ryuk | 6dfef684475fcbf722f88337d630668b6fcb73864daa9a7e65f3642d3766fdfc

Analysis

max time kernel
118s
max time network
150s
platform
windows10_x64
resource
win10v20201028
submitted
29-03-2021 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
Size

544KB
MD5

526fa2ecb5f8fee6aec4b5d7713d909a
SHA1

51aea2a2b88fb44d5b7ec5d52b47c8b83d9d724a
SHA256

41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700
SHA512

f8859f16c605622edb196f58d013058092824f3d20d207d8b0ed26d2aa4dd8d2c2d1034d5d9aa73974a605c2a41f4c569f33d43d1a6c640f2f9723c721c9e0a4

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'TyorjXA0'; $torlink = 'http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

fHRutcoQprep.exetQpPURvkulan.exeeAjtbsRcklan.exe

pid process

4188 fHRutcoQprep.exe
3992 tQpPURvkulan.exe
2108 eAjtbsRcklan.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

2152 icacls.exe
4920 icacls.exe

pid	process
4188	fHRutcoQprep.exe
3992	tQpPURvkulan.exe
2108	eAjtbsRcklan.exe

pid	process
2152	icacls.exe
4920	icacls.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe

Drops file in Program Files directory 64 IoCs

Processes:

41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\pdf.gif	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\SearchEmail.png	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_de_135x40.svg	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pl-pl\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hu-hu\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieTextModel.bin	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\RICHED20.DLL	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewCommentRTL.png	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Accessibility.api	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.servlet.jsp_2.2.0.v201112011158.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ppd.xrm-ms	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-phn.xrm-ms	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\skin.catalog	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\classlist	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\jawt.lib	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\dsn.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-ui_ja.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.nl_zh_4.4.0.v20140623020002.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_zh_CN.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_export_18.svg	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hr-hr\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-ja_jp_2x.gif	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\css\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ppd.xrm-ms	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-sl\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ja-jp\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\vlc.mo	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ca-es\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-compat_zh_CN.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\ui-strings.js	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\ui-strings.js	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\compare.png	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\ui-strings.js	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\gimap.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_ja.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_sv.properties	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-phn.xrm-ms	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\changelog.txt	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARAIT.TTF	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\charsets.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sv-se\ui-strings.js	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.p2.ui.overridden_5.5.0.165303.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ppd.xrm-ms	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\art\03_lastfm.luac	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\css\main.css	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe

pid	process
4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 4704 wrote to memory of 4188	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	fHRutcoQprep.exe
PID 4704 wrote to memory of 4188	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	fHRutcoQprep.exe
PID 4704 wrote to memory of 4188	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	fHRutcoQprep.exe
PID 4704 wrote to memory of 3992	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	tQpPURvkulan.exe
PID 4704 wrote to memory of 3992	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	tQpPURvkulan.exe
PID 4704 wrote to memory of 3992	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	tQpPURvkulan.exe
PID 4704 wrote to memory of 2108	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	eAjtbsRcklan.exe
PID 4704 wrote to memory of 2108	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	eAjtbsRcklan.exe
PID 4704 wrote to memory of 2108	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	eAjtbsRcklan.exe
PID 4704 wrote to memory of 2152	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	icacls.exe
PID 4704 wrote to memory of 2152	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	icacls.exe
PID 4704 wrote to memory of 2152	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	icacls.exe
PID 4704 wrote to memory of 4920	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	icacls.exe
PID 4704 wrote to memory of 4920	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	icacls.exe
PID 4704 wrote to memory of 4920	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	icacls.exe
PID 4704 wrote to memory of 3776	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	net.exe
PID 4704 wrote to memory of 4984	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	net.exe
PID 4704 wrote to memory of 3776	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	net.exe
PID 4704 wrote to memory of 4984	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	net.exe
PID 4704 wrote to memory of 3776	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	net.exe
PID 4704 wrote to memory of 4984	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	net.exe
PID 4704 wrote to memory of 480	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	net.exe
PID 4704 wrote to memory of 480	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	net.exe
PID 4704 wrote to memory of 480	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	net.exe
PID 4704 wrote to memory of 3876	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	net.exe
PID 4704 wrote to memory of 3876	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	net.exe
PID 4704 wrote to memory of 3876	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	net.exe
PID 480 wrote to memory of 4340	480	net.exe	net1.exe
PID 480 wrote to memory of 4340	480	net.exe	net1.exe
PID 480 wrote to memory of 4340	480	net.exe	net1.exe
PID 3776 wrote to memory of 4820	3776	net.exe	net1.exe
PID 3776 wrote to memory of 4820	3776	net.exe	net1.exe
PID 3776 wrote to memory of 4820	3776	net.exe	net1.exe
PID 4984 wrote to memory of 4312	4984	net.exe	net1.exe
PID 4984 wrote to memory of 4312	4984	net.exe	net1.exe
PID 4984 wrote to memory of 4312	4984	net.exe	net1.exe
PID 3876 wrote to memory of 3444	3876	net.exe	net1.exe
PID 3876 wrote to memory of 3444	3876	net.exe	net1.exe
PID 3876 wrote to memory of 3444	3876	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
"C:\Users\Admin\AppData\Local\Temp\41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4704

