ryuk | 40b865d1c3ab1b8544bcf57c88edd30679870d40b27d62feb237a19f0c5f9cd1

Analysis

max time kernel
119s
max time network
116s
platform
windows11_x64
resource
win11
submitted
28-01-2022 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

execute.exe
Size

196KB
MD5

484a2bcb1335ac97ee91194f4c0964bc
SHA1

ad11ed52ab33ad05eb9b1e9ade134ca1348acc81
SHA256

40b865d1c3ab1b8544bcf57c88edd30679870d40b27d62feb237a19f0c5f9cd1
SHA512

6e61612bd29425c5ab9b648fa83bc2d8616071247f8659aa316ab9d4adde0a9ceb9301737bb4216db223dfdd371106da75463f6d7e3a88e1c4cdd6c821f3935f

Score

10^/10

ryuk discovery persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\$WinREAgent\Scratch\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 1 IoCs

Processes:

HrjRHtq.exe

pid process

4316 HrjRHtq.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exe

pid process

4272 icacls.exe
4504 icacls.exe
1088 icacls.exe
3604 icacls.exe

pid	process
4316	HrjRHtq.exe

pid	process
4272	icacls.exe
4504	icacls.exe
1088	icacls.exe
3604	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\execute.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HrjRHtq.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 41 IoCs

Processes:

WaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

execute.exeHrjRHtq.exe

pid	process
4068	execute.exe
4068	execute.exe
4068	execute.exe
4068	execute.exe
4316	HrjRHtq.exe
4316	HrjRHtq.exe
4068	execute.exe
4068	execute.exe
4068	execute.exe
4068	execute.exe
4316	HrjRHtq.exe
4316	HrjRHtq.exe
4068	execute.exe
4068	execute.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

execute.exeHrjRHtq.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4068	execute.exe
Token: SeBackupPrivilege	4316	HrjRHtq.exe
Token: SeIncreaseQuotaPrivilege	2392	WMIC.exe
Token: SeSecurityPrivilege	2392	WMIC.exe
Token: SeTakeOwnershipPrivilege	2392	WMIC.exe
Token: SeLoadDriverPrivilege	2392	WMIC.exe
Token: SeSystemProfilePrivilege	2392	WMIC.exe
Token: SeSystemtimePrivilege	2392	WMIC.exe
Token: SeProfSingleProcessPrivilege	2392	WMIC.exe
Token: SeIncBasePriorityPrivilege	2392	WMIC.exe
Token: SeCreatePagefilePrivilege	2392	WMIC.exe
Token: SeBackupPrivilege	2392	WMIC.exe
Token: SeRestorePrivilege	2392	WMIC.exe
Token: SeShutdownPrivilege	2392	WMIC.exe
Token: SeDebugPrivilege	2392	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2392	WMIC.exe
Token: SeRemoteShutdownPrivilege	2392	WMIC.exe
Token: SeUndockPrivilege	2392	WMIC.exe
Token: SeManageVolumePrivilege	2392	WMIC.exe
Token: 33	2392	WMIC.exe
Token: 34	2392	WMIC.exe
Token: 35	2392	WMIC.exe
Token: 36	2392	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2392	WMIC.exe
Token: SeSecurityPrivilege	2392	WMIC.exe
Token: SeTakeOwnershipPrivilege	2392	WMIC.exe
Token: SeLoadDriverPrivilege	2392	WMIC.exe
Token: SeSystemProfilePrivilege	2392	WMIC.exe
Token: SeSystemtimePrivilege	2392	WMIC.exe
Token: SeProfSingleProcessPrivilege	2392	WMIC.exe
Token: SeIncBasePriorityPrivilege	2392	WMIC.exe
Token: SeCreatePagefilePrivilege	2392	WMIC.exe
Token: SeBackupPrivilege	2392	WMIC.exe
Token: SeRestorePrivilege	2392	WMIC.exe
Token: SeShutdownPrivilege	2392	WMIC.exe
Token: SeDebugPrivilege	2392	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2392	WMIC.exe
Token: SeRemoteShutdownPrivilege	2392	WMIC.exe
Token: SeUndockPrivilege	2392	WMIC.exe
Token: SeManageVolumePrivilege	2392	WMIC.exe
Token: 33	2392	WMIC.exe
Token: 34	2392	WMIC.exe
Token: 35	2392	WMIC.exe
Token: 36	2392	WMIC.exe
Token: SeBackupPrivilege	2036	vssvc.exe
Token: SeRestorePrivilege	2036	vssvc.exe
Token: SeAuditPrivilege	2036	vssvc.exe
Token: SeBackupPrivilege	4068	execute.exe
Token: SeIncreaseQuotaPrivilege	1116	WMIC.exe
Token: SeSecurityPrivilege	1116	WMIC.exe
Token: SeTakeOwnershipPrivilege	1116	WMIC.exe
Token: SeLoadDriverPrivilege	1116	WMIC.exe
Token: SeSystemProfilePrivilege	1116	WMIC.exe
Token: SeSystemtimePrivilege	1116	WMIC.exe
Token: SeProfSingleProcessPrivilege	1116	WMIC.exe
Token: SeIncBasePriorityPrivilege	1116	WMIC.exe
Token: SeCreatePagefilePrivilege	1116	WMIC.exe
Token: SeBackupPrivilege	1116	WMIC.exe
Token: SeRestorePrivilege	1116	WMIC.exe
Token: SeShutdownPrivilege	1116	WMIC.exe
Token: SeDebugPrivilege	1116	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1116	WMIC.exe
Token: SeRemoteShutdownPrivilege	1116	WMIC.exe
Token: SeUndockPrivilege	1116	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

