ryuk | 4f6db0454c9afe37d358d1399fe8932bec799eb257df11eccc6ab87358c4efb3

Analysis

max time kernel
300s
max time network
291s
platform
windows10_x64
resource
win10v20210408
submitted
04-07-2021 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35ff457Rk.bin.exe.bin.exe
Size

304KB
MD5

5ecae137bf33ecbb981f3b637b06efc5
SHA1

371e01949b1c7316164021e38d624ffbcba3090a
SHA256

4f6db0454c9afe37d358d1399fe8932bec799eb257df11eccc6ab87358c4efb3
SHA512

753a63b1407b21cec5e50bd5ad7158917926c6502ac43ffb61e99a911371798bb05be2845598640ac018dd7d57ccddf3c1f7736d22d0b2c2edde2eb7188d0331

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'yxFS7vMc'; $torlink = 'http://vqurn5zgys2zd5z5r5fxnfskpzr74i63ehk7ucmrlbvsuszapwoo62qd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://vqurn5zgys2zd5z5r5fxnfskpzr74i63ehk7ucmrlbvsuszapwoo62qd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 2 IoCs

Processes:

1073r.exezbcRDXBUMlan.exe

pid process

1200 1073r.exe
1540 zbcRDXBUMlan.exe

pid	process
1200	1073r.exe
1540	zbcRDXBUMlan.exe

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

35ff457Rk.bin.exe.bin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\InitializeFormat.tiff.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Users\Admin\Pictures\RestoreMove.png.RYK	35ff457Rk.bin.exe.bin.exe
File renamed	C:\Users\Admin\Pictures\ImportSync.png => C:\Users\Admin\Pictures\ImportSync.png.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeFormat.tiff	35ff457Rk.bin.exe.bin.exe
File renamed	C:\Users\Admin\Pictures\InitializeFormat.tiff => C:\Users\Admin\Pictures\InitializeFormat.tiff.RYK	35ff457Rk.bin.exe.bin.exe
File renamed	C:\Users\Admin\Pictures\RestoreMove.png => C:\Users\Admin\Pictures\RestoreMove.png.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ImportSync.png.RYK	35ff457Rk.bin.exe.bin.exe

Drops startup file 1 IoCs

Processes:

35ff457Rk.bin.exe.bin.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.html 35ff457Rk.bin.exe.bin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.html	35ff457Rk.bin.exe.bin.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

35ff457Rk.bin.exe.bin.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	35ff457Rk.bin.exe.bin.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

35ff457Rk.bin.exe.bin.exe

description	ioc	process
File opened (read-only)	\??\Z:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\X:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\Q:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\I:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\H:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\J:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\Y:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\W:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\V:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\R:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\P:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\N:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\M:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\E:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\O:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\L:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\U:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\T:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\S:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\K:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\G:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\F:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\B:	35ff457Rk.bin.exe.bin.exe

Drops file in Program Files directory 64 IoCs

Processes:

35ff457Rk.bin.exe.bin.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\RHP_icons_2x.png.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\IEEE2006OfficeOnline.xsl	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\RyukReadMe.html	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\lets-get-started.png	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\StudentReport.dotx.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\RyukReadMe.html	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Complex Machine.pdf	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hu-hu\ui-strings.js.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\RyukReadMe.html	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\RyukReadMe.html	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\css\main.css	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-nodes.jar.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARAIT.TTF.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ppd.xrm-ms	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-visual_ja.jar.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_close2x.png.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicsimple.dotx	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Sybase.xsl.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ALRTINTL.DLL.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\ui-strings.js.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\sfs_icons.png	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\RyukReadMe.html	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-cn\RyukReadMe.html	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\JPEGIM32.FLT	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-ja_jp_2x.gif	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\check-mark-1x.png	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\accessibility_poster.jpg	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_ja.jar	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\ui-strings.js	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\ui-strings.js	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-ma\ui-strings.js	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Close2x.png	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\centered.dotx.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\RyukReadMe.html	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\rss.gif	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ro-ro\ui-strings.js	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql_2.0.100.v20131211-1531.jar.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ppd.xrm-ms	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ta\RyukReadMe.html	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msado26.tlb	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\ui-strings.js.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nl-nl\ui-strings.js.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_zh_4.4.0.v20140623020002.jar	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\cs-cz\RyukReadMe.html	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\psfont.properties.ja.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ppd.xrm-ms	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\RyukReadMe.html	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\core.jar.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins_1.1.200.v20131119-0908.jar	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.base.nl_zh_4.4.0.v20140623020002.jar	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\PROCDB.XLAM.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pt-br\ui-strings.js.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\sandbox.luac	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\RyukReadMe.html	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\ui-strings.js	35ff457Rk.bin.exe.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

