ryuk | 8b94e0c9693aa1bd89eb828a8b61fdf8ca2398b8e92dcf91d509cdb888285223

Analysis

max time kernel
147s
max time network
111s
platform
windows10_x64
resource
win10v20201028
submitted
29-03-2021 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
Size

468KB
MD5

9296a9b81bfe119bd786a6f5a8ad43ad
SHA1

581cf7c453358cd94ceed70088470c32a7307c8e
SHA256

0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591
SHA512

64955ec13d7e874d8aeb9490b2ff814473e02ef93eb071bab460add8b5966f660ddca1ba80cf1055f7d2c5cccaf4ad62d908356547c8c13387e622e5dfc849a1

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'J5U8YdUCr'; $torlink = 'http://ddchw6p2kegymsyoqljqnsslebfh5t7e45s6m2pqhhn5mt4yb3rlazyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://ddchw6p2kegymsyoqljqnsslebfh5t7e45s6m2pqhhn5mt4yb3rlazyd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

YOQPLLlEcrep.exemHniydKdWlan.exeHgIgzeloLlan.exe

pid process

3836 YOQPLLlEcrep.exe
1584 mHniydKdWlan.exe
2720 HgIgzeloLlan.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

4540 icacls.exe
4552 icacls.exe

pid	process
3836	YOQPLLlEcrep.exe
1584	mHniydKdWlan.exe
2720	HgIgzeloLlan.exe

pid	process
4540	icacls.exe
4552	icacls.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe

Drops file in Program Files directory 64 IoCs

Processes:

0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ppd.xrm-ms	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ul-oob.xrm-ms	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-oob.xrm-ms	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SFBAPPSDK.DLL	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sk-sk\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console_1.0.300.v20131113-1212.jar	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.net_1.2.200.v20120807-0927.jar	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-pl.xrm-ms	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-phn.xrm-ms	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\powerpnt.exe.manifest	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\vlc.mo	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\ui-strings.js	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fi-fi\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pt-br\ui-strings.js	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluEmptyFolder_160.svg	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\da-dk\ui-strings.js	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ul-oob.xrm-ms	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\svgCheckboxUnselected.svg	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\rhp_world_icon.png	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\trdtv2r41.xsl	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\simplexml.luac	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\cloud_icon.png	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\ui-strings.js	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\ui-strings.js	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\ui-strings.js	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Common Files\System\ado\adojavas.inc	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\it-it\ui-strings.js	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ca-es\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_ja.jar	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXT	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_cancel_18.svg	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\es-es\ui-strings.js	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ul-oob.xrm-ms	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TITLE.XSL	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\wordEtw.man	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSansBold.ttf	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner-4x.png	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\cs-cz\ui-strings.js	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-text.jar	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ppd.xrm-ms	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sv-se\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nl-nl\ui-strings.js	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\README_en_CA.txt	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\BREEZE.INF	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\ui-strings.js	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\fi-fi\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-tw\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\pl-pl\ui-strings.js	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\adobe_spinner.gif	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe

pid	process
880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 880 wrote to memory of 3836	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	YOQPLLlEcrep.exe
PID 880 wrote to memory of 3836	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	YOQPLLlEcrep.exe
PID 880 wrote to memory of 3836	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	YOQPLLlEcrep.exe
PID 880 wrote to memory of 1584	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	mHniydKdWlan.exe
PID 880 wrote to memory of 1584	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	mHniydKdWlan.exe
PID 880 wrote to memory of 1584	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	mHniydKdWlan.exe
PID 880 wrote to memory of 2720	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	HgIgzeloLlan.exe
PID 880 wrote to memory of 2720	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	HgIgzeloLlan.exe
PID 880 wrote to memory of 2720	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	HgIgzeloLlan.exe
PID 880 wrote to memory of 4540	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	icacls.exe
PID 880 wrote to memory of 4540	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	icacls.exe
PID 880 wrote to memory of 4540	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	icacls.exe
PID 880 wrote to memory of 4552	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	icacls.exe
PID 880 wrote to memory of 4552	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	icacls.exe
PID 880 wrote to memory of 4552	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	icacls.exe
PID 880 wrote to memory of 5108	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	net.exe
PID 880 wrote to memory of 5108	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	net.exe
PID 880 wrote to memory of 5108	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	net.exe
PID 880 wrote to memory of 4712	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	net.exe
PID 880 wrote to memory of 4712	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	net.exe
PID 880 wrote to memory of 4712	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	net.exe
PID 880 wrote to memory of 4060	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	net.exe
PID 880 wrote to memory of 4060	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	net.exe
PID 880 wrote to memory of 4060	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	net.exe
PID 880 wrote to memory of 2416	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	net.exe
PID 880 wrote to memory of 2416	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	net.exe
PID 880 wrote to memory of 2416	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	net.exe
PID 4712 wrote to memory of 5016	4712	net.exe	net1.exe
PID 4712 wrote to memory of 5016	4712	net.exe	net1.exe
PID 4712 wrote to memory of 5016	4712	net.exe	net1.exe
PID 4060 wrote to memory of 4972	4060	net.exe	net1.exe
PID 4060 wrote to memory of 4972	4060	net.exe	net1.exe
PID 4060 wrote to memory of 4972	4060	net.exe	net1.exe
PID 5108 wrote to memory of 4724	5108	net.exe	net1.exe
PID 5108 wrote to memory of 4724	5108	net.exe	net1.exe
PID 5108 wrote to memory of 4724	5108	net.exe	net1.exe
PID 2416 wrote to memory of 4648	2416	net.exe	net1.exe
PID 2416 wrote to memory of 4648	2416	net.exe	net1.exe
PID 2416 wrote to memory of 4648	2416	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
"C:\Users\Admin\AppData\Local\Temp\0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:880

C:\Users\Admin\AppData\Local\Temp\YOQPLLlEcrep.exe
"C:\Users\Admin\AppData\Local\Temp\YOQPLLlEcrep.exe" 9 REP
2⤵
- Executes dropped EXE
PID:3836

C:\Users\Admin\AppData\Local\Temp\mHniydKdWlan.exe
"C:\Users\Admin\AppData\Local\Temp\mHniydKdWlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:1584

C:\Users\Admin\AppData\Local\Temp\HgIgzeloLlan.exe
"C:\Users\Admin\AppData\Local\Temp\HgIgzeloLlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:2720

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4540

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4552

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:4724

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5016

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:4972

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:4648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\BOOTSECT.BAK.RYK

MD5
5b047f8416b09b5d42b3cbdbec9ba8d3

SHA1
a73d0827f899c25c2e03f00e40050784fff20e0a

SHA256
12a9e9206aa4b57b064fb0d5cfd46c9620ce60b33ff1cb1d144327974f92ab6d

SHA512
5c37191e2547d61285b89f3a2cc289298a6c1fc733dc1121b123414cb6b50230965050c806a6a5a645dcc23e6de95fe32b3c41460b87e4d9e340e0b9e347faa7

Download Submit
C:\Boot\BOOTSTAT.DAT.RYK

MD5
684f02dd187b555936eba917fb850340

SHA1
4bdbe8f703123ca5eeb0f06f9235463adaf5094c

SHA256
f918904dc613cfc5fa27acb9c1bfa2452dee844f71a352e52e888e391788a407

SHA512
00df640a3985f8c4023199a6f282b8b93a4c30e22728af1d4c28ad3facb8058a4f2e7b1ec6bc56c8de6b40ef0e63ffa33eac6528ed92a8fbfd9939a801adeed7

