ryuk | 6dfef684475fcbf722f88337d630668b6fcb73864daa9a7e65f3642d3766fdfc

Analysis

max time kernel
126s
max time network
153s
platform
windows10_x64
resource
win10v20201028
submitted
29-03-2021 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
Size

208KB
MD5

aa5abadf25aa3f30c1c83c5d43a7ee8f
SHA1

ff50650068de776d2c0a8962cbccd7ffc431327a
SHA256

0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702
SHA512

033139017097fc0b5f296f9a861ee0ebc2faacb0a9ce172898a5765906010cce4bb30d7436afaeafe131b25ff2c51362825e25c60b2ab9d858672a555b28d7fb

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'JZwuk732'; $torlink = 'http://ylohxrulsdb4ex6hmartra3g63khdb4ku7qkh4qcal2n3nm33vokiiyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://ylohxrulsdb4ex6hmartra3g63khdb4ku7qkh4qcal2n3nm33vokiiyd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

RegMmSkEKrep.exerChahhASZlan.exeesnhJBQuelan.exe

pid process

3548 RegMmSkEKrep.exe
2556 rChahhASZlan.exe
3860 esnhJBQuelan.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

4484 icacls.exe
4496 icacls.exe

pid	process
3548	RegMmSkEKrep.exe
2556	rChahhASZlan.exe
3860	esnhJBQuelan.exe

pid	process
4484	icacls.exe
4496	icacls.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe

Drops file in Program Files directory 64 IoCs

Processes:

0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\cs-cz\RyukReadMe.html	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ru-ru\RyukReadMe.html	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Bears.htm	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ppd.xrm-ms	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ul-oob.xrm-ms	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\sendforsignature.svg	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\RyukReadMe.html	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_ja_4.4.0.v20140623020002.jar	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\RyukReadMe.html	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nl-nl\ui-strings.js	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\COPYRIGHT	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_highcontrast.png	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\msipc.dll.mui	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-si\RyukReadMe.html	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nb-no\ui-strings.js	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ja-jp\ui-strings.js	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.commons.logging_1.1.1.v201101211721.jar	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ppd.xrm-ms	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CHART.DLL	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\jce.jar	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-pl.xrm-ms	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-oob.xrm-ms	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\ui-strings.js	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul.xrm-ms	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\RyukReadMe.html	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\RyukReadMe.html	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_zh_cn_135x40.svg	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.nl_ja_4.4.0.v20140623020002.jar	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Gill Sans MT.xml	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ppd.xrm-ms	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\STSLIST.DLL	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\de-de\ui-strings.js	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-ae\RyukReadMe.html	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-tw\RyukReadMe.html	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\vlc.mo	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\ja-jp\ui-strings.js	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\lpc.win32.bundle	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\PAPYRUS.ELM	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\RyukReadMe.html	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_cs.jar	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_it.jar	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\RyukReadMe.html	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEES.DLL	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_duplicate_18.svg	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\ui-strings.js	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\vlc.mo	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_nextarrow_default.svg	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_download_18.svg	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\digsig_icons.png	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\RyukReadMe.html	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\he-il\RyukReadMe.html	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sk-sk\ui-strings.js	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\ui-strings.js	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hu-hu\ui-strings.js	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe

pid	process
648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 648 wrote to memory of 3548	648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe	RegMmSkEKrep.exe
PID 648 wrote to memory of 3548	648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe	RegMmSkEKrep.exe
PID 648 wrote to memory of 3548	648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe	RegMmSkEKrep.exe
PID 648 wrote to memory of 2556	648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe	rChahhASZlan.exe
PID 648 wrote to memory of 2556	648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe	rChahhASZlan.exe
PID 648 wrote to memory of 2556	648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe	rChahhASZlan.exe
PID 648 wrote to memory of 3860	648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe	esnhJBQuelan.exe
PID 648 wrote to memory of 3860	648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe	esnhJBQuelan.exe
PID 648 wrote to memory of 3860	648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe	esnhJBQuelan.exe
PID 648 wrote to memory of 4484	648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe	icacls.exe
PID 648 wrote to memory of 4484	648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe	icacls.exe
PID 648 wrote to memory of 4484	648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe	icacls.exe
PID 648 wrote to memory of 4496	648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe	icacls.exe
PID 648 wrote to memory of 4496	648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe	icacls.exe
PID 648 wrote to memory of 4496	648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe	icacls.exe
PID 648 wrote to memory of 5080	648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe	net.exe
PID 648 wrote to memory of 5080	648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe	net.exe
PID 648 wrote to memory of 5080	648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe	net.exe
PID 648 wrote to memory of 2336	648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe	net.exe
PID 648 wrote to memory of 2336	648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe	net.exe
PID 648 wrote to memory of 2336	648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe	net.exe
PID 648 wrote to memory of 4788	648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe	net.exe
PID 648 wrote to memory of 4788	648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe	net.exe
PID 648 wrote to memory of 4788	648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe	net.exe
PID 648 wrote to memory of 4944	648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe	net.exe
PID 648 wrote to memory of 4944	648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe	net.exe
PID 648 wrote to memory of 4944	648	0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe	net.exe
PID 2336 wrote to memory of 5096	2336	net.exe	net1.exe
PID 2336 wrote to memory of 5096	2336	net.exe	net1.exe
PID 2336 wrote to memory of 5096	2336	net.exe	net1.exe
PID 4788 wrote to memory of 4588	4788	net.exe	net1.exe
PID 4788 wrote to memory of 4588	4788	net.exe	net1.exe
PID 4788 wrote to memory of 4588	4788	net.exe	net1.exe
PID 5080 wrote to memory of 4456	5080	net.exe	net1.exe
PID 5080 wrote to memory of 4456	5080	net.exe	net1.exe
PID 5080 wrote to memory of 4456	5080	net.exe	net1.exe
PID 4944 wrote to memory of 4864	4944	net.exe	net1.exe
PID 4944 wrote to memory of 4864	4944	net.exe	net1.exe
PID 4944 wrote to memory of 4864	4944	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
"C:\Users\Admin\AppData\Local\Temp\0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:648

C:\Users\Admin\AppData\Local\Temp\RegMmSkEKrep.exe
"C:\Users\Admin\AppData\Local\Temp\RegMmSkEKrep.exe" 9 REP
2⤵
- Executes dropped EXE
PID:3548

C:\Users\Admin\AppData\Local\Temp\rChahhASZlan.exe
"C:\Users\Admin\AppData\Local\Temp\rChahhASZlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:2556

C:\Users\Admin\AppData\Local\Temp\esnhJBQuelan.exe
"C:\Users\Admin\AppData\Local\Temp\esnhJBQuelan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:3860

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4484

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4496

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:4456

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:4588

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5096

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:4864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\$Recycle.Bin\S-1-5-21-3341490333-719741536-2920803124-1000\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\BOOTSECT.BAK.RYK

MD5
e46d791b09f8e47057c4981410d9a4e7

SHA1
2d5567c468350f0c3222878c156db25c3b06fe65

SHA256
8e469f92f7dc8b1f723f30fcea034fb766ba569462837ae0029916964acc4941

SHA512
c884cdde2ad4b9aff6947f2f3c8de5a89d0ed3e7af263d4e62d2317c3774c781a9acdc159954755291e049e27e445058772cff6b873fa401bad69688f670921e

Download Submit
C:\Boot\BOOTSTAT.DAT.RYK

MD5
1b81dcccfd86d6bc63b7eb94c49b8459

SHA1
527089bb1d2218b4780bdb8ef5d903736e576849

SHA256
4b7385fbfb0aa52d2a07835dbbbea56931962f9edb623f3d40e0b6043c05ecfa

SHA512
fb6c78143b5fe288a5d78fd315d1475669c0c5fb2d055b57fee83ffc370f9c993cd912a0f61f62e370a38c957e2ca8971eccea4e56dd7e77c2166840a2b2bd14