35ff457Rk.bin.exe.bin.exe

pid process

3920 35ff457Rk.bin.exe.bin.exe
3920 35ff457Rk.bin.exe.bin.exe
3920 35ff457Rk.bin.exe.bin.exe
3920 35ff457Rk.bin.exe.bin.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

35ff457Rk.bin.exe.bin.exe

pid process

3920 35ff457Rk.bin.exe.bin.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 3936 svchost.exe
Token: SeTcbPrivilege 3936 svchost.exe

pid	process
3920	35ff457Rk.bin.exe.bin.exe
3920	35ff457Rk.bin.exe.bin.exe
3920	35ff457Rk.bin.exe.bin.exe
3920	35ff457Rk.bin.exe.bin.exe

pid	process
3920	35ff457Rk.bin.exe.bin.exe

description	pid	process
Token: SeTcbPrivilege	3936	svchost.exe
Token: SeTcbPrivilege	3936	svchost.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

35ff457Rk.bin.exe.bin.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 3920 wrote to memory of 1200	3920	35ff457Rk.bin.exe.bin.exe	1073r.exe
PID 3920 wrote to memory of 1200	3920	35ff457Rk.bin.exe.bin.exe	1073r.exe
PID 3920 wrote to memory of 1200	3920	35ff457Rk.bin.exe.bin.exe	1073r.exe
PID 3920 wrote to memory of 1540	3920	35ff457Rk.bin.exe.bin.exe	zbcRDXBUMlan.exe
PID 3920 wrote to memory of 1540	3920	35ff457Rk.bin.exe.bin.exe	zbcRDXBUMlan.exe
PID 3920 wrote to memory of 1540	3920	35ff457Rk.bin.exe.bin.exe	zbcRDXBUMlan.exe
PID 3920 wrote to memory of 2352	3920	35ff457Rk.bin.exe.bin.exe	net.exe
PID 3920 wrote to memory of 2352	3920	35ff457Rk.bin.exe.bin.exe	net.exe
PID 3920 wrote to memory of 2352	3920	35ff457Rk.bin.exe.bin.exe	net.exe
PID 3920 wrote to memory of 2504	3920	35ff457Rk.bin.exe.bin.exe	net.exe
PID 3920 wrote to memory of 2504	3920	35ff457Rk.bin.exe.bin.exe	net.exe
PID 3920 wrote to memory of 2504	3920	35ff457Rk.bin.exe.bin.exe	net.exe
PID 3920 wrote to memory of 2308	3920	35ff457Rk.bin.exe.bin.exe	net.exe
PID 3920 wrote to memory of 2308	3920	35ff457Rk.bin.exe.bin.exe	net.exe
PID 3920 wrote to memory of 2308	3920	35ff457Rk.bin.exe.bin.exe	net.exe
PID 3920 wrote to memory of 3604	3920	35ff457Rk.bin.exe.bin.exe	net.exe
PID 3920 wrote to memory of 3604	3920	35ff457Rk.bin.exe.bin.exe	net.exe
PID 3920 wrote to memory of 3604	3920	35ff457Rk.bin.exe.bin.exe	net.exe
PID 3920 wrote to memory of 2780	3920	35ff457Rk.bin.exe.bin.exe	net.exe
PID 3920 wrote to memory of 2780	3920	35ff457Rk.bin.exe.bin.exe	net.exe
PID 3920 wrote to memory of 2780	3920	35ff457Rk.bin.exe.bin.exe	net.exe
PID 3920 wrote to memory of 2652	3920	35ff457Rk.bin.exe.bin.exe	net.exe
PID 3920 wrote to memory of 2652	3920	35ff457Rk.bin.exe.bin.exe	net.exe
PID 3920 wrote to memory of 2652	3920	35ff457Rk.bin.exe.bin.exe	net.exe
PID 2352 wrote to memory of 1644	2352	net.exe	net1.exe
PID 2352 wrote to memory of 1644	2352	net.exe	net1.exe
PID 2352 wrote to memory of 1644	2352	net.exe	net1.exe
PID 2308 wrote to memory of 1104	2308	net.exe	net1.exe
PID 2308 wrote to memory of 1104	2308	net.exe	net1.exe
PID 2308 wrote to memory of 1104	2308	net.exe	net1.exe
PID 2652 wrote to memory of 3488	2652	net.exe	net1.exe
PID 2652 wrote to memory of 3488	2652	net.exe	net1.exe
PID 2652 wrote to memory of 3488	2652	net.exe	net1.exe
PID 3604 wrote to memory of 2136	3604	net.exe	net1.exe
PID 3604 wrote to memory of 2136	3604	net.exe	net1.exe
PID 3604 wrote to memory of 2136	3604	net.exe	net1.exe
PID 2780 wrote to memory of 2252	2780	net.exe	net1.exe
PID 2780 wrote to memory of 2252	2780	net.exe	net1.exe
PID 2780 wrote to memory of 2252	2780	net.exe	net1.exe
PID 2504 wrote to memory of 1260	2504	net.exe	net1.exe
PID 2504 wrote to memory of 1260	2504	net.exe	net1.exe
PID 2504 wrote to memory of 1260	2504	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\35ff457Rk.bin.exe.bin.exe
"C:\Users\Admin\AppData\Local\Temp\35ff457Rk.bin.exe.bin.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3920