execute.exenet.exenet.exeHrjRHtq.execmd.exenet.exenet.execmd.exe

description	pid	process	target process
PID 4068 wrote to memory of 4316	4068	execute.exe	HrjRHtq.exe
PID 4068 wrote to memory of 4316	4068	execute.exe	HrjRHtq.exe
PID 4068 wrote to memory of 4316	4068	execute.exe	HrjRHtq.exe
PID 4068 wrote to memory of 3080	4068	execute.exe	sihost.exe
PID 4068 wrote to memory of 2252	4068	execute.exe	net.exe
PID 4068 wrote to memory of 2252	4068	execute.exe	net.exe
PID 4068 wrote to memory of 2252	4068	execute.exe	net.exe
PID 2252 wrote to memory of 5100	2252	net.exe	net1.exe
PID 2252 wrote to memory of 5100	2252	net.exe	net1.exe
PID 2252 wrote to memory of 5100	2252	net.exe	net1.exe
PID 4068 wrote to memory of 2768	4068	execute.exe	net.exe
PID 4068 wrote to memory of 2768	4068	execute.exe	net.exe
PID 4068 wrote to memory of 2768	4068	execute.exe	net.exe
PID 2768 wrote to memory of 2292	2768	net.exe	net1.exe
PID 2768 wrote to memory of 2292	2768	net.exe	net1.exe
PID 2768 wrote to memory of 2292	2768	net.exe	net1.exe
PID 4068 wrote to memory of 3092	4068	execute.exe	svchost.exe
PID 4068 wrote to memory of 3392	4068	execute.exe	svchost.exe
PID 4068 wrote to memory of 3752	4068	execute.exe	SearchHost.exe
PID 4068 wrote to memory of 3776	4068	execute.exe	StartMenuExperienceHost.exe
PID 4068 wrote to memory of 3928	4068	execute.exe	RuntimeBroker.exe
PID 4068 wrote to memory of 4052	4068	execute.exe	svchost.exe
PID 4068 wrote to memory of 4088	4068	execute.exe	RuntimeBroker.exe
PID 4068 wrote to memory of 3312	4068	execute.exe	DllHost.exe
PID 4068 wrote to memory of 4348	4068	execute.exe	DllHost.exe
PID 4068 wrote to memory of 4664	4068	execute.exe	smartscreen.exe
PID 4316 wrote to memory of 4272	4316	HrjRHtq.exe	icacls.exe
PID 4316 wrote to memory of 4272	4316	HrjRHtq.exe	icacls.exe
PID 4316 wrote to memory of 4272	4316	HrjRHtq.exe	icacls.exe
PID 4316 wrote to memory of 4504	4316	HrjRHtq.exe	icacls.exe
PID 4316 wrote to memory of 4504	4316	HrjRHtq.exe	icacls.exe
PID 4316 wrote to memory of 4504	4316	HrjRHtq.exe	icacls.exe
PID 4316 wrote to memory of 4964	4316	HrjRHtq.exe	cmd.exe
PID 4316 wrote to memory of 4964	4316	HrjRHtq.exe	cmd.exe
PID 4316 wrote to memory of 4964	4316	HrjRHtq.exe	cmd.exe
PID 4964 wrote to memory of 2392	4964	cmd.exe	WMIC.exe
