ryuk | 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

Resubmissions

18-10-2023 22:01

231018-1xkmmsbg3v 10

09-07-2021 09:45

210709-w8k71s621j 10

Analysis

max time kernel
123s
max time network
266s
platform
windows10_x64
resource
win10v20210410
submitted
09-07-2021 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
Size

144KB
MD5

89895cf4c88f13e5797aab63dddf1078
SHA1

1efc175983a17bd6c562fe7b054045d6dcb341e5
SHA256

8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a
SHA512

d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'UWUEbcQLr'; $torlink = 'http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

1073r.exezpttZFcBylan.exeSocTmVGrelan.exe

pid process

2508 1073r.exe
2612 zpttZFcBylan.exe
3084 SocTmVGrelan.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

3684 icacls.exe
3464 icacls.exe

pid	process
2508	1073r.exe
2612	zpttZFcBylan.exe
3084	SocTmVGrelan.exe

pid	process
3684	icacls.exe
3464	icacls.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe

description	ioc	process
File opened (read-only)	\??\Z:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\R:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\N:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\L:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\J:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\I:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\H:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\V:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\P:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\O:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\G:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\F:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\E:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\Y:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\Q:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\K:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\T:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\S:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\M:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\X:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\W:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\U:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe

Drops file in Program Files directory 64 IoCs

Processes:

8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.ja_5.5.0.165303.jar	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.descriptorProvider.exsd	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.app_1.3.200.v20130910-1609.jar	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_zh_4.4.0.v20140623020002.jar	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\blafdoc.css	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.contenttype_3.4.200.v20140207-1251.jar	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.base_4.0.200.v20141007-2301.jar	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.annotation_1.2.0.v201401042248.jar	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\COPYRIGHT	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\stopNetworkServer	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_fr.properties	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine_2.3.0.v20140506-1720.jar	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\et-EE\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\time-span-16.png	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.resources_3.9.1.v20140825-1431.jar	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Stars.htm	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.alert.zh_CN_5.5.0.165303.jar	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.jobs_3.6.0.v20140424-0053.jar	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_ja_4.4.0.v20140623020002.jar	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.text.nl_zh_4.4.0.v20140623020002.jar	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-windows.xml	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\artifacts.xml	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer_3.2.200.v20140827-1444.jar	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher_1.1.0.v20131211-1531.jar	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_zh_CN.jar	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro_5.5.0.165303.jar	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_zh_TW.jar	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.lock	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.zh_CN_5.5.0.165303.jar	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.httpcomponents.httpclient_4.2.6.v201311072007.jar	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\IPSEventLogMsg.dll.mui	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_win.css	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-api-visual.xml	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\ij.bat	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\meta-index	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_ja_4.4.0.v20140623020002.jar	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\org-openide-filesystems_zh_CN.jar	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.RSA	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\MANIFEST.MF	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\mailapi.jar	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3980 4732 WerFault.exe PaintStudio.View.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

SCHTASKS.exe

pid process

2304 SCHTASKS.exe
Runs net.exe

pid	pid_target	process	target process
3980	4732	WerFault.exe	PaintStudio.View.exe

pid	process
2304	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe

pid	process
3424	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
3424	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
3424	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
3424	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe

description	pid	process	target process
PID 3424 wrote to memory of 2508	3424	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	1073r.exe
PID 3424 wrote to memory of 2508	3424	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	1073r.exe
PID 3424 wrote to memory of 2508	3424	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	1073r.exe
PID 3424 wrote to memory of 2612	3424	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	zpttZFcBylan.exe
PID 3424 wrote to memory of 2612	3424	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	zpttZFcBylan.exe
PID 3424 wrote to memory of 2612	3424	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	zpttZFcBylan.exe
PID 3424 wrote to memory of 3084	3424	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	SocTmVGrelan.exe
PID 3424 wrote to memory of 3084	3424	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	SocTmVGrelan.exe
PID 3424 wrote to memory of 3084	3424	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	SocTmVGrelan.exe
PID 3424 wrote to memory of 3684	3424	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	icacls.exe
PID 3424 wrote to memory of 3684	3424	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	icacls.exe
PID 3424 wrote to memory of 3684	3424	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	icacls.exe
PID 3424 wrote to memory of 3464	3424	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	icacls.exe
PID 3424 wrote to memory of 3464	3424	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	icacls.exe
PID 3424 wrote to memory of 3464	3424	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
"C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3424

C:\Users\Admin\AppData\Local\Temp\1073r.exe
"C:\Users\Admin\AppData\Local\Temp\1073r.exe" 9 REP
2⤵
- Executes dropped EXE
PID:2508