C:\Users\Admin\AppData\Local\Temp\1073r.exe
"C:\Users\Admin\AppData\Local\Temp\1073r.exe" 9 REP
2⤵
- Executes dropped EXE
PID:1200

C:\Users\Admin\AppData\Local\Temp\zbcRDXBUMlan.exe
"C:\Users\Admin\AppData\Local\Temp\zbcRDXBUMlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:1540

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1644

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1260

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1104

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2136

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "coremessagingregistrar" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "coremessagingregistrar" /y
3⤵
PID:3488

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "coremessagingregistrar" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "coremessagingregistrar" /y
3⤵
PID:2252

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1073r.exe

MD5
5ecae137bf33ecbb981f3b637b06efc5

SHA1
371e01949b1c7316164021e38d624ffbcba3090a

SHA256
4f6db0454c9afe37d358d1399fe8932bec799eb257df11eccc6ab87358c4efb3

SHA512
753a63b1407b21cec5e50bd5ad7158917926c6502ac43ffb61e99a911371798bb05be2845598640ac018dd7d57ccddf3c1f7736d22d0b2c2edde2eb7188d0331

Download Submit
C:\Users\Admin\AppData\Local\Temp\1073r.exe

MD5
5ecae137bf33ecbb981f3b637b06efc5

SHA1
371e01949b1c7316164021e38d624ffbcba3090a

SHA256
4f6db0454c9afe37d358d1399fe8932bec799eb257df11eccc6ab87358c4efb3

SHA512
753a63b1407b21cec5e50bd5ad7158917926c6502ac43ffb61e99a911371798bb05be2845598640ac018dd7d57ccddf3c1f7736d22d0b2c2edde2eb7188d0331

