ryuk | 00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de

Analysis

max time kernel
1800s
max time network
1586s
platform
windows10_x64
resource
win10-20220414-en
submitted
06-05-2022 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
Size

448KB
MD5

bf7b854542cfa423dee3b7233c4a255e
SHA1

a9b09989972cc063b34c4afcd82ebe9203d61be2
SHA256

00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de
SHA512

147205767585c86b29435ca44a605d06208b7e126007fbc3d5a8c1a30896f03c0d832c07608895cd1e14b3966853306ebac1058f02c2e68efc8f89fad938cada

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops file in Drivers directory 9 IoCs

Processes:

00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\drivers\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe

Executes dropped EXE 2 IoCs

Processes:

pvdDzhQ.exepvdDzhQ.exe

pid process

1840 pvdDzhQ.exe
3744 pvdDzhQ.exe

pid	process
1840	pvdDzhQ.exe
3744	pvdDzhQ.exe

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\BlockRead.raw.RYK	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Users\Admin\Pictures\ConnectRegister.png.RYK	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertToConvert.raw.RYK	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Users\Admin\Pictures\GrantDismount.tif.RYK	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Users\Admin\Pictures\RemoveConnect.raw.RYK	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Users\Admin\Pictures\RevokeReset.crw.RYK	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Users\Admin\Pictures\TestLock.png.RYK	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Users\Admin\Pictures\WaitUninstall.tiff.RYK	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe

Drops startup file 2 IoCs

Processes:

00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exe

pid process

1628 icacls.exe
588 icacls.exe
6772 icacls.exe
6784 icacls.exe

pid	process
1628	icacls.exe
588	icacls.exe
6772	icacls.exe
6784	icacls.exe

Drops file in System32 directory 64 IoCs

Processes:

00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\MUI\0410\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\WCN\fr-FR\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\de-DE\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\c_wceusbs.inf_amd64_14c260219afb84d0\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmags64.inf_amd64_767b2d723d0fe83b\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdminfot.inf_amd64_1fdfa80956d76f96\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\_Default\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\usbhub3.inf_amd64_6ea6830940f8f4e2\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\ja-JP\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmcxhv6.inf_amd64_f1a7a2fbd6554d60\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhpcl2.inf_amd64_17ed6c3130d87c50\amd64\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\sti.inf_amd64_cabeac16a0ac4ce6\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\migration\de-DE\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnecl2.inf_amd64_fdd93c90b4633940\amd64\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hidirkbd.inf_amd64_09cfec8a6e90d634\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmgl008.inf_amd64_e90cb51f9ac48173\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmmct.inf_amd64_689c091fcb0721a2\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmvdot.inf_amd64_ad55c5e225f831f3\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ArchiveResource\ja-JP\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ServiceResource\es-ES\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\bthprint.inf_amd64_ec8d0fdfe67e99bf\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\c_nettrans.inf_amd64_ffd65b4c2eac1604\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_amd64_144351277838b429\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\LogFiles\Fax\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\wbem\en-US\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\fr\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\da-DK\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\iagpio.inf_amd64_8df3c3e4f563fd12\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmpsion.inf_amd64_e1283070eae21ee3\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\LogFiles\SQM\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\it-IT\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\de-DE\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForSome\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmaiwat.inf_amd64_e4992c1693234ea0\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmnttp.inf_amd64_cb7c8349fd73523e\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms002.inf_amd64_07ee1bb78d96a8d3\Amd64\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_faa2804656671550\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\ras\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\Speech\Engines\SR\fr-FR\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\Configuration\Schema\MSFT_FileDirectoryConfiguration\es-ES\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\iastorav.inf_amd64_e9e1b7ce2ab0e894\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmnttte.inf_amd64_79399306c52e04ea\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\Licenses\neutral\_Default\Professional\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\c_fshsm.inf_amd64_5701a150984e2034\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmisdn.inf_amd64_a777d8576ccb203f\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ndisvirtualbus.inf_amd64_311b5482b2fc4ccc\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiaek002.inf_amd64_f5e1942118a448c2\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ServiceResource\de-DE\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForSome\de-DE\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hidi2c.inf_amd64_23d078b56f375ebe\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnokcl1.inf_amd64_d54b831cc2bc714b\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\pl-PL\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\wbem\AutoRecover\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\es-ES\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netbvbda.inf_amd64_8c91422ace1c804c\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnokcl2.inf_amd64_1e45a4f567fdae98\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ts_generic.inf_amd64_dfad30680e077153\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exepvdDzhQ.exe

description	pid	process	target process
PID 1308 set thread context of 1136	1308	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
PID 1840 set thread context of 3744	1840	pvdDzhQ.exe	pvdDzhQ.exe

