ryuk | 2d3b8208e42e72b356add50649a91ffab352498a0cfe4a4c4828e6a331e63a6d | Triage

Analysis

max time kernel
1630s
max time network
1567s
platform
windows10_x64
resource
win10-en-20211014
submitted
27-10-2021 08:52

Sharing

Report Analysis Logs

General

Target

781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'TLS7ST8vlU'; $torlink = 'http://htv4omqldafxwhum7ya3m37o3zcbo2d7kidcpgvp6lky62gi6czx6iqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://htv4omqldafxwhum7ya3m37o3zcbo2d7kidcpgvp6lky62gi6czx6iqd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

oqbrBsQMlrep.exewCNMkRxUslan.exeJWPZKncnulan.exe

pid process

2760 oqbrBsQMlrep.exe
1168 wCNMkRxUslan.exe
880 JWPZKncnulan.exe

Modifies extensions of user files 22 IoCs

Ransomware generally changes the extension on encrypted files.

Processes:

781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ExportSwitch.tif.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\UnlockDeny.tiff.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromConvert.tiff	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\UnlockDeny.tiff	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\UseStep.tiff	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\NewSave.crw => C:\Users\Admin\Pictures\NewSave.crw.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\CopyTest.tiff => C:\Users\Admin\Pictures\CopyTest.tiff.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertOpen.tif.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\ApproveRegister.png => C:\Users\Admin\Pictures\ApproveRegister.png.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromConvert.tiff => C:\Users\Admin\Pictures\ConvertFromConvert.tiff.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromConvert.tiff.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\DismountResize.png.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\UnlockDeny.tiff => C:\Users\Admin\Pictures\UnlockDeny.tiff.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\ExportSwitch.tif => C:\Users\Admin\Pictures\ExportSwitch.tif.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\UseStep.tiff => C:\Users\Admin\Pictures\UseStep.tiff.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\CopyTest.tiff.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\CopyTest.tiff	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\ConvertOpen.tif => C:\Users\Admin\Pictures\ConvertOpen.tif.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\DismountResize.png => C:\Users\Admin\Pictures\DismountResize.png.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\ApproveRegister.png.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\NewSave.crw.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\UseStep.tiff.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

Drops startup file 1 IoCs

Processes:

781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

3044 icacls.exe
4060 icacls.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

Drops file in Program Files directory 64 IoCs

Processes:

781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MINSBROAMINGPROXY.DLL.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-up-pressed.gif.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ppd.xrm-ms	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-pl.xrm-ms.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-phn.xrm-ms.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon_2x.png.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\ui-strings.js	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ui-strings.js	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyoptionaltools.jar.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ca-es\ui-strings.js.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Grayscale.xml	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\de-de\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-sendopts.jar	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\flavormap.properties.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_zh_4.4.0.v20140623020002.jar.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-140.png.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN082.XML	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\CANYON.ELM	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\root\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sv-se\ui-strings.js	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nb-no\ui-strings.js.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons__retina_hiContrast_bow.png	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sv-se\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-pl.xrm-ms.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-ma\ui-strings.js.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\THMBNAIL.PNG	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\themes\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\uk-ua\ui-strings.js.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\dcf.x-none.msi.16.x-none.tree.dat	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\1033\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\GR8GALRY.GRA.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\msmdsrv.rll.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\ui-strings.js.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.w3c.css.sac_1.3.1.v200903091627.jar	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-modules-profiler_visualvm.jar	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fontconfig.bfc.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\it-it\ui-strings.js.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-multitabs.jar	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.service.exsd.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\reflow.api.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_fr.properties	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ppd.xrm-ms	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ui-strings.js	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-pl.xrm-ms.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-140.png	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fi-fi\ui-strings.js	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTOCOLHANDLERINTL.DLL.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\spectrum_spinner.svg.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_listview_18.svg.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