Download Submit
C:\Boot\Fonts\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\Resources\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\Resources\en-US\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\bg-BG\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\cs-CZ\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\da-DK\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\de-DE\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\el-GR\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\en-GB\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\en-US\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\es-ES\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\es-MX\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\et-EE\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\fi-FI\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\fr-CA\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\fr-FR\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\hr-HR\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\hu-HU\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\it-IT\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\ja-JP\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\ko-KR\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\lt-LT\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\lv-LV\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\nb-NO\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\nl-NL\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\pl-PL\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\pt-BR\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\pt-PT\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\qps-ploc\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\ro-RO\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\ru-RU\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\sk-SK\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\sl-SI\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\sr-Latn-RS\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\sv-SE\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\tr-TR\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\uk-UA\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\zh-CN\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Boot\zh-TW\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\PerfLogs\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst.RYK

MD5
1f33ed58795c15a2d6d592a6f5e76f86

SHA1
3d87b1cc41273814b9472a03a8576cf744d42148

SHA256
3c0b1a1f0d1b6ce85f5da3aff1ff114d2cfb68c85c0989a96a9deb8fe9f22226

SHA512
db131db1355c0600e0a57fd98055aed046a6787c079e5a223d3410f25390cdc4d353acdcb8d03339d87d93713ed70a2eb324d01eeb67b2fe2cf9816a947fe959

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst.RYK

MD5
0fec9f6ba74869fea944bf425bd8abcc

SHA1
171f6d3c272ac45d5ed16200ef303d2440e71032

SHA256
3aedb6d0bd7a676690ba1a9e107997f75f3a4d96784dabab16af7d47dd59bbec

SHA512
5db62bb46c201f936897e656e9c693f3df29ce3582ce4dae9868158321656a5a4148c6e1c80fdecf0b8dfa926a00613451379c2a53126105ec14eb7c69dc8570

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt19.lst.RYK

MD5
258ccd863dfc6350ae76e92a0457791c

SHA1
b2f0c01338bf856fc6c5c0db58d02d678e9aecea

SHA256
91818c286fd013284c348143ddf98530ab8b6111b57d4037199ed360cc1ce3da

SHA512
833683f35b1111fc31cbaa96481f1ebc96d3baa757e9de539dc40857f6ac92f1782a29479202e7056565c7d88baad122d17e7e8dd7c0dac4784f18fb5b48671d

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat.RYK

MD5
fa99d77b3e60c256fd3bc109d6308f71

SHA1
48dce05fd257c4fa8f8abd5d0c441d479fdc9e6f

SHA256
16ae2a9904c947347aa598a122f6bbdfdd1c46368dac6d5c3bbe36b89a8d1416

SHA512
52c754c67e0c793dc3989a9602b5267133ece18112dd9f7d2e2739a5669e3f7747c3ecefefd6f0326aab7e6c6712f1b1d1b4e06b7ac5a1ad4507f6d1635f0718

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegMmSkEKrep.exe

MD5
aa5abadf25aa3f30c1c83c5d43a7ee8f

SHA1
ff50650068de776d2c0a8962cbccd7ffc431327a

SHA256
0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702

SHA512
033139017097fc0b5f296f9a861ee0ebc2faacb0a9ce172898a5765906010cce4bb30d7436afaeafe131b25ff2c51362825e25c60b2ab9d858672a555b28d7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegMmSkEKrep.exe

MD5
aa5abadf25aa3f30c1c83c5d43a7ee8f

SHA1
ff50650068de776d2c0a8962cbccd7ffc431327a

SHA256
0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702

SHA512
033139017097fc0b5f296f9a861ee0ebc2faacb0a9ce172898a5765906010cce4bb30d7436afaeafe131b25ff2c51362825e25c60b2ab9d858672a555b28d7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\Users\Admin\AppData\Local\Temp\esnhJBQuelan.exe