Drops file in Program Files directory 64 IoCs

Processes:

00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\bw_60x42.png	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2818_32x32x32.png	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxBadge.scale-200.png	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\sample-thumb.png	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\APASixthEditionOfficeOnline.xsl.RYK	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-16.png	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\PROFILE.ELM.RYK	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\3899_20x20x32.png	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-20.png	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\nb-no\ui-strings.js.RYK	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-125_8wekyb3d8bbwe\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms.RYK	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\Training.potx.RYK	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-125_8wekyb3d8bbwe\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7813_40x40x32.png	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.VideoTk\InvertColorEffectPS_UV.cso	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ul-oob.xrm-ms.RYK	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-pl.xrm-ms	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\ui-strings.js	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeLikeExactly.Tests.ps1	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\LICENSE	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul-oob.xrm-ms.RYK	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml.RYK	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.RYK	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-256.png	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\AppCore\Location\Shifter\Relicensing Statement.txt	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo.RYK	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover.png	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons_retina.png.RYK	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\it-it\PlayStore_icon.svg.RYK	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\tmi.png	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.scale-100.png	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN044.XML	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\classic_11h.png	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\complete.png	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\root\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MTEXTRA.TTF.RYK	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\eu-es\ui-strings.js.RYK	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\EnterConvertTo.mpe	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.targetsize-72_altform-unplated.png	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\bg_pattern_RHP.png	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\icon_hint.png	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailSmallTile.scale-100.png	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Should.Tests.ps1	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt.RYK	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-pl.xrm-ms.RYK	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon_2x.png.RYK	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\SharpDXEngine\Rendering\Shaders\Builtin\HLSL\ConstantsPerObjectLighted.fx	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\LiveTiles\DirectionsWide.png	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.ViewerPlugin\CompositeSurface\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TimerWideTile.scale-100.png	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ar-ae\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe

Drops file in Windows directory 64 IoCs

Processes:

