Malware Analysis Report

2024-08-06 09:24

Sample ID 210709-w8k71s621j
Target 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a
SHA256 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a
Tags ryuk discovery ransomware
Score 10/10

Analysis Overview

score
10/10

SHA256

8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

Threat Level: Known bad

The file 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a was found to be: Known bad.

Malicious Activity Summary

ryuk discovery ransomware

Ryuk

Executes dropped EXE

Modifies file permissions

Enumerates connected drives

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2021-07-09 09:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-07-09 09:45

Reported

2021-07-09 09:50

Platform

win10v20210410

Max time kernel

123s

Max time network

266s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe"

Signatures

Ryuk

ransomware ryuk

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.ja_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.descriptorProvider.exsd C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.app_1.3.200.v20130910-1609.jar C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\blafdoc.css C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.contenttype_3.4.200.v20140207-1251.jar C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.base_4.0.200.v20141007-2301.jar C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.annotation_1.2.0.v201401042248.jar C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\COPYRIGHT C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\bin\stopNetworkServer C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_fr.properties C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine_2.3.0.v20140506-1720.jar C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\et-EE\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\tr.txt C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\time-span-16.png C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.resources_3.9.1.v20140825-1431.jar C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Stationery\Stars.htm C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.alert.zh_CN_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.jobs_3.6.0.v20140424-0053.jar C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.text.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-windows.xml C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\artifacts.xml C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer_3.2.200.v20140827-1444.jar C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher_1.1.0.v20131211-1531.jar C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.sfx C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\en-US\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_zh_TW.jar C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.lock C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.zh_CN_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.httpcomponents.httpclient_4.2.6.v201311072007.jar C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-US\IPSEventLogMsg.dll.mui C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_win.css C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-api-visual.xml C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\br.txt C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\bin\ij.bat C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\meta-index C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\org-openide-filesystems_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.RSA C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\MANIFEST.MF C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\mailapi.jar C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\SCHTASKS.exe N/A

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3424 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe C:\Users\Admin\AppData\Local\Temp\1073r.exe
PID 3424 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe C:\Users\Admin\AppData\Local\Temp\1073r.exe
PID 3424 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe C:\Users\Admin\AppData\Local\Temp\1073r.exe
PID 3424 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe C:\Users\Admin\AppData\Local\Temp\zpttZFcBylan.exe
PID 3424 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe C:\Users\Admin\AppData\Local\Temp\zpttZFcBylan.exe
PID 3424 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe C:\Users\Admin\AppData\Local\Temp\zpttZFcBylan.exe
PID 3424 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe C:\Users\Admin\AppData\Local\Temp\SocTmVGrelan.exe
PID 3424 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe C:\Users\Admin\AppData\Local\Temp\SocTmVGrelan.exe
PID 3424 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe C:\Users\Admin\AppData\Local\Temp\SocTmVGrelan.exe
PID 3424 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe C:\Windows\SysWOW64\icacls.exe
PID 3424 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe C:\Windows\SysWOW64\icacls.exe
PID 3424 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe C:\Windows\SysWOW64\icacls.exe
PID 3424 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe C:\Windows\SysWOW64\icacls.exe
PID 3424 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe C:\Windows\SysWOW64\icacls.exe
PID 3424 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe C:\Windows\SysWOW64\icacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe

"C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\SendAssert.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Users\Admin\AppData\Local\Temp\1073r.exe

"C:\Users\Admin\AppData\Local\Temp\1073r.exe" 9 REP

C:\Users\Admin\AppData\Local\Temp\zpttZFcBylan.exe

"C:\Users\Admin\AppData\Local\Temp\zpttZFcBylan.exe" 8 LAN

C:\Users\Admin\AppData\Local\Temp\SocTmVGrelan.exe

"C:\Users\Admin\AppData\Local\Temp\SocTmVGrelan.exe" 8 LAN

C:\Windows\SysWOW64\icacls.exe

icacls "C:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\icacls.exe

icacls "D:\*" /grant Everyone:F /T /C /Q

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\BackupNew.jpeg" /ForceBootstrapPaint3D

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\BackupNew.jpeg" /ForceBootstrapPaint3D