MD5
aa5abadf25aa3f30c1c83c5d43a7ee8f

SHA1
ff50650068de776d2c0a8962cbccd7ffc431327a

SHA256
0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702

SHA512
033139017097fc0b5f296f9a861ee0ebc2faacb0a9ce172898a5765906010cce4bb30d7436afaeafe131b25ff2c51362825e25c60b2ab9d858672a555b28d7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\esnhJBQuelan.exe

MD5
aa5abadf25aa3f30c1c83c5d43a7ee8f

SHA1
ff50650068de776d2c0a8962cbccd7ffc431327a

SHA256
0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702

SHA512
033139017097fc0b5f296f9a861ee0ebc2faacb0a9ce172898a5765906010cce4bb30d7436afaeafe131b25ff2c51362825e25c60b2ab9d858672a555b28d7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\rChahhASZlan.exe

MD5
aa5abadf25aa3f30c1c83c5d43a7ee8f

SHA1
ff50650068de776d2c0a8962cbccd7ffc431327a

SHA256
0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702

SHA512
033139017097fc0b5f296f9a861ee0ebc2faacb0a9ce172898a5765906010cce4bb30d7436afaeafe131b25ff2c51362825e25c60b2ab9d858672a555b28d7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\rChahhASZlan.exe

MD5
aa5abadf25aa3f30c1c83c5d43a7ee8f

SHA1
ff50650068de776d2c0a8962cbccd7ffc431327a

SHA256
0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702

SHA512
033139017097fc0b5f296f9a861ee0ebc2faacb0a9ce172898a5765906010cce4bb30d7436afaeafe131b25ff2c51362825e25c60b2ab9d858672a555b28d7fb

Download Submit
C:\Users\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\odt\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
C:\odt\config.xml.RYK

MD5
aafe4ce24845c048f501d0332bfb8a60

SHA1
b816b5e142d2d27f0b89e5309d12996194b2cad7

SHA256
d0458689b5cf1240a2c65be523bcdbfa317137933a15f8ecdb0c8445b2c59f3c

SHA512
8f1d95da0245b452071ddd8e0c193d1107f3776d73ef04020f7aac4f1f8bba0c4cbacbf53bd9253bcb5063aecd532af879a71c89e0d8d8e0b72c7d184a5358c7

Download Submit
C:\users\Public\RyukReadMe.html

MD5
99dad7c0e1a2a206df5bbfd09b838057

SHA1
98857fd8fff589d20bae7d0a2168c81b789bb3be

SHA256
72342b5ee6a8a8b6c36570ca95ae7c6aa81c2f35ebef7ea75f438ac52da905f4

SHA512
f329da170a1a00d2b376b0670f6ca5f3823eab52b85ccea4c0a270201791161d7ad721bc4a54dd01822d234ecf26130c685c496f522aff5ce9f1452467258771

Download Submit
\??\UNC\10.10.0.71\C$\Users\Public\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/648-4-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/648-2-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/648-26-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download
memory/648-27-0x0000000003610000-0x0000000003611000-memory.dmp

Filesize
4KB

Download
memory/648-3-0x0000000000550000-0x0000000000570000-memory.dmp

Filesize
128KB

Download
memory/2336-80-0x0000000000000000-mapping.dmp

Download
memory/2556-15-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/2556-12-0x0000000000000000-mapping.dmp

Download
memory/3548-6-0x0000000000000000-mapping.dmp

Download
memory/3548-9-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/3860-21-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/3860-18-0x0000000000000000-mapping.dmp

Download
memory/4456-86-0x0000000000000000-mapping.dmp

Download
memory/4484-28-0x0000000000000000-mapping.dmp

Download
memory/4496-29-0x0000000000000000-mapping.dmp

Download
memory/4588-85-0x0000000000000000-mapping.dmp

Download
memory/4788-81-0x0000000000000000-mapping.dmp

Download
memory/4864-87-0x0000000000000000-mapping.dmp

Download
memory/4944-82-0x0000000000000000-mapping.dmp

Download
memory/5080-79-0x0000000000000000-mapping.dmp

Download
memory/5096-84-0x0000000000000000-mapping.dmp

Download