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbcRDXBUMlan.exe

MD5
5ecae137bf33ecbb981f3b637b06efc5

SHA1
371e01949b1c7316164021e38d624ffbcba3090a

SHA256
4f6db0454c9afe37d358d1399fe8932bec799eb257df11eccc6ab87358c4efb3

SHA512
753a63b1407b21cec5e50bd5ad7158917926c6502ac43ffb61e99a911371798bb05be2845598640ac018dd7d57ccddf3c1f7736d22d0b2c2edde2eb7188d0331

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbcRDXBUMlan.exe

MD5
5ecae137bf33ecbb981f3b637b06efc5

SHA1
371e01949b1c7316164021e38d624ffbcba3090a

SHA256
4f6db0454c9afe37d358d1399fe8932bec799eb257df11eccc6ab87358c4efb3

SHA512
753a63b1407b21cec5e50bd5ad7158917926c6502ac43ffb61e99a911371798bb05be2845598640ac018dd7d57ccddf3c1f7736d22d0b2c2edde2eb7188d0331

Download Submit
C:\users\Public\RyukReadMe.html

MD5
2e5e14067765d72863acbaf732761db9

SHA1
33838b34e60adefa7fc8d3902261bf5e00be72e1

SHA256
0a085157f9c55b7114323a46134663d8bc77763924a0480cb2f1da7c71d2ee5d

SHA512
00dc6162f1a46fbf08c651c146d235ab540eb725b2cbf34cef82492ca0d47d3b53bfd2b54601ebf700c665f85d00cd1dfa00dbdc40ba0c2aac0cc84177e31f16

Download Submit
\??\UNC\10.10.0.34\C$\$Recycle.Bin\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\BOOTSTAT.DAT.RYK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\Fonts\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\Resources\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\Resources\en-US\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\bg-BG\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\cs-CZ\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\da-DK\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\de-DE\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\el-GR\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\en-GB\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\en-US\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\es-ES\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\es-MX\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\et-EE\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\fi-FI\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\fr-CA\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\fr-FR\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\hr-HR\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\hu-HU\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\it-IT\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\ja-JP\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\ko-KR\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\lt-LT\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\lv-LV\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\nb-NO\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\nl-NL\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\pl-PL\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\pt-BR\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\pt-PT\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\qps-ploc\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\ro-RO\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\ru-RU\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\sk-SK\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\sl-SI\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\sr-Latn-RS\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\sv-SE\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\tr-TR\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\uk-UA\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\Boot\zh-CN\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.34\C$\RyukReadMe.html

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1104-133-0x0000000000000000-mapping.dmp

Download
memory/1200-116-0x0000000000000000-mapping.dmp

Download
memory/1200-122-0x00000000004E0000-0x000000000062A000-memory.dmp

Filesize
1.3MB

Download
memory/1200-123-0x0000000035000000-0x0000000035054000-memory.dmp

Filesize
336KB

Download
memory/1260-137-0x0000000000000000-mapping.dmp

Download
memory/1540-124-0x00000000004E0000-0x0000000000506000-memory.dmp

Filesize
152KB

Download
memory/1540-125-0x0000000035000000-0x0000000035054000-memory.dmp

Filesize
336KB

Download
memory/1540-119-0x0000000000000000-mapping.dmp

Download
memory/1644-132-0x0000000000000000-mapping.dmp

Download
memory/2136-135-0x0000000000000000-mapping.dmp

Download
memory/2252-136-0x0000000000000000-mapping.dmp

Download
memory/2308-128-0x0000000000000000-mapping.dmp

Download
memory/2352-126-0x0000000000000000-mapping.dmp

Download
memory/2504-127-0x0000000000000000-mapping.dmp

Download
memory/2652-131-0x0000000000000000-mapping.dmp

Download
memory/2780-130-0x0000000000000000-mapping.dmp

Download
memory/3488-134-0x0000000000000000-mapping.dmp

Download
memory/3604-129-0x0000000000000000-mapping.dmp

Download
memory/3920-115-0x0000000035000000-0x0000000035054000-memory.dmp

Filesize
336KB

Download
memory/3920-114-0x00000000004C0000-0x000000000060A000-memory.dmp

Filesize
1.3MB

Download