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DsSvc

C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe

"C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4732 -s 3752

C:\Windows\SysWOW64\SCHTASKS.exe

SCHTASKS /CREATE /NP /SC DAILY /TN "PrintIv" /TR "C:\Windows\System32\cmd.exe /c for /l %x in (1,1,50) do start wordpad.exe /p C:\users\Public\WuPbJ.dll" /ST 10:25 /SD 07/10/2021 /ED 07/17/2021

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 settings-win.data.microsoft.com udp
N/A 51.124.78.146:443 settings-win.data.microsoft.com tcp
N/A 8.8.8.8:53 watson.telemetry.microsoft.com udp
N/A 52.147.198.201:443 watson.telemetry.microsoft.com tcp

Files

memory/2508-114-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1073r.exe

MD5 89895cf4c88f13e5797aab63dddf1078
SHA1 1efc175983a17bd6c562fe7b054045d6dcb341e5
SHA256 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a
SHA512 d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

C:\Users\Admin\AppData\Local\Temp\1073r.exe

MD5 89895cf4c88f13e5797aab63dddf1078
SHA1 1efc175983a17bd6c562fe7b054045d6dcb341e5
SHA256 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a
SHA512 d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

memory/2612-117-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\zpttZFcBylan.exe

MD5 89895cf4c88f13e5797aab63dddf1078
SHA1 1efc175983a17bd6c562fe7b054045d6dcb341e5
SHA256 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a
SHA512 d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

C:\Users\Admin\AppData\Local\Temp\zpttZFcBylan.exe

MD5 89895cf4c88f13e5797aab63dddf1078
SHA1 1efc175983a17bd6c562fe7b054045d6dcb341e5
SHA256 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a
SHA512 d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

memory/3084-120-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\SocTmVGrelan.exe

MD5 89895cf4c88f13e5797aab63dddf1078
SHA1 1efc175983a17bd6c562fe7b054045d6dcb341e5
SHA256 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a
SHA512 d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

C:\Users\Admin\AppData\Local\Temp\SocTmVGrelan.exe

MD5 89895cf4c88f13e5797aab63dddf1078
SHA1 1efc175983a17bd6c562fe7b054045d6dcb341e5
SHA256 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a
SHA512 d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

memory/3464-124-0x0000000000000000-mapping.dmp

memory/3684-123-0x0000000000000000-mapping.dmp

C:\$Recycle.Bin\RyukReadMe.html

MD5 e814cd9c600ee9b146ded05082ee80e8
SHA1 2f9a7b8da2bd57a2bb812374c8e7eee975583214
SHA256 b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b
SHA512 c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

C:\odt\RyukReadMe.html

MD5 e814cd9c600ee9b146ded05082ee80e8
SHA1 2f9a7b8da2bd57a2bb812374c8e7eee975583214
SHA256 b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b
SHA512 c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

C:\odt\config.xml.RYK

MD5 ba0fd80315ecd87e93210b5e8bfa5f27
SHA1 ca3f354aa8286efc9575a130ecb10a7249d94124
SHA256 710357850e0433d123105d5df72f5c1eb2827307084a152728ad5bab38277131
SHA512 fc81b1f8b5cc3940e3b3e40f980b1a4657c40dca2a2e22fab7a5fd6c1ebdea881320c8aa4b93c89fc7e3602a40d8d82bb48abaaaf6dd99a4fcbaac0e260a84ea

C:\BOOTSECT.BAK.RYK

MD5 84686df2f35de28080b306c1871c9afc
SHA1 a31095f40912af6b1a7eedb960fa928f26623633
SHA256 fac81184796f028263beb147f162dfa695fdcb088b7fe98580a7146adaca0330
SHA512 d37e947cea3127ff6c5df5ddd5b2a4e5c38a60245930287793fa462ab5ce9c78fd72022b734af7601638f48ea1c980bb6ac15e72b03cc1a1f0c95f09a93814d5