SCHTASKS.exe

pid process

3636 SCHTASKS.exe
Runs net.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

pid	process
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2828 wrote to memory of 2760	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	oqbrBsQMlrep.exe
PID 2828 wrote to memory of 2760	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	oqbrBsQMlrep.exe
PID 2828 wrote to memory of 2760	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	oqbrBsQMlrep.exe
PID 2828 wrote to memory of 1168	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	wCNMkRxUslan.exe
PID 2828 wrote to memory of 1168	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	wCNMkRxUslan.exe
PID 2828 wrote to memory of 1168	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	wCNMkRxUslan.exe
PID 2828 wrote to memory of 880	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	JWPZKncnulan.exe
PID 2828 wrote to memory of 880	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	JWPZKncnulan.exe
PID 2828 wrote to memory of 880	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	JWPZKncnulan.exe
PID 2828 wrote to memory of 4060	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	icacls.exe
PID 2828 wrote to memory of 4060	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	icacls.exe
PID 2828 wrote to memory of 4060	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	icacls.exe
PID 2828 wrote to memory of 3044	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	icacls.exe
PID 2828 wrote to memory of 3044	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	icacls.exe
PID 2828 wrote to memory of 3044	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	icacls.exe
PID 2828 wrote to memory of 3320	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 2828 wrote to memory of 3320	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 2828 wrote to memory of 3320	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 2828 wrote to memory of 3296	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 2828 wrote to memory of 3296	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 2828 wrote to memory of 3296	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 2828 wrote to memory of 3716	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 2828 wrote to memory of 3716	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 2828 wrote to memory of 3716	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 2828 wrote to memory of 1228	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 2828 wrote to memory of 1228	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 2828 wrote to memory of 1228	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 3320 wrote to memory of 368	3320		net1.exe
PID 3320 wrote to memory of 368	3320		net1.exe
PID 3320 wrote to memory of 368	3320		net1.exe
PID 3296 wrote to memory of 2188	3296	net.exe	net1.exe
PID 3296 wrote to memory of 2188	3296	net.exe	net1.exe
PID 3296 wrote to memory of 2188	3296	net.exe	net1.exe
PID 1228 wrote to memory of 2332	1228	net.exe	net1.exe
PID 1228 wrote to memory of 2332	1228	net.exe	net1.exe
PID 1228 wrote to memory of 2332	1228	net.exe	net1.exe
PID 3716 wrote to memory of 1208	3716	net.exe	net1.exe
PID 3716 wrote to memory of 1208	3716	net.exe	net1.exe
PID 3716 wrote to memory of 1208	3716	net.exe	net1.exe
PID 2828 wrote to memory of 3636	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	SCHTASKS.exe
PID 2828 wrote to memory of 3636	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	SCHTASKS.exe
PID 2828 wrote to memory of 3636	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	SCHTASKS.exe
PID 2828 wrote to memory of 147384	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 2828 wrote to memory of 147384	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 2828 wrote to memory of 147384	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 2828 wrote to memory of 147204	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 2828 wrote to memory of 147204	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 2828 wrote to memory of 147204	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 147384 wrote to memory of 146720	147384	net.exe	net1.exe
PID 147384 wrote to memory of 146720	147384	net.exe	net1.exe
PID 147384 wrote to memory of 146720	147384	net.exe	net1.exe
PID 147204 wrote to memory of 147112	147204	net.exe	net1.exe
PID 147204 wrote to memory of 147112	147204	net.exe	net1.exe
PID 147204 wrote to memory of 147112	147204	net.exe	net1.exe
PID 2828 wrote to memory of 233324	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 2828 wrote to memory of 233324	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 2828 wrote to memory of 233324	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 2828 wrote to memory of 233440	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 2828 wrote to memory of 233440	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 2828 wrote to memory of 233440	2828	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 233324 wrote to memory of 233224	233324	net.exe	net1.exe
PID 233324 wrote to memory of 233224	233324	net.exe	net1.exe
PID 233324 wrote to memory of 233224	233324	net.exe	net1.exe
PID 233440 wrote to memory of 233252	233440	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2828

C:\Users\Admin\AppData\Local\Temp\oqbrBsQMlrep.exe
"C:\Users\Admin\AppData\Local\Temp\oqbrBsQMlrep.exe" 9 REP
2⤵
- Executes dropped EXE
PID:2760

C:\Users\Admin\AppData\Local\Temp\wCNMkRxUslan.exe
"C:\Users\Admin\AppData\Local\Temp\wCNMkRxUslan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:1168