00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe

description	ioc	process
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\pris\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-gameexplorer.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_4e89760c651f778c\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-robocopy.resources_31bf3856ad364e35_10.0.15063.0_de-de_1cedc2483a5f2f0b\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-srdelayed_31bf3856ad364e35_10.0.15063.0_none_6771310c94f65435\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-i..henticationbinaries_31bf3856ad364e35_10.0.15063.0_none_3c05ed69692a9c2b\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xaml.resources\v4.0_4.0.0.0_ja_b77a5c561934e089\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ndis-tdi-bindingengine_31bf3856ad364e35_10.0.15063.0_none_4f28c09d5e567ff6\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\msil_windowsbase.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_b8929dd34edd88ac\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-e..extension.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_d848455295049ef7\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-directshow-mpeg2_31bf3856ad364e35_10.0.15063.0_none_6b04685322b67236\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-w..vider-exe.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_dda34d0ce2887dd9\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_qd3x64.inf_31bf3856ad364e35_10.0.15063.0_none_d4c34c06ea6ae415\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.SmartTag\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\InstallUtil.resources\v4.0_4.0.0.0_es_b03f5f7f11d50a3a\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.NetworkInformation\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-console.resources_31bf3856ad364e35_10.0.15063.0_it-it_1be024d345496575\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-font-fms.resources_31bf3856ad364e35_10.0.15063.0_ro-ro_5a51437c920448a4\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-i..l-keyboard-00000454_31bf3856ad364e35_10.0.15063.0_none_03fecb78d08cc2a7\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-cdosys.resources_31bf3856ad364e35_10.0.15063.0_es-es_150b6585428842db\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-n..structure.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_d1ffca5ecd6154c7\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-aero.resources_31bf3856ad364e35_10.0.15063.0_de-de_a26985cda3f5017d\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-fdeploy-adm.resources_31bf3856ad364e35_10.0.15063.0_en-us_42d940738dde0707\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-smbminirdr.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_7f1c8d7de9c8e222\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_rdvgwddmdx11.inf.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_c2c2cf55c3f04bd6\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\msil_system.data.sqlxml.resources_b77a5c561934e089_4.0.14917.0_ja-jp_d1066015f01e1f66\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..ecore-acm.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_0d4597ab2fc44e95\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-b..se-client.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_cd753d43a9ad91bb\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_netfx4-microsoft.jscript.resources_b03f5f7f11d50a3a_4.0.14917.0_de-de_8f1dfa278cfac917\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_iastorav.inf.resources_31bf3856ad364e35_10.0.15063.0_de-de_52b30c630370b47b\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-dafupnp.resources_31bf3856ad364e35_10.0.15063.0_en-us_42357e930c57f865\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-holosi-desktop_31bf3856ad364e35_10.0.15063.0_none_06483e429e99bc03\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-icm-dccw.resources_31bf3856ad364e35_10.0.15063.0_en-us_d5f4f6ed54bd850e\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..-printbrm.resources_31bf3856ad364e35_10.0.15063.0_es-es_5a23e52b2da3b1a6\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-e..extension.resources_31bf3856ad364e35_10.0.15063.0_it-it_b81b914737d5c27a\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_netb57va.inf_31bf3856ad364e35_10.0.15063.0_none_0d3da08003550fd5\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-autoconv.resources_31bf3856ad364e35_10.0.15063.0_de-de_12ce31e02c961c35\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_c_fsencryption.inf.resources_31bf3856ad364e35_10.0.15063.0_en-us_6de75a735021c219\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_fusionv2.inf.resources_31bf3856ad364e35_10.0.15063.0_en-us_59c40466bb4315f5\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..s-devices.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_5faf4b1023374f1e\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\Temp\InFlight\b7a0f17a1350d801fb1c00009801c808\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_sensorsservicedriver.inf.resources_31bf3856ad364e35_10.0.15063.0_de-de_2789e49cd7330362\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-o..y-webauth.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_14963a521b626f3e\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\x86_netfx4-system.net_b03f5f7f11d50a3a_4.0.14917.0_none_6e50bf127b071752\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\INF\MSDTC\0411\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..ssionstaticbinaries_31bf3856ad364e35_10.0.15063.0_none_68ced98364a3bb7b\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-wmi-printer-mof_31bf3856ad364e35_10.0.15063.0_none_ca4265591ba8211b\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_netfx4-system.data.linq.resources_b03f5f7f11d50a3a_4.0.14917.0_fr-fr_96381f3b5938d477\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-quickassist.resources_31bf3856ad364e35_10.0.15063.0_hr-hr_06752cdc0ebab357\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..plus-admin-comadmin_31bf3856ad364e35_10.0.15063.0_none_4275086df7cff7ea\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-l2gpstore.resources_31bf3856ad364e35_10.0.15063.0_it-it_c90cadc414b85f30\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_netfx4-_networkingperfcounters_v2_ini_b03f5f7f11d50a3a_4.0.15552.17062_none_8309b913acab6565\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-mpr.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_04be59be5e759405\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-d..changjieds-binaries_31bf3856ad364e35_10.0.15063.0_none_561077b390a037fc\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-l..education.resources_31bf3856ad364e35_10.0.15063.0_en-us_b3864d00b112a36a\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..ecore-winrt-storage_31bf3856ad364e35_10.0.15063.0_none_138abea83bf8bb40\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-wsp-health.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_d523a2f8704a4e1a\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_a20928e221e45f35\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-d..ne-dsmgmt.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_2f422241603f5710\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..l-message.resources_31bf3856ad364e35_10.0.15063.0_de-de_a88f36240d094a11\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-wcl-core_31bf3856ad364e35_10.0.15063.0_none_97cab8982f919ed0\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-e..ilterservice-client_31bf3856ad364e35_10.0.15063.0_none_db0a8bff5c2b8561\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-r..comserver.resources_31bf3856ad364e35_10.0.15063.0_de-de_42168a526a3a6ce5\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-i..ng-legacy.resources_31bf3856ad364e35_11.0.15063.0_en-us_3b702f5b9a7eca4b\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