C:\Users\Admin\AppData\Local\Temp\zpttZFcBylan.exe
"C:\Users\Admin\AppData\Local\Temp\zpttZFcBylan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:2612

C:\Users\Admin\AppData\Local\Temp\SocTmVGrelan.exe
"C:\Users\Admin\AppData\Local\Temp\SocTmVGrelan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:3084

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:3684

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:3464

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:1968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:4160

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:4972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:4268

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:4228

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:4360

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:5024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:4436

C:\Windows\SysWOW64\SCHTASKS.exe
SCHTASKS /CREATE /NP /SC DAILY /TN "PrintIv" /TR "C:\Windows\System32\cmd.exe /c for /l %x in (1,1,50) do start wordpad.exe /p C:\users\Public\WuPbJ.dll" /ST 10:25 /SD 07/10/2021 /ED 07/17/2021
2⤵
- Creates scheduled task(s)
PID:2304

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:5420

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5524

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:5460

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5548

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3464

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\SendAssert.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:1112

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\BackupNew.jpeg" /ForceBootstrapPaint3D
1⤵
PID:3408

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\BackupNew.jpeg" /ForceBootstrapPaint3D
1⤵
PID:4860

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DsSvc
1⤵
PID:4100

C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
"C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
1⤵
PID:4732

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4732 -s 3752
2⤵
- Program crash
PID:3980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\BOOTSECT.BAK.RYK
MD5
84686df2f35de28080b306c1871c9afc

SHA1
a31095f40912af6b1a7eedb960fa928f26623633

SHA256
fac81184796f028263beb147f162dfa695fdcb088b7fe98580a7146adaca0330

SHA512
d37e947cea3127ff6c5df5ddd5b2a4e5c38a60245930287793fa462ab5ce9c78fd72022b734af7601638f48ea1c980bb6ac15e72b03cc1a1f0c95f09a93814d5

Download Submit
C:\Boot\BOOTSTAT.DAT.RYK
MD5
649c0f2c273c69ed7ab4560beaf8f16d

SHA1
7ac0011189eb94f2455f05e9c6332058cf183efe

SHA256
3fc528fcbd18acc78d18bcd536addc074c4c8983b4a5cea1668bbef4110528bc

SHA512
9db7909fdb66516c8e40b18d63f23a6b7f95c01f9af3a753cf4345186ec9b3b7651162a8b913e743574bd7c54cd5f422fd2ce1c908c29995fa3624c2a0d7fd6c

Download Submit
C:\Boot\Fonts\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\Resources\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\Resources\en-US\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\bg-BG\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\cs-CZ\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\da-DK\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\de-DE\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\el-GR\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\en-GB\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\en-US\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\es-ES\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\es-MX\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\et-EE\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\fi-FI\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\fr-CA\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\fr-FR\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\hr-HR\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\hu-HU\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\it-IT\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\ja-JP\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\ko-KR\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\lt-LT\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\lv-LV\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\nb-NO\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\nl-NL\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\pl-PL\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\pt-BR\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\pt-PT\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\qps-ploc\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\ro-RO\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\ru-RU\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\sk-SK\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\sl-SI\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\sr-Latn-RS\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\sv-SE\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\tr-TR\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\uk-UA\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\zh-CN\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Boot\zh-TW\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\PerfLogs\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK
MD5
109b470e6787557bfd3ca8056cd0c976

SHA1
5b3cfd5ac8e5350adaf9e95fb27df580af76ee19

SHA256
74aae94582fca8287ce9ccf620e8e9f57a4f659a819c13abe3337919b781eeca

SHA512
7b82c280f63b0f8edebce714d08bfa4d09b26d8b16d0838eedb284d3400600c5b6f1cf93f5875221ada82458552245e404dca447587c4b7e114cc5e9a8aaf14a

Download Submit
C:\Users\Admin\.oracle_jre_usage\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst.RYK
MD5
9a05fce79b7bc016837f8091f7c65ccb

SHA1
8f8c946e03fd79ea315246099ac84e895f05d5a9

SHA256
d4e2d6724fbe1e7a4da9dd76a5bf28608f4b997c658640a447cd95cfff80afb6

SHA512
b8c2e52c38065bb2b29e6c2db268fe3360928c9a0fc14ca1ed73b9b44507a6b4353fed12309bff876ac84807d39d960b715272fd6b736e07e4ba4b487687998a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
0d4a96b29a4b68a04ed32f8327a6b535

SHA1
85872c99f0502e99d02311aea0b752514ad9c411

SHA256
82ab86c309e9c1038d4356f36c902d35d54cb27ec81594bb200b3bb266d65b3a

SHA512
dc9cb1231a9f3ecca5150cc606e3a8601ef83d337a5465b8620cc12af20ab72f7a77ac690dddb5cfdf8451ca3ade3e58cde60412bbbd44a9763898ed6eabdfae

