ryuk | 180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

Analysis

max time kernel
150s
max time network
104s
platform
windows10_x64
resource
win10v20201028
submitted
11-03-2021 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a563c50c5fa0fd541248acaf72cc4e7d.exe
Size

635KB
MD5

a563c50c5fa0fd541248acaf72cc4e7d
SHA1

4b8c12b074e20a796071aa50dc82fe2ff755e8f6
SHA256

180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843
SHA512

d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Score

10^/10

ryuk dave discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = '5GqsR1ewcO'; $torlink = 'http://piesa6sapybbrz63pqmmwdzyc5fp73b3uya5cpli6pp5jpswndiu44id.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://piesa6sapybbrz63pqmmwdzyc5fp73b3uya5cpli6pp5jpswndiu44id.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Dave packer 1 IoCs

Detects executable packed with a packer named 'Dave' from the community, due to a string at the end of it.

dave

Processes:

resource	yara_rule
behavioral2/memory/1192-4-0x00000000022B0000-0x00000000022D2000-memory.dmp	dave

Executes dropped EXE 3 IoCs

Processes:

SOyMLhrXQrep.exenMmKpNWSklan.exehgrBEFwjLlan.exe

pid process

808 SOyMLhrXQrep.exe
1456 nMmKpNWSklan.exe
744 hgrBEFwjLlan.exe

pid	process
808	SOyMLhrXQrep.exe
1456	nMmKpNWSklan.exe
744	hgrBEFwjLlan.exe

Drops startup file 1 IoCs

Processes:

a563c50c5fa0fd541248acaf72cc4e7d.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.html	a563c50c5fa0fd541248acaf72cc4e7d.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

4552 icacls.exe
4564 icacls.exe

pid	process
4552	icacls.exe
4564	icacls.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

a563c50c5fa0fd541248acaf72cc4e7d.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	a563c50c5fa0fd541248acaf72cc4e7d.exe

Drops file in Program Files directory 64 IoCs

Processes:

a563c50c5fa0fd541248acaf72cc4e7d.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-split.avi	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\.eclipseproduct	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\EssentialLetter.dotx	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\de-de\RyukReadMe.html	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_zh_4.4.0.v20140623020002.jar	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-options-keymap.jar	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\proof.en-us.msi.16.en-us.vreg.dat	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\ui-strings.js	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-80.png	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.png	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-disabled.svg	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\office32ww.msi.16.x-none.vreg.dat	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\tr-tr\ui-strings.js	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Internet Explorer\images\bing.ico	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_zh_CN.jar	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\mc.jar	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\RyukReadMe.html	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_ja_4.4.0.v20140623020002.jar	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ul-oob.xrm-ms	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\RyukReadMe.html	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ja-jp\RyukReadMe.html	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-pl.xrm-ms	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\WATERMAR.INF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\ICE.INF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\msipc.dll.mui	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\main.css	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ca-es\ui-strings.js	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\A12_Crossmark_White@1x.png	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ul-oob.xrm-ms	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\RyukReadMe.html	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\forms_poster.jpg	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_zh_CN.jar	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\soundcloud.luac	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\RyukReadMe.html	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ACEINTL.DLL	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_ellipses_selected-hover.svg	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\RyukReadMe.html	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\de-de\ui-strings.js	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\TimelessLetter.dotx	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-si\ui-strings.js	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\S_ThumbDownOutline_22_N1.svg	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ppd.xrm-ms	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\offsymb.ttf	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\RyukReadMe.html	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\PREVIEW.GIF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\pt-br\RyukReadMe.html	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sl-si\ui-strings.js	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\progress.gif	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-pl.xrm-ms	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\ui-strings.js	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ppd.xrm-ms	a563c50c5fa0fd541248acaf72cc4e7d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

a563c50c5fa0fd541248acaf72cc4e7d.exe

pid	process
1192	a563c50c5fa0fd541248acaf72cc4e7d.exe
1192	a563c50c5fa0fd541248acaf72cc4e7d.exe
1192	a563c50c5fa0fd541248acaf72cc4e7d.exe
1192	a563c50c5fa0fd541248acaf72cc4e7d.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

a563c50c5fa0fd541248acaf72cc4e7d.exeSOyMLhrXQrep.exenMmKpNWSklan.exehgrBEFwjLlan.exe

pid	process
1192	a563c50c5fa0fd541248acaf72cc4e7d.exe
1192	a563c50c5fa0fd541248acaf72cc4e7d.exe
808	SOyMLhrXQrep.exe
808	SOyMLhrXQrep.exe
1456	nMmKpNWSklan.exe
1456	nMmKpNWSklan.exe
744	hgrBEFwjLlan.exe
744	hgrBEFwjLlan.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