647248 1136 WerFault.exe 00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2668 vssadmin.exe
7412 vssadmin.exe
Runs net.exe

pid	pid_target	process	target process
647248	1136	WerFault.exe	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe

pid	process
2668	vssadmin.exe
7412	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exepvdDzhQ.exe

pid	process
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
3744	pvdDzhQ.exe
3744	pvdDzhQ.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
3744	pvdDzhQ.exe
3744	pvdDzhQ.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
3744	pvdDzhQ.exe
3744	pvdDzhQ.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
3744	pvdDzhQ.exe
3744	pvdDzhQ.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
3744	pvdDzhQ.exe
3744	pvdDzhQ.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
3744	pvdDzhQ.exe
3744	pvdDzhQ.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
3744	pvdDzhQ.exe
3744	pvdDzhQ.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
3744	pvdDzhQ.exe
3744	pvdDzhQ.exe
3744	pvdDzhQ.exe
3744	pvdDzhQ.exe
3744	pvdDzhQ.exe
3744	pvdDzhQ.exe
3744	pvdDzhQ.exe
3744	pvdDzhQ.exe
3744	pvdDzhQ.exe
3744	pvdDzhQ.exe
3744	pvdDzhQ.exe
3744	pvdDzhQ.exe
3744	pvdDzhQ.exe
3744	pvdDzhQ.exe
3744	pvdDzhQ.exe
3744	pvdDzhQ.exe
3744	pvdDzhQ.exe
3744	pvdDzhQ.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exepvdDzhQ.exe

pid process

1308 00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
1840 pvdDzhQ.exe

pid	process
1308	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
1840	pvdDzhQ.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exevssvc.exepvdDzhQ.exe

description	pid	process
Token: SeBackupPrivilege	1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
Token: SeBackupPrivilege	2652	vssvc.exe
Token: SeRestorePrivilege	2652	vssvc.exe
Token: SeAuditPrivilege	2652	vssvc.exe
Token: SeBackupPrivilege	3744	pvdDzhQ.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exepvdDzhQ.exe

pid process

1308 00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
1840 pvdDzhQ.exe

pid	process
1308	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
1840	pvdDzhQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exepvdDzhQ.exenet.exenet.execmd.exenet.exenet.exepvdDzhQ.execmd.exenet.exe

