2108 wrote to memory of 4496	2108	EnCycoW.exe	icacls.exe
PID 2108 wrote to memory of 4496	2108	EnCycoW.exe	icacls.exe
PID 2108 wrote to memory of 4496	2108	EnCycoW.exe	icacls.exe
PID 2108 wrote to memory of 4480	2108	EnCycoW.exe	cmd.exe
PID 2108 wrote to memory of 4480	2108	EnCycoW.exe	cmd.exe
PID 2108 wrote to memory of 4480	2108	EnCycoW.exe	cmd.exe
PID 2108 wrote to memory of 4484	2108	EnCycoW.exe	vssadmin.exe
PID 2108 wrote to memory of 4484	2108	EnCycoW.exe	vssadmin.exe
PID 2108 wrote to memory of 4484	2108	EnCycoW.exe	vssadmin.exe
PID 4480 wrote to memory of 2008	4480	cmd.exe	WMIC.exe
PID 4480 wrote to memory of 2008	4480	cmd.exe	WMIC.exe
PID 4480 wrote to memory of 2008	4480	cmd.exe	WMIC.exe
PID 4712 wrote to memory of 2820	4712	xXx.exe	icacls.exe
PID 4712 wrote to memory of 2820	4712	xXx.exe	icacls.exe
PID 4712 wrote to memory of 2820	4712	xXx.exe	icacls.exe
PID 4712 wrote to memory of 360	4712	xXx.exe	icacls.exe
PID 4712 wrote to memory of 360	4712	xXx.exe	icacls.exe
PID 4712 wrote to memory of 360	4712	xXx.exe	icacls.exe
PID 4712 wrote to memory of 3272	4712	xXx.exe	cmd.exe
PID 4712 wrote to memory of 3272	4712	xXx.exe	cmd.exe
PID 4712 wrote to memory of 3272	4712	xXx.exe	cmd.exe
PID 4712 wrote to memory of 4240	4712	xXx.exe	vssadmin.exe
PID 4712 wrote to memory of 4240	4712	xXx.exe	vssadmin.exe
PID 4712 wrote to memory of 4240	4712	xXx.exe	vssadmin.exe
PID 4712 wrote to memory of 4228	4712	xXx.exe	cmd.exe
PID 4712 wrote to memory of 4228	4712	xXx.exe	cmd.exe
PID 4712 wrote to memory of 4228	4712	xXx.exe	cmd.exe
PID 3272 wrote to memory of 2928	3272	cmd.exe	WMIC.exe
PID 3272 wrote to memory of 2928	3272	cmd.exe	WMIC.exe
PID 3272 wrote to memory of 2928	3272	cmd.exe	WMIC.exe
PID 4228 wrote to memory of 2252	4228	cmd.exe	reg.exe
PID 4228 wrote to memory of 2252	4228	cmd.exe	reg.exe
PID 4228 wrote to memory of 2252	4228	cmd.exe	reg.exe

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2632

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3384

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3920

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3644

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3372

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2912

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2616

C:\Users\Admin\AppData\Local\Temp\xXx.exe
"C:\Users\Admin\AppData\Local\Temp\xXx.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 904
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 916
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 988
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1032
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1020
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1104
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Users\Admin\AppData\Local\Temp\EnCycoW.exe
"C:\Users\Admin\AppData\Local\Temp\EnCycoW.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:1776

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 676
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
3⤵
- Suspicious use of WriteProcessMemory
PID:4480

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 484
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 756
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 832
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 1100
3⤵
- Program crash
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 1064
3⤵
- Program crash
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 1144
3⤵
- Program crash
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 1180
3⤵
- Program crash
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 820
3⤵
- Program crash
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 1260
3⤵
- Program crash
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 1252
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 740
3⤵
- Program crash
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1244
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1300
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1124
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1264
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1292
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2820

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:360

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:4240

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\xXx.exe" /f /reg:64
2⤵
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\xXx.exe" /f /reg:64
3⤵
- Adds Run key to start application
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1384
2⤵
- Program crash
PID:900

C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
2⤵
- Suspicious use of WriteProcessMemory
PID:3272

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
3⤵
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1656
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:4200