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
50a63ffd58f5deb535a424400898c093

SHA1
9abdea1e43549de22db39eae4c637442f1e4cde1

SHA256
75c1af69d67c47feea968bc9a3cf5e8e1c9a8e985852f8fdb851074735871a88

SHA512
cc0d7b88222b909ff3a4e9c4b83e0a4bd0c285897bccc3f7db8ff8cca7137dcedb88ed2015841af5db077ec80a7a6831252ecd5e393cedbbef1d11fa7a0b59dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json
MD5
ab2978889682ed171f37a4a3ee78b4bd

SHA1
2469d43986dc064032c06548ff2831e3d38836e4

SHA256
a34dba7826584b75f45fd45693dff3af691fd534854b086b7ce1de96b8056803

SHA512
6d62ceb63f06e3df292323131991f52b257340551683f9cec40466eef322ea14882e458e90b0f1020d8ef2bbc493c5dc6ea644809302a06d0967d6bdec516c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\1073r.exe
MD5
89895cf4c88f13e5797aab63dddf1078

SHA1
1efc175983a17bd6c562fe7b054045d6dcb341e5

SHA256
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

SHA512
d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1073r.exe
MD5
89895cf4c88f13e5797aab63dddf1078

SHA1
1efc175983a17bd6c562fe7b054045d6dcb341e5

SHA256
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

SHA512
d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SocTmVGrelan.exe
MD5
89895cf4c88f13e5797aab63dddf1078

SHA1
1efc175983a17bd6c562fe7b054045d6dcb341e5

SHA256
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

SHA512
d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SocTmVGrelan.exe
MD5
89895cf4c88f13e5797aab63dddf1078

SHA1
1efc175983a17bd6c562fe7b054045d6dcb341e5

SHA256
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

SHA512
d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zpttZFcBylan.exe
MD5
89895cf4c88f13e5797aab63dddf1078

SHA1
1efc175983a17bd6c562fe7b054045d6dcb341e5

SHA256
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

SHA512
d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zpttZFcBylan.exe
MD5
89895cf4c88f13e5797aab63dddf1078

SHA1
1efc175983a17bd6c562fe7b054045d6dcb341e5

SHA256
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

SHA512
d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\Users\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\odt\RyukReadMe.html
MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\odt\config.xml.RYK
MD5
ba0fd80315ecd87e93210b5e8bfa5f27

SHA1
ca3f354aa8286efc9575a130ecb10a7249d94124

SHA256
710357850e0433d123105d5df72f5c1eb2827307084a152728ad5bab38277131

SHA512
fc81b1f8b5cc3940e3b3e40f980b1a4657c40dca2a2e22fab7a5fd6c1ebdea881320c8aa4b93c89fc7e3602a40d8d82bb48abaaaf6dd99a4fcbaac0e260a84ea

Download Submit
memory/1968-130-0x0000000000000000-mapping.dmp

Download
memory/2304-148-0x0000000000000000-mapping.dmp

Download
memory/2508-114-0x0000000000000000-mapping.dmp

Download
memory/2612-117-0x0000000000000000-mapping.dmp

Download
memory/3084-120-0x0000000000000000-mapping.dmp

Download
memory/3464-124-0x0000000000000000-mapping.dmp

Download
memory/3684-123-0x0000000000000000-mapping.dmp

Download
memory/4100-143-0x000001D05AE00000-0x000001D05AE10000-memory.dmp

Filesize
64KB

Download
memory/4100-144-0x000001D05FC30000-0x000001D05FC31000-memory.dmp

Filesize
4KB

Download
memory/4100-142-0x000001D05AB80000-0x000001D05AB90000-memory.dmp

Filesize
64KB

Download
memory/4160-138-0x0000000000000000-mapping.dmp

Download
memory/4228-132-0x0000000000000000-mapping.dmp

Download
memory/4268-136-0x0000000000000000-mapping.dmp

Download
memory/4360-135-0x0000000000000000-mapping.dmp

Download
memory/4436-137-0x0000000000000000-mapping.dmp

Download
memory/4972-131-0x0000000000000000-mapping.dmp

Download
memory/5024-133-0x0000000000000000-mapping.dmp

Download
memory/5420-190-0x0000000000000000-mapping.dmp

Download
memory/5460-191-0x0000000000000000-mapping.dmp

Download
memory/5524-193-0x0000000000000000-mapping.dmp

Download
memory/5548-194-0x0000000000000000-mapping.dmp

Download