description	pid	process	target process
PID 1308 wrote to memory of 1136	1308	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
PID 1308 wrote to memory of 1136	1308	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
PID 1308 wrote to memory of 1136	1308	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
PID 1308 wrote to memory of 1136	1308	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
PID 1136 wrote to memory of 1840	1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	pvdDzhQ.exe
PID 1136 wrote to memory of 1840	1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	pvdDzhQ.exe
PID 1136 wrote to memory of 1840	1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	pvdDzhQ.exe
PID 1136 wrote to memory of 3140	1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	net.exe
PID 1136 wrote to memory of 3140	1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	net.exe
PID 1136 wrote to memory of 3140	1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	net.exe
PID 1840 wrote to memory of 3744	1840	pvdDzhQ.exe	pvdDzhQ.exe
PID 1840 wrote to memory of 3744	1840	pvdDzhQ.exe	pvdDzhQ.exe
PID 1840 wrote to memory of 3744	1840	pvdDzhQ.exe	pvdDzhQ.exe
PID 1840 wrote to memory of 3744	1840	pvdDzhQ.exe	pvdDzhQ.exe
PID 1136 wrote to memory of 3952	1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	net.exe
PID 1136 wrote to memory of 3952	1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	net.exe
PID 1136 wrote to memory of 3952	1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	net.exe
PID 3140 wrote to memory of 2596	3140	net.exe	net1.exe
PID 3140 wrote to memory of 2596	3140	net.exe	net1.exe
PID 3140 wrote to memory of 2596	3140	net.exe	net1.exe
PID 3952 wrote to memory of 1176	3952	net.exe	net1.exe
PID 3952 wrote to memory of 1176	3952	net.exe	net1.exe
PID 3952 wrote to memory of 1176	3952	net.exe	net1.exe
PID 1136 wrote to memory of 1628	1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	icacls.exe
PID 1136 wrote to memory of 1628	1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	icacls.exe
PID 1136 wrote to memory of 1628	1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	icacls.exe
PID 1136 wrote to memory of 588	1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	icacls.exe
PID 1136 wrote to memory of 588	1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	icacls.exe
PID 1136 wrote to memory of 588	1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	icacls.exe
PID 1136 wrote to memory of 3972	1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	cmd.exe
PID 1136 wrote to memory of 3972	1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	cmd.exe
PID 1136 wrote to memory of 3972	1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	cmd.exe
PID 3972 wrote to memory of 2668	3972	cmd.exe	vssadmin.exe
PID 3972 wrote to memory of 2668	3972	cmd.exe	vssadmin.exe
PID 3972 wrote to memory of 2668	3972	cmd.exe	vssadmin.exe
PID 1136 wrote to memory of 1940	1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	net.exe
PID 1136 wrote to memory of 1940	1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	net.exe
PID 1136 wrote to memory of 1940	1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	net.exe
PID 1940 wrote to memory of 1652	1940	net.exe	net1.exe
PID 1940 wrote to memory of 1652	1940	net.exe	net1.exe
PID 1940 wrote to memory of 1652	1940	net.exe	net1.exe
PID 1136 wrote to memory of 2172	1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	net.exe
PID 1136 wrote to memory of 2172	1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	net.exe
PID 1136 wrote to memory of 2172	1136	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	net.exe
PID 2172 wrote to memory of 4692	2172	net.exe	net1.exe
PID 2172 wrote to memory of 4692	2172	net.exe	net1.exe
PID 2172 wrote to memory of 4692	2172	net.exe	net1.exe
PID 3744 wrote to memory of 6772	3744	pvdDzhQ.exe	icacls.exe
PID 3744 wrote to memory of 6772	3744	pvdDzhQ.exe	icacls.exe
PID 3744 wrote to memory of 6772	3744	pvdDzhQ.exe	icacls.exe
PID 3744 wrote to memory of 6784	3744	pvdDzhQ.exe	icacls.exe
PID 3744 wrote to memory of 6784	3744	pvdDzhQ.exe	icacls.exe
PID 3744 wrote to memory of 6784	3744	pvdDzhQ.exe	icacls.exe
PID 3744 wrote to memory of 6804	3744	pvdDzhQ.exe	cmd.exe
PID 3744 wrote to memory of 6804	3744	pvdDzhQ.exe	cmd.exe
PID 3744 wrote to memory of 6804	3744	pvdDzhQ.exe	cmd.exe
PID 6804 wrote to memory of 7412	6804	cmd.exe	vssadmin.exe
PID 6804 wrote to memory of 7412	6804	cmd.exe	vssadmin.exe
PID 6804 wrote to memory of 7412	6804	cmd.exe	vssadmin.exe
PID 3744 wrote to memory of 8332	3744	pvdDzhQ.exe	net.exe
PID 3744 wrote to memory of 8332	3744	pvdDzhQ.exe	net.exe
PID 3744 wrote to memory of 8332	3744	pvdDzhQ.exe	net.exe
PID 8332 wrote to memory of 8396	8332	net.exe	net1.exe
PID 8332 wrote to memory of 8396	8332	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
"C:\Users\Admin\AppData\Local\Temp\00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1308

C:\Users\Admin\AppData\Local\Temp\00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
"C:\Users\Admin\AppData\Local\Temp\00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe"
2⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1136

C:\Users\Admin\AppData\Local\Temp\pvdDzhQ.exe
"C:\Users\Admin\AppData\Local\Temp\pvdDzhQ.exe" 8 LAN
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1840

C:\Users\Admin\AppData\Local\Temp\pvdDzhQ.exe
"C:\Users\Admin\AppData\Local\Temp\pvdDzhQ.exe" 8 LAN
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
5⤵
- Modifies file permissions
PID:6772

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
5⤵
- Modifies file permissions
PID:6784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin.exe Delete Shadows /all /quiet
5⤵
- Suspicious use of WriteProcessMemory
PID:6804

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
6⤵
- Interacts with shadow copies
PID:7412

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
- Suspicious use of WriteProcessMemory
PID:8332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:8396

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:97800

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:98208

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:188104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:188728

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:307928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:308048

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:327852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:328352

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:439224

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:439344

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:514508

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:514916

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:629768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:630464

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:679796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:679844

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:708084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:708132

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:738220

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:738284

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:761912

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:761960

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:785932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:785976

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:801688

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:801744

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:814596

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:814656

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:837808

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:837956

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:870360

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:6836

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:319492

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:691808

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:691628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:681784

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:890496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:890752

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:910628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:910676