C:\Users\Admin\AppData\Local\Temp\fHRutcoQprep.exe
"C:\Users\Admin\AppData\Local\Temp\fHRutcoQprep.exe" 9 REP
2⤵
- Executes dropped EXE
PID:4188

C:\Users\Admin\AppData\Local\Temp\tQpPURvkulan.exe
"C:\Users\Admin\AppData\Local\Temp\tQpPURvkulan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:3992

C:\Users\Admin\AppData\Local\Temp\eAjtbsRcklan.exe
"C:\Users\Admin\AppData\Local\Temp\eAjtbsRcklan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:2108

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2152

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4920

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3776

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:4820

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:4312

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3444

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:480

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:4340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\$Recycle.Bin\S-1-5-21-3341490333-719741536-2920803124-1000\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\BOOTSECT.BAK.RYK

MD5
128e8a3de944d6dabe24affc4fc3020f

SHA1
dd3b4a75173f860360ece512e1433ab9dddc81c7

SHA256
0d320640cb6c869971fa5af459a63714dfc133d09bdd9c776f18c9b9b7d1d23e

SHA512
8a54bdcb818c07f33e148553f81098063efc19e34de179d5e1d5fff035fb7aff7d80602345c7c230294df048971143192b8e48add642357bff97f19c0e81b510

Download Submit
C:\Boot\BOOTSTAT.DAT.RYK

MD5
f1ce241cf41134ee95b146697a9d0395

SHA1
80c87a87c8b42aeb564bdcc6ac42fbca876b181e

SHA256
6d4a8665f191d541d1c34696b80e6068de462376b2ae0ffe69e52f691ea12293

SHA512
6dbc3ea86a7db78b94ce8c962c8f734198c007fce72264ef55ed031b47333931e319384502463509c4c8495188704b100e32a763d8b648e9afdbb4a0265338b1

Download Submit
C:\Boot\Fonts\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\Resources\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\Resources\en-US\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\bg-BG\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\cs-CZ\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\da-DK\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\de-DE\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\el-GR\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\en-GB\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\en-US\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\es-ES\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\es-MX\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\et-EE\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\fi-FI\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\fr-CA\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\fr-FR\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\hr-HR\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\hu-HU\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\it-IT\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\ja-JP\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\ko-KR\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\lt-LT\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\lv-LV\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\nb-NO\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\nl-NL\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\pl-PL\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\pt-BR\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\pt-PT\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\qps-ploc\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\ro-RO\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\ru-RU\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\sk-SK\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\sl-SI\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\sr-Latn-RS\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\sv-SE\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\tr-TR\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\uk-UA\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\zh-CN\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Boot\zh-TW\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\PerfLogs\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Users\Admin\AppData\Local\Publishers\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\939812247\payload.dat

MD5
aabe6e90fbb9dd0d374962f8849aa445

SHA1
0bf93ce86a954666a324511c7d572d302fb7fdbb

SHA256
82ac24084afc62f7a9d76eea78c06cad50c9364e422ebfa2594a024584901807

SHA512
96ad027222e6c1cf6d310538c170049fd0e5f81b4fc92667d9c52331eeb61d7d409f4f65d68eb151c103abaf58c781cfe09156548cf2c43caa09697cb48bfc34

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log

MD5
4481538932beceac965a85ddc81b9024

SHA1
edda38f1dc7ca686b866fd3187c317f7c85ed059

SHA256
473ab553616d15d4e4fd2a5a7afb70d3f38eee2c05bb31965ab8551a6b81d967

SHA512
732d7cb1b2fc0d9f712e61462c1657e63f2cdc349199ee6f72751a7b654e5b3350198e496d4e1ea8b5c731871b17d5dd5980bf4ac25c78adf73ebaf79d0af6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-644.log

MD5
f04571192d95b55e153f1941258cfa17

SHA1
c9329cf10dba3a29f424f20d7f1b0693fe271aeb

SHA256
50fd60875c1064c82ea9aa8b19dad5aabd7c25dc638b56ae1f1d94721478dde2

SHA512
8e93b663aa0b3819446032ebd7d8a82e15e61fa7cc6107c90b38b2819fac9089b03558ece4d28f30bb16c2f9f87786a36c8d266561b8d0a1b49cd5960641b0a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

MD5
48c9c6f8084d58d803c8129c0fe1acfa

SHA1
cd959bb0a52e842f172b658a3699864597990548

SHA256
805301883de74dc28c7e696b6fd667b3e7f542bb33ac80024e29eda169a39c5c

SHA512
34dc5806fb177d1f146d28b51801e576e9cae0e031db4b50dfa0df93092ec4811c2840ca0191522c5df7303668ffe31fbed0b831f15fe952e551c5d268ff8a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt

MD5
b571336bf15cac096e954b45257ec0fb

SHA1
e1b18382924beac4fa44de30a78a9e364b038089

SHA256
660ef17a760119b40d22b29ab5a0ec0236e63040381335a93987509568ab3de0

SHA512
a1c08ed352e8b4de8c6d9f04af57155a94363d97a4bec79ceeddbc1cc1a71c259db5610e0cc3c025dd6fc6f38b4a718bb7595e00210ae225ad17942a8e86b6f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAjtbsRcklan.exe

MD5
526fa2ecb5f8fee6aec4b5d7713d909a

SHA1
51aea2a2b88fb44d5b7ec5d52b47c8b83d9d724a

SHA256
41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700

SHA512
f8859f16c605622edb196f58d013058092824f3d20d207d8b0ed26d2aa4dd8d2c2d1034d5d9aa73974a605c2a41f4c569f33d43d1a6c640f2f9723c721c9e0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAjtbsRcklan.exe

MD5
526fa2ecb5f8fee6aec4b5d7713d909a

SHA1
51aea2a2b88fb44d5b7ec5d52b47c8b83d9d724a

SHA256
41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700

SHA512
f8859f16c605622edb196f58d013058092824f3d20d207d8b0ed26d2aa4dd8d2c2d1034d5d9aa73974a605c2a41f4c569f33d43d1a6c640f2f9723c721c9e0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fHRutcoQprep.exe

MD5
526fa2ecb5f8fee6aec4b5d7713d909a

SHA1
51aea2a2b88fb44d5b7ec5d52b47c8b83d9d724a

SHA256
41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700

SHA512
f8859f16c605622edb196f58d013058092824f3d20d207d8b0ed26d2aa4dd8d2c2d1034d5d9aa73974a605c2a41f4c569f33d43d1a6c640f2f9723c721c9e0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fHRutcoQprep.exe

MD5
526fa2ecb5f8fee6aec4b5d7713d909a

SHA1
51aea2a2b88fb44d5b7ec5d52b47c8b83d9d724a

SHA256
41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700

SHA512
f8859f16c605622edb196f58d013058092824f3d20d207d8b0ed26d2aa4dd8d2c2d1034d5d9aa73974a605c2a41f4c569f33d43d1a6c640f2f9723c721c9e0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tQpPURvkulan.exe

MD5
526fa2ecb5f8fee6aec4b5d7713d909a

SHA1
51aea2a2b88fb44d5b7ec5d52b47c8b83d9d724a

SHA256
41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700

SHA512
f8859f16c605622edb196f58d013058092824f3d20d207d8b0ed26d2aa4dd8d2c2d1034d5d9aa73974a605c2a41f4c569f33d43d1a6c640f2f9723c721c9e0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tQpPURvkulan.exe

MD5
526fa2ecb5f8fee6aec4b5d7713d909a

SHA1
51aea2a2b88fb44d5b7ec5d52b47c8b83d9d724a

SHA256
41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700

SHA512
f8859f16c605622edb196f58d013058092824f3d20d207d8b0ed26d2aa4dd8d2c2d1034d5d9aa73974a605c2a41f4c569f33d43d1a6c640f2f9723c721c9e0a4

Download Submit
C:\Users\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\odt\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\odt\config.xml.RYK

MD5
02aed81a92cf5fd0960c74acc76715e4

SHA1
f5246853e2f28f142bde7d58e9ab2540f5e0c9ee

SHA256
e6de5cb91710f4f91ed3c9d208b9c0b2d2239a957ab42b1d5963fb4a2ef8c5f7

SHA512
4f63bfd7fbfbb8f9a475d5bb607115cc93208dd500db5b4f7ca6310d140dbac8f43b2216bf2f59e5d8a6c0005ac83961c56923b2b3db5d7efebd79c5aac7f4da

Download Submit
C:\users\Public\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
\??\UNC\10.10.0.71\C$\Users\Public\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/480-63-0x0000000000000000-mapping.dmp

Download
memory/2108-12-0x0000000000000000-mapping.dmp

Download
memory/2152-19-0x0000000000000000-mapping.dmp

Download
memory/3444-69-0x0000000000000000-mapping.dmp

Download
memory/3776-60-0x0000000000000000-mapping.dmp

Download
memory/3876-64-0x0000000000000000-mapping.dmp

Download
memory/3992-8-0x0000000000000000-mapping.dmp

Download
memory/4188-4-0x0000000000000000-mapping.dmp

Download
memory/4312-68-0x0000000000000000-mapping.dmp

Download
memory/4340-66-0x0000000000000000-mapping.dmp

Download
memory/4704-3-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/4704-2-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4704-17-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/4704-18-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/4820-67-0x0000000000000000-mapping.dmp

Download
memory/4920-20-0x0000000000000000-mapping.dmp

Download
memory/4984-61-0x0000000000000000-mapping.dmp

Download