C:\PerfLogs\RyukReadMe.html

MD5 e814cd9c600ee9b146ded05082ee80e8
SHA1 2f9a7b8da2bd57a2bb812374c8e7eee975583214
SHA256 b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b
SHA512 c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

memory/1968-130-0x0000000000000000-mapping.dmp

memory/4972-131-0x0000000000000000-mapping.dmp

memory/4228-132-0x0000000000000000-mapping.dmp

memory/5024-133-0x0000000000000000-mapping.dmp

C:\RyukReadMe.html

MD5 e814cd9c600ee9b146ded05082ee80e8
SHA1 2f9a7b8da2bd57a2bb812374c8e7eee975583214
SHA256 b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b
SHA512 c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

memory/4360-135-0x0000000000000000-mapping.dmp

memory/4160-138-0x0000000000000000-mapping.dmp

memory/4436-137-0x0000000000000000-mapping.dmp

memory/4268-136-0x0000000000000000-mapping.dmp

C:\Users\RyukReadMe.html

MD5 e814cd9c600ee9b146ded05082ee80e8
SHA1 2f9a7b8da2bd57a2bb812374c8e7eee975583214
SHA256 b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b
SHA512 c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

C:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\RyukReadMe.html

MD5 e814cd9c600ee9b146ded05082ee80e8
SHA1 2f9a7b8da2bd57a2bb812374c8e7eee975583214
SHA256 b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b
SHA512 c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

C:\Boot\BOOTSTAT.DAT.RYK

MD5 649c0f2c273c69ed7ab4560beaf8f16d
SHA1 7ac0011189eb94f2455f05e9c6332058cf183efe
SHA256 3fc528fcbd18acc78d18bcd536addc074c4c8983b4a5cea1668bbef4110528bc
SHA512 9db7909fdb66516c8e40b18d63f23a6b7f95c01f9af3a753cf4345186ec9b3b7651162a8b913e743574bd7c54cd5f422fd2ce1c908c29995fa3624c2a0d7fd6c

memory/4100-143-0x000001D05AE00000-0x000001D05AE10000-memory.dmp

memory/4100-142-0x000001D05AB80000-0x000001D05AB90000-memory.dmp

memory/4100-144-0x000001D05FC30000-0x000001D05FC31000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json

C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Boot\RyukReadMe.html

C:\Boot\bg-BG\RyukReadMe.html

C:\Boot\cs-CZ\RyukReadMe.html

C:\Boot\da-DK\RyukReadMe.html

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\RyukReadMe.html

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\RyukReadMe.html

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\RyukReadMe.html

C:\Boot\de-DE\RyukReadMe.html

C:\Boot\el-GR\RyukReadMe.html

C:\Boot\en-GB\RyukReadMe.html

C:\Boot\en-US\RyukReadMe.html

C:\Boot\es-ES\RyukReadMe.html

C:\Boot\es-MX\RyukReadMe.html

C:\Boot\et-EE\RyukReadMe.html

C:\Boot\fi-FI\RyukReadMe.html

C:\Boot\Fonts\RyukReadMe.html

C:\Boot\fr-CA\RyukReadMe.html

C:\Boot\fr-FR\RyukReadMe.html

C:\Boot\hr-HR\RyukReadMe.html

C:\Boot\hu-HU\RyukReadMe.html

C:\Boot\it-IT\RyukReadMe.html

C:\Boot\ja-JP\RyukReadMe.html

C:\Boot\ko-KR\RyukReadMe.html

C:\Boot\lt-LT\RyukReadMe.html

C:\Boot\lv-LV\RyukReadMe.html

C:\Boot\nb-NO\RyukReadMe.html

C:\Boot\nl-NL\RyukReadMe.html

C:\Boot\pl-PL\RyukReadMe.html

C:\Boot\pt-BR\RyukReadMe.html

C:\Boot\pt-PT\RyukReadMe.html

C:\Boot\qps-ploc\RyukReadMe.html

C:\Boot\Resources\RyukReadMe.html

C:\Boot\Resources\en-US\RyukReadMe.html

C:\Boot\ro-RO\RyukReadMe.html

C:\Boot\ru-RU\RyukReadMe.html

C:\Boot\sk-SK\RyukReadMe.html

C:\Boot\sl-SI\RyukReadMe.html

C:\Boot\sr-Latn-RS\RyukReadMe.html

C:\Boot\sv-SE\RyukReadMe.html

C:\Boot\tr-TR\RyukReadMe.html

C:\Boot\uk-UA\RyukReadMe.html

C:\Boot\zh-CN\RyukReadMe.html

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst.RYK

C:\Boot\zh-TW\RyukReadMe.html

C:\Users\Admin\.oracle_jre_usage\RyukReadMe.html

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK