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:959652

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:959700

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:1.027428e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:1.027508e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:1.066596e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:1.066652e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:1.087268e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:1.087456e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:1.114408e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:1.114816e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:985804

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:1.148932e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:1.148952e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:1.149e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:1.149048e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:1.149096e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:1.171136e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:1.17122e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:1.190408e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:1.190456e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:1.246632e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:1.246752e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:1.313672e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:1.313848e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:1.34532e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:1.345376e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
PID:1.365552e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:1.365608e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
4⤵
PID:2596

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1176

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:1628

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin.exe Delete Shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:2668

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
4⤵
PID:1652

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:4692

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:77420

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:77436

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:80712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:81124

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:171200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:171980

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:173408

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:173816

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:291428

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:292220

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:294184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:294596

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:313432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:313484

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:313528

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:313576

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:426976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:427032

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:428288

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:428344

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:493384

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:493436

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:496596

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:496612

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:618264

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:618316

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:619500

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:619840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 591980
3⤵
- Program crash
PID:647248

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK
Filesize
338B

MD5
23f0a7221181db4287ce2821e4b9b98a

SHA1
ed4cdbd32279359b3788ef9c708adcc79fdb74ae

SHA256
66be13b8dd3626fcda15bd67a15ebaf8c09185758a20e5cfcdf54c9a66093cf8

SHA512
1112e5b4f55cce23a1dd1f33faef1d7e97999227e4713a15cf5283cdcd8ce17bfac4dc1009e8926f71b4824c73aa56533b8659cd305a41bb167516fecce12810

Download Submit
C:\Users\Admin\.oracle_jre_usage\RyukReadMe.html
Filesize
627B

MD5
5bfa9bbd92e2313dcebef3737e31fcd3

SHA1
1962115ecc2e5a1cd8077bcdcfa156d0647e71f5

SHA256
79d10ce3c722175cef4e348bd5fce74ffd82eadc3da71aa6b9f50a65c9d2aace

SHA512
024ae8ab82b080141c062188a6a8c3a6d014ac42a87ebb53492baf674cd482778c6abaf566c908a092fb7c4d35120004fff8141dda593cbceabe027c74cdd49e

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst.RYK
Filesize
1KB

MD5
ed9debd36ac0f92f36e4dffcee6e37ef

SHA1
e93ef410f2b62e8ac1040f1004ef1d127a4b508b

SHA256
dd5860f436ed65fdf41986052be81eb084becfbca6f2122088762d5e42026e8e

SHA512
16aa17aaeef1ff6d582358eb9072f2f4d6c1304a8e58e54d96b4b9be4aa2f4d43091884ded7444bad9df478d6ab36a5695686c8ad7f5e90a78885a426030467f

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst.RYK
Filesize
72KB

MD5
cab431e551783f987f231c35c801aa1a

SHA1
e49cf28b2bcf072d2c439fa48f5b3fc5e2563e61

SHA256
6a014175dfa8c327b24d11dccd6f22150866f7389ac864db588fc8f662308a56

SHA512
8df75c3c6c7bae17febf7d1482fe831835c0c8ccab1a9ec3253551ae7875f25ba401f1dd2cdb255cafb9da6bb649974250d2a73b1159b59fb50759a082be8a09

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt19.lst.RYK
Filesize
9KB

MD5
8b5a405c5bd9eda7fcc30d2f542edd40

SHA1
54ffba53f947300ba4c53f3c4fea2d86f51db2e8

SHA256
701521fc32a8516243c020e5af692cc765a01d264a38cd96a0cc9b80ec695728

SHA512
5d50e148f746681f2f0aa2e0f1d0d830a86e9ac52ac0c56a638b0ba58aaa9e384ac996bc88cbdca54c3805954353d33b1f710b2e89c77282fdb1f7094deeb18f

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\RyukReadMe.html
Filesize
627B

MD5
5bfa9bbd92e2313dcebef3737e31fcd3

SHA1
1962115ecc2e5a1cd8077bcdcfa156d0647e71f5

SHA256
79d10ce3c722175cef4e348bd5fce74ffd82eadc3da71aa6b9f50a65c9d2aace

SHA512
024ae8ab82b080141c062188a6a8c3a6d014ac42a87ebb53492baf674cd482778c6abaf566c908a092fb7c4d35120004fff8141dda593cbceabe027c74cdd49e

