ryuk | 2b23e704cfd8d62a359ef0325bfd4aaef5249cf6567ab8eceb88395978e3291a

Analysis

max time kernel
144s
max time network
152s
platform
windows10_x64
resource
win10v20201028
submitted
30-03-2021 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
Size

836KB
MD5

c5cd1f0fe551a0ce5678a7c9d86e6450
SHA1

f584c89c1539520f280efd9bcd4cb3da37588979
SHA256

e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894
SHA512

40f9578b711e41cd166b24b8aa0bfb6dee01a8e4a46eb54591e61d97cfc5a83dc58fb4256dc05f756274cda65ad5d680f9e370ad0c825861fd7080e5da5fd2e4

Score

10^/10

ryuk dave discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'DQlMnNo'; $torlink = 'http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Dave packer 1 IoCs

Detects executable packed with a packer named 'Dave' from the community, due to a string at the end of it.

dave

Processes:

resource	yara_rule
behavioral2/memory/496-4-0x00000000022D0000-0x00000000022F1000-memory.dmp	dave

Executes dropped EXE 3 IoCs

Processes:

jPKOSSRMprep.exeFfSjcDQAYlan.exefeYuzNglflan.exe

pid process

2384 jPKOSSRMprep.exe
2620 FfSjcDQAYlan.exe
4476 feYuzNglflan.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

4552 icacls.exe
4564 icacls.exe

pid	process
2384	jPKOSSRMprep.exe
2620	FfSjcDQAYlan.exe
4476	feYuzNglflan.exe

pid	process
4552	icacls.exe
4564	icacls.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe

Drops file in Program Files directory 64 IoCs

Processes:

e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\SPRING.ELM	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-sl\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sk-sk\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\sv-se\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul-oob.xrm-ms	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\PSS10R.CHM	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_nextarrow_default.svg	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ro-ro\ui-strings.js	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\fi-fi\ui-strings.js	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi_3.10.1.v20140909-1633.jar	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-templates.xml_hidden	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ppd.xrm-ms	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-140.png	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MANIFEST.XML	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.WPG	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_filetype_psd.svg	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_sv_135x40.svg	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_en_135x40.svg	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\sendforsignature.svg	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\RedAndBlackReport.dotx	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\cs-cz\ui-strings.js	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-gb\ui-strings.js	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\hr-hr\ui-strings.js	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner2x.gif	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedback.gif	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui_5.5.0.165303.jar	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.MSOUC.16.1033.hxn	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-ui-theme.css	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sv-se\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-gb\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_close2x.png	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-oob.xrm-ms	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\ccloud.png	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nl-nl\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_zh_4.4.0.v20140623020002.jar	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\check-mark-2x.png	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ppd.xrm-ms	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8FR.LEX	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msjet.xsl	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-si\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\close.svg	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\AugLoop\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-180.png	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPP.VBS	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\EDGE.INF	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\PAPYRUS.INF	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\SLATE.INF	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\RIPPLE.INF	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_close.png	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ppd.xrm-ms	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\fr-fr\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe

pid	process
496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exejPKOSSRMprep.exeFfSjcDQAYlan.exefeYuzNglflan.exe