Download Submit
C:\Boot\Fonts\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\Resources\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\Resources\en-US\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\bg-BG\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\cs-CZ\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\da-DK\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\de-DE\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\el-GR\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\en-GB\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\en-US\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\es-ES\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\es-MX\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\et-EE\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\fi-FI\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\fr-CA\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\fr-FR\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\hr-HR\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\hu-HU\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\it-IT\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\ja-JP\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\ko-KR\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\lt-LT\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\lv-LV\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\nb-NO\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\nl-NL\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\pl-PL\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\pt-BR\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\pt-PT\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\qps-ploc\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\ro-RO\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\ru-RU\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\sk-SK\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\sl-SI\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\sr-Latn-RS\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\sv-SE\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\tr-TR\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\uk-UA\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\zh-CN\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Boot\zh-TW\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\PerfLogs\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst.RYK

MD5
2ebb03f279bc9ac3492814fcca889f22

SHA1
6cd2ec60da189df0d36ccbef37d7c4c6e7a898dc

SHA256
7fe8ff5c7e66ecb13ca92aa2ce6e40ec17d7187100b998ee211ed35567bd396a

SHA512
cdfe1afa7c24f58c7e500cef5294562e50a7a9d86a8717492eba6ad16dced257b7b2a2cc3a3c75ce2847c3a03ef1e31a9fb6d110040760e8529b9ea0270dc964

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst.RYK

MD5
b4a495e82a735eb6332de7ecaaf5b69c

SHA1
1cfee848f92ad3f84c96d94e112389e7f94b4d84

SHA256
088cfb3edf722e781e70801b8c94da61a1b25a57b7e52187b258e01713b58747

SHA512
49314ded43ebd60d646dfa0eaf71cc57ebf90d089ff0de59ec5fdc4cabcaa28faa950c2deea45a7d40c5e946e5775aaa908e3e34eb3197f875b83662586498d5

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt19.lst.RYK

MD5
53b7d26fba8fd8feb63e4aa312284c4c

SHA1
a225bd866459a0aa1717fdc0ab0cb63c05471d34

SHA256
910811f56b8d98383b5f53c5123c05f57252aa6c5d8d7b86803e18bdbfb3bff0

SHA512
cf1f2f1fd41a2ebf721abefdd4417679d82f2f9db7f3a02fd5b6fe881df3a9decc0a9c7fc3d87e6f5f054c90c30e2f1d8ed301821882e42998c6469396807e66

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat.RYK

MD5
7ca4545efcac4b74375421a5ef539d23

SHA1
522656b52470eea78d174f5a0aecd5ef8519929e

SHA256
dc10a7b66ce9322649574f3504f8d7fa30bd1e9b0f67630ee692af9c9403a3ef

SHA512
310c11a948557cd56b3b6fb1fe470337bdb6a6205a296b0528f7ec9e1a5c5c0a493fda7252aeb4e9589f2252b0f96bd70f0fac708146fd3dc9e94c54402fca08

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK

MD5
160ba850202ace7b6ee2649ede4f892d

SHA1
e363bb2104a6689f0135b8e4e40f016e5dd26f61

SHA256
f67ebc075c8cf513870551e5d25fd789f07971e7df40cfe064a2a666ea7fada4

SHA512
6e98348f04655fe9978cf96f566af79b37bc2dd3638d3cdbceb339dbc6431dea7096e6341eead15540d3e0082fe4bd5e50cb3ccd0798b78ab8fbddb993672e13

Download Submit
C:\Users\Admin\AppData\Local\Temp\HgIgzeloLlan.exe

MD5
9296a9b81bfe119bd786a6f5a8ad43ad

SHA1
581cf7c453358cd94ceed70088470c32a7307c8e

SHA256
0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591

SHA512
64955ec13d7e874d8aeb9490b2ff814473e02ef93eb071bab460add8b5966f660ddca1ba80cf1055f7d2c5cccaf4ad62d908356547c8c13387e622e5dfc849a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\HgIgzeloLlan.exe