PID 4964 wrote to memory of 2392	4964	cmd.exe	WMIC.exe
PID 4964 wrote to memory of 2392	4964	cmd.exe	WMIC.exe
PID 4316 wrote to memory of 864	4316	HrjRHtq.exe	net.exe
PID 4316 wrote to memory of 864	4316	HrjRHtq.exe	net.exe
PID 4316 wrote to memory of 864	4316	HrjRHtq.exe	net.exe
PID 864 wrote to memory of 1960	864	net.exe	net1.exe
PID 864 wrote to memory of 1960	864	net.exe	net1.exe
PID 864 wrote to memory of 1960	864	net.exe	net1.exe
PID 4068 wrote to memory of 3604	4068	execute.exe	icacls.exe
PID 4068 wrote to memory of 3604	4068	execute.exe	icacls.exe
PID 4068 wrote to memory of 3604	4068	execute.exe	icacls.exe
PID 4068 wrote to memory of 1088	4068	execute.exe	icacls.exe
PID 4068 wrote to memory of 1088	4068	execute.exe	icacls.exe
PID 4068 wrote to memory of 1088	4068	execute.exe	icacls.exe
PID 4068 wrote to memory of 1208	4068	execute.exe	cmd.exe
PID 4068 wrote to memory of 1208	4068	execute.exe	cmd.exe
PID 4068 wrote to memory of 1208	4068	execute.exe	cmd.exe
PID 4068 wrote to memory of 3432	4068	execute.exe	cmd.exe
PID 4068 wrote to memory of 3432	4068	execute.exe	cmd.exe
PID 4068 wrote to memory of 3432	4068	execute.exe	cmd.exe
PID 4068 wrote to memory of 4060	4068	execute.exe	net.exe
PID 4068 wrote to memory of 4060	4068	execute.exe	net.exe
PID 4068 wrote to memory of 4060	4068	execute.exe	net.exe
PID 4060 wrote to memory of 1600	4060	net.exe	net1.exe
PID 4060 wrote to memory of 1600	4060	net.exe	net1.exe
PID 4060 wrote to memory of 1600	4060	net.exe	net1.exe
PID 1208 wrote to memory of 1116	1208	cmd.exe	WMIC.exe
PID 1208 wrote to memory of 1116	1208	cmd.exe	WMIC.exe

C:\Windows\System32\smartscreen.exe
C:\Windows\System32\smartscreen.exe -Embedding
1⤵
PID:4664

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4348

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3312

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4052

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3928

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3776

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:3752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3092

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3080

C:\Users\Admin\AppData\Local\Temp\execute.exe
"C:\Users\Admin\AppData\Local\Temp\execute.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4068