pid	process
496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
2384	jPKOSSRMprep.exe
2384	jPKOSSRMprep.exe
2620	FfSjcDQAYlan.exe
2620	FfSjcDQAYlan.exe
4476	feYuzNglflan.exe
4476	feYuzNglflan.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 496 wrote to memory of 2384	496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	jPKOSSRMprep.exe
PID 496 wrote to memory of 2384	496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	jPKOSSRMprep.exe
PID 496 wrote to memory of 2384	496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	jPKOSSRMprep.exe
PID 496 wrote to memory of 2620	496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	FfSjcDQAYlan.exe
PID 496 wrote to memory of 2620	496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	FfSjcDQAYlan.exe
PID 496 wrote to memory of 2620	496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	FfSjcDQAYlan.exe
PID 496 wrote to memory of 4476	496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	feYuzNglflan.exe
PID 496 wrote to memory of 4476	496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	feYuzNglflan.exe
PID 496 wrote to memory of 4476	496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	feYuzNglflan.exe
PID 496 wrote to memory of 4552	496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	icacls.exe
PID 496 wrote to memory of 4552	496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	icacls.exe
PID 496 wrote to memory of 4552	496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	icacls.exe
PID 496 wrote to memory of 4564	496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	icacls.exe
PID 496 wrote to memory of 4564	496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	icacls.exe
PID 496 wrote to memory of 4564	496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	icacls.exe
PID 496 wrote to memory of 4608	496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	net.exe
PID 496 wrote to memory of 4608	496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	net.exe
PID 496 wrote to memory of 4608	496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	net.exe
PID 496 wrote to memory of 5096	496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	net.exe
PID 496 wrote to memory of 5096	496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	net.exe
PID 496 wrote to memory of 5096	496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	net.exe
PID 496 wrote to memory of 2480	496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	net.exe
PID 496 wrote to memory of 2480	496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	net.exe
PID 496 wrote to memory of 2480	496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	net.exe
PID 496 wrote to memory of 1064	496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	net.exe
PID 496 wrote to memory of 1064	496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	net.exe
PID 496 wrote to memory of 1064	496	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	net.exe
PID 1064 wrote to memory of 4956	1064	net.exe	net1.exe
PID 4608 wrote to memory of 4644	4608	net.exe	net1.exe
PID 1064 wrote to memory of 4956	1064	net.exe	net1.exe
PID 4608 wrote to memory of 4644	4608	net.exe	net1.exe
PID 1064 wrote to memory of 4956	1064	net.exe	net1.exe
PID 4608 wrote to memory of 4644	4608	net.exe	net1.exe
PID 2480 wrote to memory of 5060	2480	net.exe	net1.exe
PID 2480 wrote to memory of 5060	2480	net.exe	net1.exe
PID 2480 wrote to memory of 5060	2480	net.exe	net1.exe
PID 5096 wrote to memory of 4824	5096	net.exe	net1.exe
PID 5096 wrote to memory of 4824	5096	net.exe	net1.exe
PID 5096 wrote to memory of 4824	5096	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
"C:\Users\Admin\AppData\Local\Temp\e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:496

C:\Users\Admin\AppData\Local\Temp\jPKOSSRMprep.exe
"C:\Users\Admin\AppData\Local\Temp\jPKOSSRMprep.exe" 9 REP
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2384

C:\Users\Admin\AppData\Local\Temp\FfSjcDQAYlan.exe
"C:\Users\Admin\AppData\Local\Temp\FfSjcDQAYlan.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2620

C:\Users\Admin\AppData\Local\Temp\feYuzNglflan.exe
"C:\Users\Admin\AppData\Local\Temp\feYuzNglflan.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4476

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4552

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4564

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:4824

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4608

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:4644

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:4956

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\BOOTSECT.BAK.RYK

MD5
ae86d30f9562bb1e861e7b7b23874190

SHA1
8015fab96f11d9aab7ef740bb699edd27a97db90

SHA256
edc280e99eeef4fe159c1c47d2dd0b46a2fbfbf5da353c41c83f1496cf758f71

SHA512
39cb0d1ebb53b6e747a9bb8e2290f2150fedd0f059126b5aa05364fa194ad30e457c47ea2480b8c0298294c543c80899b4a00d6aeddedf67eff0107c7179d946

Download Submit
C:\Boot\BOOTSTAT.DAT.RYK

MD5
d05f1f12c532cf0b18d09230cd5b1990

SHA1
7517f291d5840d9ef9a31d9818e680d73f483352

SHA256
ad853e602c678d7603e360bdc9730579b54ac207f56790b3e8e95c13b357febc

SHA512
35c5e5527155d157aeebbf46ebc167d3ec4133a289c7bc05f73b190f901b82b380eeed165762eba4f5897073bdff17e5740e4070925a4c036a0789a4230b98a1