MD5
9296a9b81bfe119bd786a6f5a8ad43ad

SHA1
581cf7c453358cd94ceed70088470c32a7307c8e

SHA256
0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591

SHA512
64955ec13d7e874d8aeb9490b2ff814473e02ef93eb071bab460add8b5966f660ddca1ba80cf1055f7d2c5cccaf4ad62d908356547c8c13387e622e5dfc849a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YOQPLLlEcrep.exe

MD5
9296a9b81bfe119bd786a6f5a8ad43ad

SHA1
581cf7c453358cd94ceed70088470c32a7307c8e

SHA256
0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591

SHA512
64955ec13d7e874d8aeb9490b2ff814473e02ef93eb071bab460add8b5966f660ddca1ba80cf1055f7d2c5cccaf4ad62d908356547c8c13387e622e5dfc849a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\YOQPLLlEcrep.exe

MD5
9296a9b81bfe119bd786a6f5a8ad43ad

SHA1
581cf7c453358cd94ceed70088470c32a7307c8e

SHA256
0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591

SHA512
64955ec13d7e874d8aeb9490b2ff814473e02ef93eb071bab460add8b5966f660ddca1ba80cf1055f7d2c5cccaf4ad62d908356547c8c13387e622e5dfc849a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mHniydKdWlan.exe

MD5
9296a9b81bfe119bd786a6f5a8ad43ad

SHA1
581cf7c453358cd94ceed70088470c32a7307c8e

SHA256
0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591

SHA512
64955ec13d7e874d8aeb9490b2ff814473e02ef93eb071bab460add8b5966f660ddca1ba80cf1055f7d2c5cccaf4ad62d908356547c8c13387e622e5dfc849a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mHniydKdWlan.exe

MD5
9296a9b81bfe119bd786a6f5a8ad43ad

SHA1
581cf7c453358cd94ceed70088470c32a7307c8e

SHA256
0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591

SHA512
64955ec13d7e874d8aeb9490b2ff814473e02ef93eb071bab460add8b5966f660ddca1ba80cf1055f7d2c5cccaf4ad62d908356547c8c13387e622e5dfc849a1

Download Submit
C:\Users\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\odt\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\odt\config.xml.RYK

MD5
8392abc28bfdf09de2be9af60943cf06

SHA1
583fa15de3c7ac3d73c30952f2609f07502e8f92

SHA256
5ce386c613ce62285792ab24d5a9ce29e7ceab98a58a35a0cb63b629b066b596

SHA512
2af4db20401cdee8c0a5ec15e24db8c335ee6377b2a549e1486bceeaf466fe96c6acc7a96369234ebecafec795ac6c532a4bc5c2a13dd14fc55e9178d651873a

Download Submit
C:\users\Public\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
memory/880-20-0x0000000002F80000-0x0000000002F81000-memory.dmp

Filesize
4KB

Download
memory/880-3-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/880-2-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/880-21-0x0000000003780000-0x0000000003781000-memory.dmp

Filesize
4KB

Download
memory/1584-9-0x0000000000000000-mapping.dmp

Download
memory/2416-77-0x0000000000000000-mapping.dmp

Download
memory/2720-14-0x0000000000000000-mapping.dmp

Download
memory/3836-4-0x0000000000000000-mapping.dmp

Download
memory/4060-76-0x0000000000000000-mapping.dmp

Download
memory/4540-22-0x0000000000000000-mapping.dmp

Download
memory/4552-23-0x0000000000000000-mapping.dmp

Download
memory/4648-81-0x0000000000000000-mapping.dmp

Download
memory/4712-75-0x0000000000000000-mapping.dmp

Download
memory/4724-80-0x0000000000000000-mapping.dmp

Download
memory/4972-79-0x0000000000000000-mapping.dmp

Download
memory/5016-78-0x0000000000000000-mapping.dmp

Download
memory/5108-74-0x0000000000000000-mapping.dmp

Download