C:\Users\Admin\AppData\Local\Temp\HrjRHtq.exe
"C:\Users\Admin\AppData\Local\Temp\HrjRHtq.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:4272

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:4504

C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
3⤵
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HrjRHtq.exe" /f /reg:64
3⤵
PID:11028

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HrjRHtq.exe" /f /reg:64
4⤵
- Adds Run key to start application
PID:11080

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:23784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:23844

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5100

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
2⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1088

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:3604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\execute.exe" /f /reg:64
2⤵
PID:3432

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\execute.exe" /f /reg:64
3⤵
- Adds Run key to start application
PID:5508

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1600

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:13036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:13088

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:28828

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:28876

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe ebb76f6228fba99d4c189e72de9bee88 lkuT3gP0T0Wv5BcugIWdaQ.0.1.0.3.0
1⤵
- Modifies data under HKEY_USERS
PID:4856

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$WinREAgent\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\$WinREAgent\Scratch\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\Fonts\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\Resources\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\Resources\en-US\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\bg-BG\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\cs-CZ\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\da-DK\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\de-DE\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\el-GR\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\en-GB\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\en-US\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\es-ES\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\es-MX\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\et-EE\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\fi-FI\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\fr-CA\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\fr-FR\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\hr-HR\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\hu-HU\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\it-IT\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\ja-JP\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\ko-KR\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\lt-LT\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\lv-LV\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\nb-NO\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\nl-NL\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\pl-PL\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\pt-BR\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\pt-PT\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\qps-ploc\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\qps-plocm\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\ro-RO\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\ru-RU\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\sk-SK\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\sl-SI\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\sr-Latn-RS\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\sv-SE\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\tr-TR\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\uk-UA\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\zh-CN\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Boot\zh-TW\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_ff33445f-a36e-4a95-8e5f-bca99faf3ebd
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Comms\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jcp.RYK
MD5
57205afb8b9308fd0ea6b622a6685698

SHA1
e6042381908faf3c74a1d9ec203ea232437ec34f

SHA256
04da0f36b1e37539358b66d6fb14e4914341b6af55b96015e154c815276adfa5

SHA512
c71135f7b30f5dedf4a6e5ac0ff1a5b532f4ba813f61c982a48f6da54eabae9039ea2866da3052becf9a37615da0f931698c99fb3c83dbde968bc59cd8862755

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jtx
MD5
4822673cd2bceaabb300666e3e5157b6

SHA1
14f10db4f7dafcaa0577de8080b51208e40a53da

SHA256
47d56bf1752391b4749c02a652aa8685a5f01180c731cce102cc3bc2a9d1ee26

SHA512
102efb3ed5e202fbf136601dae0f93ead6784ae3e0cdb16dce89d2a3d1604f02318c4a45e5c4cc76859d34f334d6bb140b12e7734c44863a8a5a1eac5f319b76

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USSres00001.jrs.RYK
MD5
deec86e4aa30089737c7b9b36d0fb75d

SHA1
d01cd372068597198d7e4273c478e6856c89e50a

SHA256
a495eacd9c10a15d2b47038738b5ff971fe2a1f2f572c534342c2530aaaaa406

SHA512
454d3f7ee65b29b1a812c4d23b1e09defd6a46b4dea9d4c50249b245e761b55ef5fa796406f8146408360bea77c45cb6330a8b0f40f2cc0701bdabdac1553044

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USSres00002.jrs.RYK
MD5
c81d6b64c9c76aea8f2a0344e65fc78d

SHA1
09d6a04f8e210adb5f5b84e122333b786d908be5

SHA256
a41e71b917430994e04d2ab7b79cc06992cbf202532eaeb8a09599646bda0a1c

SHA512
3a778dd2b4b2bf34667bbc67b6c074d687164e510295b98fd7cfa8804b417cb6e5cba32989000d39382809ebc97b2cb79a5dbffbafd6683060069c9e8359610b