Download Submit
C:\Boot\Fonts\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\Resources\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\Resources\en-US\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\bg-BG\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\cs-CZ\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\da-DK\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\de-DE\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\el-GR\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\en-GB\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\en-US\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\es-ES\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\es-MX\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\et-EE\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\fi-FI\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\fr-CA\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\fr-FR\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\hr-HR\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\hu-HU\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\it-IT\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\ja-JP\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\ko-KR\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\lt-LT\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\lv-LV\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\nb-NO\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\nl-NL\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\pl-PL\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\pt-BR\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\pt-PT\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\qps-ploc\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\ro-RO\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\ru-RU\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\sk-SK\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\sl-SI\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\sr-Latn-RS\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\sv-SE\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\tr-TR\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\uk-UA\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\zh-CN\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Boot\zh-TW\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\PerfLogs\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\ToolsSearchCacheRdr\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\FfSjcDQAYlan.exe

MD5
c5cd1f0fe551a0ce5678a7c9d86e6450

SHA1
f584c89c1539520f280efd9bcd4cb3da37588979

SHA256
e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894

SHA512
40f9578b711e41cd166b24b8aa0bfb6dee01a8e4a46eb54591e61d97cfc5a83dc58fb4256dc05f756274cda65ad5d680f9e370ad0c825861fd7080e5da5fd2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FfSjcDQAYlan.exe

MD5
c5cd1f0fe551a0ce5678a7c9d86e6450

SHA1
f584c89c1539520f280efd9bcd4cb3da37588979

SHA256
e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894

SHA512
40f9578b711e41cd166b24b8aa0bfb6dee01a8e4a46eb54591e61d97cfc5a83dc58fb4256dc05f756274cda65ad5d680f9e370ad0c825861fd7080e5da5fd2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\feYuzNglflan.exe

MD5
c5cd1f0fe551a0ce5678a7c9d86e6450

SHA1
f584c89c1539520f280efd9bcd4cb3da37588979

SHA256
e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894

SHA512
40f9578b711e41cd166b24b8aa0bfb6dee01a8e4a46eb54591e61d97cfc5a83dc58fb4256dc05f756274cda65ad5d680f9e370ad0c825861fd7080e5da5fd2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\feYuzNglflan.exe

MD5
c5cd1f0fe551a0ce5678a7c9d86e6450

SHA1
f584c89c1539520f280efd9bcd4cb3da37588979

SHA256
e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894

SHA512
40f9578b711e41cd166b24b8aa0bfb6dee01a8e4a46eb54591e61d97cfc5a83dc58fb4256dc05f756274cda65ad5d680f9e370ad0c825861fd7080e5da5fd2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jPKOSSRMprep.exe

MD5
c5cd1f0fe551a0ce5678a7c9d86e6450

SHA1
f584c89c1539520f280efd9bcd4cb3da37588979

SHA256
e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894

SHA512
40f9578b711e41cd166b24b8aa0bfb6dee01a8e4a46eb54591e61d97cfc5a83dc58fb4256dc05f756274cda65ad5d680f9e370ad0c825861fd7080e5da5fd2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jPKOSSRMprep.exe

MD5
c5cd1f0fe551a0ce5678a7c9d86e6450

SHA1
f584c89c1539520f280efd9bcd4cb3da37588979

SHA256
e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894

SHA512
40f9578b711e41cd166b24b8aa0bfb6dee01a8e4a46eb54591e61d97cfc5a83dc58fb4256dc05f756274cda65ad5d680f9e370ad0c825861fd7080e5da5fd2e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1985363256-3005190890-1182679451-1000\0f5007522459c86e95ffcc62f32308f1_72727c5d-8d0e-47bb-8579-8067735277ff

MD5
7b1ecc20587f6343e9c6ed6a5eba94b2

SHA1
116dc65a6f406bf97e4e0165212cbce5e53ebafb

SHA256
6a4c8fe276aaa399558f6caf2eba32a366212e03dbb1a80d55738981fcf70687

SHA512
f02c1a1761ec9ef43e28e41d59cd56201495820e79a060dea3b14391780bcbd6f10d9149dbebc3de5ab32798d23c7ade2dff0df5cdf37f24801149208d6b8723

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1985363256-3005190890-1182679451-1000\0f5007522459c86e95ffcc62f32308f1_72727c5d-8d0e-47bb-8579-8067735277ff