C:\Users\Admin\AppData\Local\Temp\JWPZKncnulan.exe
"C:\Users\Admin\AppData\Local\Temp\JWPZKncnulan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:880

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4060

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:3044

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:3320

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:368

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3296

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2188

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1208

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2332

C:\Windows\SysWOW64\SCHTASKS.exe
SCHTASKS /CREATE /NP /SC DAILY /TN "Print67" /TR "C:\Windows\System32\cmd.exe /c for /l %x in (1,1,50) do start wordpad.exe /p C:\users\Public\6HVPl.dll" /ST 10:25 /SD 10/28/2021 /ED 11/04/2021
2⤵
- Creates scheduled task(s)
PID:3636

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:147384

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:146720

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:147204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:147112

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:233324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:233224

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:233440

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:233252

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:293608

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:293736

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:293636

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:293880

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:293876

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:293664

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:293736

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:293552

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:293496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:293540

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:293788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:293356

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:293640

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:294672

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:294828

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:294712

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:293676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:293640

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:294772

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:294468

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:294432

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:179964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:293952

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:293520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:294136

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1400

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:294900

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:293900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:294244

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:321228

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:321120

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:321196

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:321404

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:490984

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:492116

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:490976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:491076

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:691996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:692088

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:692008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:692108

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:790632

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:790744

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:790628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:790740

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:942024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:942072

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:942060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:941808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

File Permissions Modification

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\$Recycle.Bin\S-1-5-21-941723256-3451054534-3089625102-1000\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\BOOTSECT.BAK.RYK
MD5
3a0da1ce1e0ef13927c37ea079a78f1d

SHA1
1e7a86eccad30501bd08f7dc9fa4c7c584ae5be0

SHA256
a768626e63e22ddb7e133ab7db4f1900e94b5818c840745df260ecf2c85828ec

SHA512
60cee604f22fea88d68dd85a2459cff76cab2819df77b3a39eb7d7e6b0c61d05e30330eaeb244b4b42d8ef598171fa997b8e3031bba6e1276de74064214b779e

Download Submit
C:\Boot\BOOTSTAT.DAT.RYK
MD5
1101c7d8200bb38a6681fdfdaf6ed417

SHA1
0a666b922a904cc869a3bb66b8448ec797033351

SHA256
82109a8d9f9948c6dce15b7ac79159d64ea430bc04e23ff134f765bf7f9c619c

SHA512
adf2553d743d3d45b01a05c0d4fc3b0ed2111627818f6f9ec165b7e6bab8c63a0ecc70e756aa3f453b131d511524ef313ec870b168c679471ef731e1642ce1a3

Download Submit
C:\Boot\Fonts\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\Resources\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\Resources\en-US\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\bg-BG\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\cs-CZ\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\da-DK\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\de-DE\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\el-GR\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\en-GB\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\en-US\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\es-ES\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\es-MX\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\et-EE\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\fi-FI\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\fr-CA\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\fr-FR\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\hr-HR\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\hu-HU\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\it-IT\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\ja-JP\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\ko-KR\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\lt-LT\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\lv-LV\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\nb-NO\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\nl-NL\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\pl-PL\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\pt-BR\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\pt-PT\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\qps-ploc\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\ro-RO\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\ru-RU\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\sk-SK\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\sl-SI\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\sr-Latn-RS\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\sv-SE\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\tr-TR\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\uk-UA\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\zh-CN\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\zh-TW\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\PerfLogs\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK
MD5
9eb7ea53c6fa55e08acc980b7fbdfa61

SHA1
43de4349676ae330af32d2bdd9838b295d2da350

SHA256
87efac0848d9d86241b888621619520f502dc6a090641e1eb3cd26dac1859c34

SHA512
514d220f9ba2655a9d0df8da7fecc8382bc651bcb6df341fca5598b9a4c80a54c5d977c62f3ff6e7fdd2ed775d75a0822965f0a70db16829373d0b4702b38fa9

Download Submit
C:\Users\Admin\.oracle_jre_usage\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst.RYK
MD5
beba83e9576c7edfc7262d5a17c542dd