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USStmp.jtx.RYK
MD5
c36993e7c06037cf310182291f9b68aa

SHA1
04feaf4728bc4c127ee933d9db63dece78873cae

SHA256
c3c756bb16d1b4c0f2410aebf9e5f5bd8d5260f3ba088e09deb4847373a8d795

SHA512
4a4fde9c78aa62d470cf66096e50cb122068c0d75ff34638cea449b68710a2ed29cfca98ca8e139fa7b8c297e9863f63b7e7c9e8b3b6a9136890cdffdbfcca4a

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm.RYK
MD5
147718e66ff74416156a704bc7f8ac20

SHA1
2a4f472dab3a7e2f51665fb64423b230e06e1090

SHA256
a2de1f16fc3da5d83575dbabe959d1b2e2983fae893e66cef4665c3c8d9f3784

SHA512
14059354a59a9fa4928fe8510a58e0d219dbe501f62fa19d588359bec7611a4b64770e8b492524f4cf380135880f26451616ac3aaa8eea56a8be4f5d37d282d8

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.vol
MD5
ad554955e1504308966461c6e795902c

SHA1
d8331780e62cb7596365e5a4569c110cad0318bb

SHA256
6c34f508e164c6362945f9c0621f82641b0a0028f4b97b3542b56cc49fb3d945

SHA512
1f1ba85afef24fb4d374968740ed850a5fa24c037b7cd3423c9e8b20debc8307f105459d62599d956cdbbbf63292da5184dccd6f5cc8d52545ebbcd4858dea84

Download Submit
C:\Users\Admin\AppData\Local\Comms\Unistore\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Comms\Unistore\data\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin.cdp.RYK
MD5
737894dbe6d4e74cbc36b5c658e6ebe7

SHA1
31b78f12b112d985416c576a1cb72882f072fe35

SHA256
76e8c73ba79f3c641692f9d72ed974e003256b2afa711af22bba154cb3f32c8b

SHA512
fdcbd163a46d3bfa383fef9172eef8b5cb7ba787f77ad191824f33b6f9cb0b99817d277c30317022777180292e3cc76575c3b637f8fb2063f06ec6fcca09cf40

Download Submit
C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\45a5e5b635b28e7a\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\d1045fa42060dcaf\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HrjRHtq.exe
MD5
484a2bcb1335ac97ee91194f4c0964bc

SHA1
ad11ed52ab33ad05eb9b1e9ade134ca1348acc81

SHA256
40b865d1c3ab1b8544bcf57c88edd30679870d40b27d62feb237a19f0c5f9cd1

SHA512
6e61612bd29425c5ab9b648fa83bc2d8616071247f8659aa316ab9d4adde0a9ceb9301737bb4216db223dfdd371106da75463f6d7e3a88e1c4cdd6c821f3935f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HrjRHtq.exe
MD5
484a2bcb1335ac97ee91194f4c0964bc

SHA1
ad11ed52ab33ad05eb9b1e9ade134ca1348acc81

SHA256
40b865d1c3ab1b8544bcf57c88edd30679870d40b27d62feb237a19f0c5f9cd1

SHA512
6e61612bd29425c5ab9b648fa83bc2d8616071247f8659aa316ab9d4adde0a9ceb9301737bb4216db223dfdd371106da75463f6d7e3a88e1c4cdd6c821f3935f

Download Submit
C:\Users\RyukReadMe.html
MD5
c785e6003f490c485eddb60a31ed4b0a

SHA1
4b0fdbf0f9be1d6b0a2baf7ba7e86136d920cf88

SHA256
bd56c1cb05b20c6a421128f0c6338ce5e070bb6544901f2f782debdd98418742

SHA512
6adf9faeecb063f514b73451ca62f713c5559948c1f80ae81712b91a98f8d6ba08496c28bab0ad5b425c0343fb53ad4f0a79144b8e23c2cbcb0ad7924568b12a

Download Submit