a563c50c5fa0fd541248acaf72cc4e7d.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1192 wrote to memory of 808	1192	a563c50c5fa0fd541248acaf72cc4e7d.exe	SOyMLhrXQrep.exe
PID 1192 wrote to memory of 808	1192	a563c50c5fa0fd541248acaf72cc4e7d.exe	SOyMLhrXQrep.exe
PID 1192 wrote to memory of 808	1192	a563c50c5fa0fd541248acaf72cc4e7d.exe	SOyMLhrXQrep.exe
PID 1192 wrote to memory of 1456	1192	a563c50c5fa0fd541248acaf72cc4e7d.exe	nMmKpNWSklan.exe
PID 1192 wrote to memory of 1456	1192	a563c50c5fa0fd541248acaf72cc4e7d.exe	nMmKpNWSklan.exe
PID 1192 wrote to memory of 1456	1192	a563c50c5fa0fd541248acaf72cc4e7d.exe	nMmKpNWSklan.exe
PID 1192 wrote to memory of 744	1192	a563c50c5fa0fd541248acaf72cc4e7d.exe	hgrBEFwjLlan.exe
PID 1192 wrote to memory of 744	1192	a563c50c5fa0fd541248acaf72cc4e7d.exe	hgrBEFwjLlan.exe
PID 1192 wrote to memory of 744	1192	a563c50c5fa0fd541248acaf72cc4e7d.exe	hgrBEFwjLlan.exe
PID 1192 wrote to memory of 4552	1192	a563c50c5fa0fd541248acaf72cc4e7d.exe	icacls.exe
PID 1192 wrote to memory of 4552	1192	a563c50c5fa0fd541248acaf72cc4e7d.exe	icacls.exe
PID 1192 wrote to memory of 4552	1192	a563c50c5fa0fd541248acaf72cc4e7d.exe	icacls.exe
PID 1192 wrote to memory of 4564	1192	a563c50c5fa0fd541248acaf72cc4e7d.exe	icacls.exe
PID 1192 wrote to memory of 4564	1192	a563c50c5fa0fd541248acaf72cc4e7d.exe	icacls.exe
PID 1192 wrote to memory of 4564	1192	a563c50c5fa0fd541248acaf72cc4e7d.exe	icacls.exe
PID 1192 wrote to memory of 4680	1192	a563c50c5fa0fd541248acaf72cc4e7d.exe	net.exe
PID 1192 wrote to memory of 4680	1192	a563c50c5fa0fd541248acaf72cc4e7d.exe	net.exe
PID 1192 wrote to memory of 4680	1192	a563c50c5fa0fd541248acaf72cc4e7d.exe	net.exe
PID 1192 wrote to memory of 5024	1192	a563c50c5fa0fd541248acaf72cc4e7d.exe	net.exe
PID 1192 wrote to memory of 5024	1192	a563c50c5fa0fd541248acaf72cc4e7d.exe	net.exe
PID 1192 wrote to memory of 5024	1192	a563c50c5fa0fd541248acaf72cc4e7d.exe	net.exe
PID 1192 wrote to memory of 4560	1192	a563c50c5fa0fd541248acaf72cc4e7d.exe	net.exe
PID 1192 wrote to memory of 4560	1192	a563c50c5fa0fd541248acaf72cc4e7d.exe	net.exe
PID 1192 wrote to memory of 4560	1192	a563c50c5fa0fd541248acaf72cc4e7d.exe	net.exe
PID 1192 wrote to memory of 4652	1192	a563c50c5fa0fd541248acaf72cc4e7d.exe	net.exe
PID 1192 wrote to memory of 4652	1192	a563c50c5fa0fd541248acaf72cc4e7d.exe	net.exe
PID 1192 wrote to memory of 4652	1192	a563c50c5fa0fd541248acaf72cc4e7d.exe	net.exe
PID 4560 wrote to memory of 1452	4560	net.exe	net1.exe
PID 4560 wrote to memory of 1452	4560	net.exe	net1.exe
PID 4560 wrote to memory of 1452	4560	net.exe	net1.exe
PID 4652 wrote to memory of 5068	4652	net.exe	net1.exe
PID 4652 wrote to memory of 5068	4652	net.exe	net1.exe
PID 4652 wrote to memory of 5068	4652	net.exe	net1.exe
PID 4680 wrote to memory of 4724	4680	net.exe	net1.exe
PID 4680 wrote to memory of 4724	4680	net.exe	net1.exe
PID 4680 wrote to memory of 4724	4680	net.exe	net1.exe
PID 5024 wrote to memory of 4992	5024	net.exe	net1.exe
PID 5024 wrote to memory of 4992	5024	net.exe	net1.exe
PID 5024 wrote to memory of 4992	5024	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\a563c50c5fa0fd541248acaf72cc4e7d.exe
"C:\Users\Admin\AppData\Local\Temp\a563c50c5fa0fd541248acaf72cc4e7d.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\SOyMLhrXQrep.exe
"C:\Users\Admin\AppData\Local\Temp\SOyMLhrXQrep.exe" 9 REP
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:808

C:\Users\Admin\AppData\Local\Temp\nMmKpNWSklan.exe
"C:\Users\Admin\AppData\Local\Temp\nMmKpNWSklan.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1456

C:\Users\Admin\AppData\Local\Temp\hgrBEFwjLlan.exe
"C:\Users\Admin\AppData\Local\Temp\hgrBEFwjLlan.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:744

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4552

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4564

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4680

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:4724

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1452

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:4992

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\$Recycle.Bin\S-1-5-21-3341490333-719741536-2920803124-1000\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\BOOTSECT.BAK.RYK
MD5
9ad32ac86c69debc27f2e0fb42e42884

SHA1
31f091184b8494500e48d1f16d1525a90cd02c1d

SHA256
9a93cc179a8bd310f0eae0b1c52f2b97f82538acb35d76d1f54940430dcb45c6

SHA512
971444ac9d733c8e5148b3320a354fab4329c2c3041076b156fbef966dca3a8a0252ac64b442537505dee3f19f4866eb204954921d50f1a66b0007e42fb9c743

Download Submit
C:\Boot\BOOTSTAT.DAT.RYK
MD5
00d730a3330345904dd6869aca8a5d78

SHA1
651c5d91b98e364a135c3631242498befac38ae8

SHA256
f1a0928c52419f4810b456780d3b86eae085fd18e5c44886464b79a9929326cd

SHA512
1d7f5e62fefa2d9cd477da9ca7377f94af3c1c6dcace632ae9731eb3e03f9710c3f74fdd72472b7d27cd0a9a5553b88e20b926fe95a58a06ca484d9497dd78ba

Download Submit
C:\Boot\Fonts\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\Resources\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\Resources\en-US\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\bg-BG\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\cs-CZ\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\da-DK\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\de-DE\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\el-GR\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\en-GB\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\en-US\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\es-ES\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\es-MX\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\et-EE\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\fi-FI\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\fr-CA\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\fr-FR\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\hr-HR\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\hu-HU\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\it-IT\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\ja-JP\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\ko-KR\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\lt-LT\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\lv-LV\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\nb-NO\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\nl-NL\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\pl-PL\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\pt-BR\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\pt-PT\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\qps-ploc\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\ro-RO\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\ru-RU\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\sk-SK\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\sl-SI\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\sr-Latn-RS\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\sv-SE\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\tr-TR\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\uk-UA\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\zh-CN\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Boot\zh-TW\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\PerfLogs\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst.RYK
MD5
96b1b1316175e06afce3eb7dbe3b2616

SHA1
a3cdfbbe5514d4dca7c91120c9d51f888c4d996f

SHA256
5877f009ebceb0e25117044882a8e540db91870229d6777138e9a1fb1cb73b59

SHA512
7795b005590423f82b985cd137e804a1698de421995f204729ef90d69cc4d3af1e8a9fb538b2a6be95b074e145191f9da2bb9f0157f60e418c3be9ca3556049a

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst.RYK
MD5
7139d423552f6ddfbf9fe335453dd057

SHA1
00bb19f8b7f7afb2fd52da7f7b7ee9bd40b4102f

SHA256
3cd185668ec7ea0c77ca266fc601e45a6787285c0fea06f086b55a22b0f8a729

SHA512
ccb26c0bad422004f049c8c7f1387047382498d525273fad72fa9eab702d1ad80953ea213bf1de4700fccf60ca01decb8176f11c757873f5066922132374c8c8

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt19.lst.RYK
MD5
b58a1d76c86d1bbf23353b03e4734ce5

SHA1
68096175ea2bae197c8d3e06079aff58b36d4f6a

SHA256
7c692b403c7c74a063e3a58b188cf76dd820463a787e46ae212b8ad81389d0ec

SHA512
ed9fadbcb0d2cdc5c13c64f8a0fea08f74c3b5317924be8285c1269870030dab6b6d28780808dde952012687677fdc5e47988a3d4d595a3d8ac384e44d1764a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SOyMLhrXQrep.exe
MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Local\Temp\SOyMLhrXQrep.exe
MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgrBEFwjLlan.exe
MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgrBEFwjLlan.exe
MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMmKpNWSklan.exe
MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMmKpNWSklan.exe
MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3341490333-719741536-2920803124-1000\0f5007522459c86e95ffcc62f32308f1_4a1d5b5d-6336-41a4-a4da-b4af65e6deff
MD5
a199fe89b525ab2b11d8d293fe6dcde9