SHA1
8d8fae1a3674d02847aa4d7a31e5589629834684

SHA256
d858061af9b1efe3bf20cd8ef0e536a2c023cef34fcc82a2b75b957ce71e1db7

SHA512
f43e59f3be120b98b9244e5a1c732bafa1dd7bd366ccc61fb2ce4df0c184e4e2fd41df79ca7224355122a8eac1560f05a53066c4f2d4a303ddd6fd0bf146d256

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst.RYK
MD5
6b5c4eaf65a1d02dd71b7cb838b4ea1d

SHA1
607c950b7c411f2acc7e4f920b2827831d25efcc

SHA256
d651597b7fc2dab014e157155bf6b4d66a7ca8d002bd8a9f34643d166a5d1726

SHA512
fbe5f8695dcd5734ccc6c5ae37f997f774220d5e85a5e53320cf2d69a6dfbd8e4f7e84f9aaa552aa2c1c7de001d1b1facef72ba98a8484e20398fc5815e23003

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt19.lst.RYK
MD5
dbfea450faec216071a82682dc1aa486

SHA1
9975cad9a93100c8dbf213073ad94be3230b463f

SHA256
98cb7b3d5b59169a69cca3958ec1959e1f5c02f6c395805efa12697ebc6309a1

SHA512
0ec101a6138d278ef2aa545511c6c3ae19944052ad9f65a81c62df79935d719054f950b080a20191c5554771812cbc45ad9479ba21371ea9a95d41c70ed9a7ab

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat.RYK
MD5
e932d326d68229a2892788e2aeb990bd

SHA1
473dab45b0b1f25e9628a3a26a4bcf148f0d3171

SHA256
0a3a69b89344e1627f401bf7e1bf5768331d7197c01c28c672acdf773c4b51b0

SHA512
0249b5bfedfef3c3f489dd4b7553cabedbb16e4362829f62678d92a6747434edf1928e3f26e76f8d2dc3e95b8c1d561c794f159b21075fcea1a1093f5fc0e496

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\JWPZKncnulan.exe
MD5
8555b213260ba5eda4bf37652cecb431

SHA1
80bd92b996fce311b52aa791a8ace4b20f8fb7ab

SHA256
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

SHA512
0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Download Submit
C:\Users\Admin\AppData\Local\Temp\JWPZKncnulan.exe
MD5
8555b213260ba5eda4bf37652cecb431

SHA1
80bd92b996fce311b52aa791a8ace4b20f8fb7ab

SHA256
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

SHA512
0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqbrBsQMlrep.exe
MD5
8555b213260ba5eda4bf37652cecb431

SHA1
80bd92b996fce311b52aa791a8ace4b20f8fb7ab

SHA256
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

SHA512
0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqbrBsQMlrep.exe
MD5
8555b213260ba5eda4bf37652cecb431

SHA1
80bd92b996fce311b52aa791a8ace4b20f8fb7ab

SHA256
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

SHA512
0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Download Submit
C:\Users\Admin\AppData\Local\Temp\wCNMkRxUslan.exe
MD5
8555b213260ba5eda4bf37652cecb431

SHA1
80bd92b996fce311b52aa791a8ace4b20f8fb7ab

SHA256
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

SHA512
0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Download Submit
C:\Users\Admin\AppData\Local\Temp\wCNMkRxUslan.exe
MD5
8555b213260ba5eda4bf37652cecb431

SHA1
80bd92b996fce311b52aa791a8ace4b20f8fb7ab

SHA256
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

SHA512
0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Download Submit
C:\Users\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\odt\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\odt\config.xml.RYK
MD5
73af39f2ca5edab03273ec915f15b89a

SHA1
80fba4ac959fae2f097ee75aea8e9c0a69cf8865

SHA256
adcd3764b5fc65153bd2dd358e73418266aae5d8dea9c1ab06701d3a23b83d93

SHA512
672b96ebda7cd63380cc87b91e3ef16e88e387f91942bf43383320cceecf45b15bb7c12a34156ae885d4bbaba9174107ed43696bf7f760dc5bc275b8a155ae66

Download Submit
C:\users\Public\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
memory/368-139-0x0000000000000000-mapping.dmp