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Boot\Fonts\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\Resources\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\Resources\en-US\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\bg-BG\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\cs-CZ\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\da-DK\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\de-DE\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\el-GR\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\en-GB\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\en-US\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\es-ES\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\es-MX\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\et-EE\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\fi-FI\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\fr-CA\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\fr-FR\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\hr-HR\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\hu-HU\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\it-IT\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\ja-JP\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\ko-KR\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\lt-LT\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\lv-LV\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\nb-NO\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\nl-NL\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\pl-PL\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\pt-BR\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\pt-PT\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\qps-ploc\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\ro-RO\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\ru-RU\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\sk-SK\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\sl-SI\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\sr-Latn-RS\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\sv-SE\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\tr-TR\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\uk-UA\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\zh-CN\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Boot\zh-TW\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_4a1d5b5d-6336-41a4-a4da-b4af65e6deff

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\.oracle_jre_usage\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\ToolsSearchCacheRdr\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Temp\EnCycoW.exe

MD5
81bb3763db2a1affb2bf64ec94032227

SHA1
a4697a87c564905d01e26051e565dd02acac0c0a

SHA256
0ab020889b427c4acadabd81033b78738ee09cf755c11a6cc55b8338296c8014

SHA512
918322d20b18309e84d264c6ece39d822b708d0bdbed70f8045841e04284c67560e0b0e5238d32d15e8b41d27f841318e8c39fb75a42ee0a4a1a6d6896f47b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EnCycoW.exe

MD5
81bb3763db2a1affb2bf64ec94032227

SHA1
a4697a87c564905d01e26051e565dd02acac0c0a

SHA256
0ab020889b427c4acadabd81033b78738ee09cf755c11a6cc55b8338296c8014

SHA512
918322d20b18309e84d264c6ece39d822b708d0bdbed70f8045841e04284c67560e0b0e5238d32d15e8b41d27f841318e8c39fb75a42ee0a4a1a6d6896f47b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\RyukReadMe.html

MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
memory/360-77-0x0000000000000000-mapping.dmp

Download
memory/500-11-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/784-12-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/792-31-0x0000000000000000-mapping.dmp

Download
memory/804-29-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/804-26-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/900-81-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/1176-32-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/1380-33-0x0000000000000000-mapping.dmp

Download
memory/1548-56-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/1548-57-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/1572-60-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/1596-34-0x0000000004290000-0x0000000004291000-memory.dmp

Filesize
4KB

Download
memory/1700-35-0x0000000000000000-mapping.dmp

Download
memory/1776-40-0x0000000000000000-mapping.dmp

Download
memory/1956-53-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/2008-45-0x0000000000000000-mapping.dmp

Download
memory/2108-51-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/2108-30-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/2108-22-0x0000000000000000-mapping.dmp

Download
memory/2108-52-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/2124-38-0x0000000004160000-0x0000000004161000-memory.dmp

Filesize
4KB

Download
memory/2252-96-0x0000000000000000-mapping.dmp

Download
memory/2732-44-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/2820-76-0x0000000000000000-mapping.dmp

Download
memory/2928-95-0x0000000000000000-mapping.dmp

Download
memory/2996-25-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/3084-64-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/3132-63-0x00000000042D0000-0x00000000042D1000-memory.dmp

Filesize
4KB

Download
memory/3140-143-0x0000000004280000-0x0000000004281000-memory.dmp

Filesize
4KB

Download
memory/3272-78-0x0000000000000000-mapping.dmp

Download
memory/3340-15-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/3396-7-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/3396-6-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/3680-74-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/3900-39-0x0000000000000000-mapping.dmp

Download
memory/4076-18-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/4108-71-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/4200-92-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/4228-80-0x0000000000000000-mapping.dmp

Download
memory/4240-79-0x0000000000000000-mapping.dmp

Download
memory/4256-19-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/4480-42-0x0000000000000000-mapping.dmp

Download
memory/4484-43-0x0000000000000000-mapping.dmp

Download
memory/4496-41-0x0000000000000000-mapping.dmp

Download
memory/4624-48-0x0000000004660000-0x0000000004661000-memory.dmp

Filesize
4KB

Download
memory/4712-10-0x0000000030000000-0x000000003016F000-memory.dmp

Filesize
1.4MB

Download
memory/4712-9-0x0000000000550000-0x0000000000581000-memory.dmp

Filesize
196KB

Download
memory/4712-2-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/4876-67-0x0000000004320000-0x0000000004321000-memory.dmp

Filesize
4KB

Download
memory/5000-68-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download