SHA1
85e5a4952010dd8e5d07467a73f6d4719d8e4893

SHA256
c3cbd9f914de3d659217aff4e9a03b44866edf0492a159e4e123313e34dd3547

SHA512
cb9b90ab3627acb1e339738db033cee420c0ab0ae0efe8cab15b557835d00eb5d73a382390da34beba5f1ec4baef867f8990fb6ad4c75382f3248151fa11df45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3341490333-719741536-2920803124-1000\0f5007522459c86e95ffcc62f32308f1_4a1d5b5d-6336-41a4-a4da-b4af65e6deff
MD5
5c6801044de4d5f2a73cd7129e859480

SHA1
fbad6189fb1ecb2d421b67d1cd7c846b91607866

SHA256
5d5024d5aa65af14f0e24e401bfca2a822b71d6a62cd8856ed438126ed5c8bcc

SHA512
2d2d89f79f36ed5bf426fa310cdf662972e07a031e8f273c6c7dc100e44b0b90c79df9ae2c97cedd3e89131592713b40a3034e1826ac787f8a0f38853028b3ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3341490333-719741536-2920803124-1000\0f5007522459c86e95ffcc62f32308f1_4a1d5b5d-6336-41a4-a4da-b4af65e6deff
MD5
52fbc1a5dce1913cc44bf045759a0641

SHA1
9bcc68a6292cf6dbd6aac050c283fdef59ef6523

SHA256
b8a8f4046a1613376b408d2785a7087861b54d4d9f3abe5e39345f9d157bfc2e

SHA512
ad336bde02ee24dbe044c52d05675354b829260d02b3e7a9f7d37c33862d2781c2884aa45b63dac9de958e83065a5c746e67be647f6d8f083fd37aa225fed603

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3341490333-719741536-2920803124-1000\0f5007522459c86e95ffcc62f32308f1_4a1d5b5d-6336-41a4-a4da-b4af65e6deff
MD5
5c6801044de4d5f2a73cd7129e859480

SHA1
fbad6189fb1ecb2d421b67d1cd7c846b91607866

SHA256
5d5024d5aa65af14f0e24e401bfca2a822b71d6a62cd8856ed438126ed5c8bcc

SHA512
2d2d89f79f36ed5bf426fa310cdf662972e07a031e8f273c6c7dc100e44b0b90c79df9ae2c97cedd3e89131592713b40a3034e1826ac787f8a0f38853028b3ef

Download Submit
C:\Users\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\odt\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\odt\config.xml.RYK
MD5
dd052153a1491bb23233e884ae9e301b

SHA1
292b60915c352663f993065d98d2dec26e975993

SHA256
3877a70c8dca4f328574242694cc3a8fff87f01cbd22d1f2b5115357d2a62e22

SHA512
3e1b56da62652729f660793a4cac206376b6113865648cd681ac78f8cc3d899fe839b44b23d70650e458b9a02c1d7abbfa7662c75fe66d69b16f0d4dbaac830e

Download Submit
C:\users\Public\RyukReadMe.html
MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
memory/744-19-0x0000000000000000-mapping.dmp

Download
memory/744-23-0x00000000020A0000-0x00000000020C4000-memory.dmp

Filesize
144KB

Download
memory/808-9-0x0000000002190000-0x00000000021B4000-memory.dmp

Filesize
144KB

Download
memory/808-5-0x0000000000000000-mapping.dmp

Download
memory/1192-27-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/1192-28-0x00000000039E0000-0x00000000039E1000-memory.dmp

Filesize
4KB

Download
memory/1192-4-0x00000000022B0000-0x00000000022D2000-memory.dmp

Filesize
136KB

Download
memory/1192-3-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1192-2-0x00000000022E0000-0x0000000002304000-memory.dmp

Filesize
144KB

Download
memory/1452-86-0x0000000000000000-mapping.dmp

Download
memory/1456-12-0x0000000000000000-mapping.dmp

Download
memory/1456-16-0x00000000021C0000-0x00000000021E4000-memory.dmp

Filesize
144KB

Download
memory/4552-29-0x0000000000000000-mapping.dmp

Download
memory/4560-84-0x0000000000000000-mapping.dmp

Download
memory/4564-30-0x0000000000000000-mapping.dmp

Download
memory/4652-85-0x0000000000000000-mapping.dmp

Download
memory/4680-82-0x0000000000000000-mapping.dmp

Download
memory/4724-88-0x0000000000000000-mapping.dmp

Download
memory/4992-89-0x0000000000000000-mapping.dmp

Download
memory/5024-83-0x0000000000000000-mapping.dmp

Download
memory/5068-87-0x0000000000000000-mapping.dmp

Download