MD5
beb65fda9d501e2a509516eb210e9f4d

SHA1
f58c0b7f83ef2e9e23c00038ad26f0a90129c7d0

SHA256
2ae3ad0ddd559da10402e2fa47809ebd7179c57974a09a29839b01602117d2cc

SHA512
38eac7be4faa7880c988fe38624b91c028d735fe54939b697999ade35eb6755b8da5141a4b3406ababb89f13ec32b48405456772fd2debf34075e52ad54fa64a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1985363256-3005190890-1182679451-1000\0f5007522459c86e95ffcc62f32308f1_72727c5d-8d0e-47bb-8579-8067735277ff

MD5
34a8cf31e07c718df320d2ff613ca229

SHA1
8b72ec6f957a11473d9eb6f9695914ef42d37797

SHA256
5aa2f175995cd70710aa1c9c91fa724941ea1c9f09bcad3dab4dda25b151864f

SHA512
82b4a8f76c56f36a297603baeeb3c9f6d443857147a5189b7d558a01eaa189d5faa7dd504e37af82f25df75b8a1506e9711fc9d378be09790ea86c6bb478c597

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1985363256-3005190890-1182679451-1000\0f5007522459c86e95ffcc62f32308f1_72727c5d-8d0e-47bb-8579-8067735277ff

MD5
62d45e3fe0cba71334adb01228753e6b

SHA1
5b7b8cf4c266a12548123014d7562c9b510ea418

SHA256
5cd05e96fe25550eac1a6dafa2c7b49e8d95069caa391971f554c69701664542

SHA512
bd172d011301b044dc169d36aba684cf2c4db546477648362cdffe21d222fe3f8ee63ff1d45d72989bcb62a7e6e26252aab51048c1a308cb9ba921a942032da0

Download Submit
C:\Users\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\odt\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\odt\config.xml.RYK

MD5
8ef88787a8a20ad8c5d1b5f4213fd926

SHA1
6801797f0c0ad547c3f9db9be91d8991344a4af7

SHA256
ea1dc638c0ef173341ad76ae6bbe976229a3ce4ba776b2267a85091224e2d84a

SHA512
f06e5780153d3ccd8ed028dee819fa1ae279e420fc791dba0ec96af0303d965741a5e05e96e7ae7abe410e563c8597cfa0ff14d401c29b7f002f48cd00c078ee

Download Submit
C:\users\Public\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
memory/496-28-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

Filesize
4KB

Download
memory/496-4-0x00000000022D0000-0x00000000022F1000-memory.dmp

Filesize
132KB

Download
memory/496-3-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/496-2-0x0000000002500000-0x0000000002524000-memory.dmp

Filesize
144KB

Download
memory/496-27-0x00000000032F0000-0x00000000032F1000-memory.dmp

Filesize
4KB

Download
memory/1064-85-0x0000000000000000-mapping.dmp

Download
memory/2384-5-0x0000000000000000-mapping.dmp

Download
memory/2384-9-0x00000000020A0000-0x00000000020C4000-memory.dmp

Filesize
144KB

Download
memory/2480-84-0x0000000000000000-mapping.dmp

Download
memory/2620-16-0x00000000007B0000-0x00000000007D4000-memory.dmp

Filesize
144KB

Download
memory/2620-12-0x0000000000000000-mapping.dmp

Download
memory/4476-19-0x0000000000000000-mapping.dmp

Download
memory/4476-23-0x0000000000810000-0x0000000000834000-memory.dmp

Filesize
144KB

Download
memory/4552-29-0x0000000000000000-mapping.dmp

Download
memory/4564-30-0x0000000000000000-mapping.dmp

Download
memory/4608-82-0x0000000000000000-mapping.dmp

Download
memory/4644-87-0x0000000000000000-mapping.dmp

Download
memory/4824-89-0x0000000000000000-mapping.dmp

Download
memory/4956-86-0x0000000000000000-mapping.dmp

Download
memory/5060-88-0x0000000000000000-mapping.dmp

Download
memory/5096-83-0x0000000000000000-mapping.dmp

Download