Download
memory/880-121-0x0000000000000000-mapping.dmp

Download
memory/1168-118-0x0000000000000000-mapping.dmp

Download
memory/1208-142-0x0000000000000000-mapping.dmp

Download
memory/1228-138-0x0000000000000000-mapping.dmp

Download
memory/1400-225-0x0000000000000000-mapping.dmp

Download
memory/2188-140-0x0000000000000000-mapping.dmp

Download
memory/2332-141-0x0000000000000000-mapping.dmp

Download
memory/2760-115-0x0000000000000000-mapping.dmp

Download
memory/3044-125-0x0000000000000000-mapping.dmp

Download
memory/3296-136-0x0000000000000000-mapping.dmp

Download
memory/3320-135-0x0000000000000000-mapping.dmp

Download
memory/3636-160-0x0000000000000000-mapping.dmp

Download
memory/3716-137-0x0000000000000000-mapping.dmp

Download
memory/4060-124-0x0000000000000000-mapping.dmp

Download
memory/146720-195-0x0000000000000000-mapping.dmp

Download
memory/147112-196-0x0000000000000000-mapping.dmp

Download
memory/147204-194-0x0000000000000000-mapping.dmp

Download
memory/147384-193-0x0000000000000000-mapping.dmp

Download
memory/179964-221-0x0000000000000000-mapping.dmp

Download
memory/233224-199-0x0000000000000000-mapping.dmp

Download
memory/233252-200-0x0000000000000000-mapping.dmp

Download
memory/233324-197-0x0000000000000000-mapping.dmp

Download
memory/233440-198-0x0000000000000000-mapping.dmp

Download
memory/293356-211-0x0000000000000000-mapping.dmp

Download
memory/293496-210-0x0000000000000000-mapping.dmp

Download
memory/293520-222-0x0000000000000000-mapping.dmp

Download
memory/293540-212-0x0000000000000000-mapping.dmp

Download
memory/293552-207-0x0000000000000000-mapping.dmp

Download
memory/293608-201-0x0000000000000000-mapping.dmp

Download
memory/293636-202-0x0000000000000000-mapping.dmp

Download
memory/293640-213-0x0000000000000000-mapping.dmp

Download
memory/293664-208-0x0000000000000000-mapping.dmp

Download
memory/293676-218-0x0000000000000000-mapping.dmp

Download
memory/293736-203-0x0000000000000000-mapping.dmp

Download
memory/293736-206-0x0000000000000000-mapping.dmp

Download
memory/293788-209-0x0000000000000000-mapping.dmp

Download
memory/293876-205-0x0000000000000000-mapping.dmp

Download
memory/293880-204-0x0000000000000000-mapping.dmp

Download
memory/293900-226-0x0000000000000000-mapping.dmp

Download
memory/293952-224-0x0000000000000000-mapping.dmp

Download
memory/294136-223-0x0000000000000000-mapping.dmp

Download
memory/294244-228-0x0000000000000000-mapping.dmp

Download
memory/294432-220-0x0000000000000000-mapping.dmp

Download
memory/294468-217-0x0000000000000000-mapping.dmp

Download
memory/294672-215-0x0000000000000000-mapping.dmp

Download
memory/294712-216-0x0000000000000000-mapping.dmp

Download
memory/294772-219-0x0000000000000000-mapping.dmp

Download
memory/294828-214-0x0000000000000000-mapping.dmp

Download
memory/294900-227-0x0000000000000000-mapping.dmp

Download
memory/321120-231-0x0000000000000000-mapping.dmp

Download
memory/321196-230-0x0000000000000000-mapping.dmp

Download
memory/321228-229-0x0000000000000000-mapping.dmp

Download
memory/321404-232-0x0000000000000000-mapping.dmp

Download
memory/490976-233-0x0000000000000000-mapping.dmp

Download
memory/490984-234-0x0000000000000000-mapping.dmp

Download
memory/491076-235-0x0000000000000000-mapping.dmp

Download
memory/492116-236-0x0000000000000000-mapping.dmp

Download
memory/691996-237-0x0000000000000000-mapping.dmp

Download
memory/692008-238-0x0000000000000000-mapping.dmp

Download
memory/692088-239-0x0000000000000000-mapping.dmp

Download
memory/692108-240-0x0000000000000000-mapping.dmp

Download
memory/790628-241-0x0000000000000000-mapping.dmp

Download
memory/790632-242-0x0000000000000000-mapping.dmp

Download