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat.RYK
Filesize
68KB

MD5
c571332d2640d97b514419a9131dcbab

SHA1
9058a97ab2eebb1e6dc8f72e2015c34e38bffe3d

SHA256
7582c8500012cc6d5bccd85915cc921517d3de235e8095a4e52ff7f34add2a55

SHA512
d09a63dc2ce8717431b34fac8dded5928b4473d1cce25b4c29763881f06232d5c46d68d6f866ea1a7a0dc7011195a42bb8e6c6a8e59cbe1babf3af4d0ce37f5b

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html
Filesize
627B

MD5
5bfa9bbd92e2313dcebef3737e31fcd3

SHA1
1962115ecc2e5a1cd8077bcdcfa156d0647e71f5

SHA256
79d10ce3c722175cef4e348bd5fce74ffd82eadc3da71aa6b9f50a65c9d2aace

SHA512
024ae8ab82b080141c062188a6a8c3a6d014ac42a87ebb53492baf674cd482778c6abaf566c908a092fb7c4d35120004fff8141dda593cbceabe027c74cdd49e

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK
Filesize
12KB

MD5
93c0bb855406448b8b1b56334d66c1c6

SHA1
168b32aa5f7eb9851db86bbf3dda319c0d5a09c1

SHA256
6eca6846d0f08f127ffbe6bb79476b496ac9dde365b1914d6d8eae3e7659eed9

SHA512
ef047bf403fdfeca7be344080e6aadb384ba1bbac33cdb8cd48f8a8375709564ab218040877a69c8c3d42253c43a3bb10d3701d254c82519829f151648536f32

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\ToolsSearchCacheRdr\RyukReadMe.html
Filesize
627B

MD5
5bfa9bbd92e2313dcebef3737e31fcd3

SHA1
1962115ecc2e5a1cd8077bcdcfa156d0647e71f5

SHA256
79d10ce3c722175cef4e348bd5fce74ffd82eadc3da71aa6b9f50a65c9d2aace

SHA512
024ae8ab82b080141c062188a6a8c3a6d014ac42a87ebb53492baf674cd482778c6abaf566c908a092fb7c4d35120004fff8141dda593cbceabe027c74cdd49e

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK
Filesize
31KB

MD5
b280a28aa39b62660c16153a35819190

SHA1
82206d2a96e69a810951a210188f4aef20fbc220

SHA256
cebc44f1a619d2ecfd833f797bb3058c8d5b9f21d5e20ec524d0d1078f01e943

SHA512
038a916a8ccac274de127d81142ea6128141b71336e6329f6e9e7be076d426963016ceede80ea45353c9b6f3a1005eff723c03f9bec4e3179aae7d2ceb3ac656

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
Filesize
627B

MD5
5bfa9bbd92e2313dcebef3737e31fcd3

SHA1
1962115ecc2e5a1cd8077bcdcfa156d0647e71f5

SHA256
79d10ce3c722175cef4e348bd5fce74ffd82eadc3da71aa6b9f50a65c9d2aace

SHA512
024ae8ab82b080141c062188a6a8c3a6d014ac42a87ebb53492baf674cd482778c6abaf566c908a092fb7c4d35120004fff8141dda593cbceabe027c74cdd49e

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK
Filesize
1KB

MD5
24dccc7f8fec390fd6c12c84c041a06e

SHA1
cfa2a3438b7f1c6cf0ac5f2b384999513da41a1f

SHA256
d768f4534a78d98cdf07b90c584f4b2cd662bbd95e7e601906c9482f6bb8a1f6

SHA512
e3b69bd4904d4b94a5402d7c571de22782f2d25c6ea35e5ee6feb02c2bd199bd8dcaf342d70e13b675340b472bb02e9d8803a5ce19f557ca90a6dfe10591d7f0

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
Filesize
627B

MD5
5bfa9bbd92e2313dcebef3737e31fcd3

SHA1
1962115ecc2e5a1cd8077bcdcfa156d0647e71f5

SHA256
79d10ce3c722175cef4e348bd5fce74ffd82eadc3da71aa6b9f50a65c9d2aace

SHA512
024ae8ab82b080141c062188a6a8c3a6d014ac42a87ebb53492baf674cd482778c6abaf566c908a092fb7c4d35120004fff8141dda593cbceabe027c74cdd49e

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
Filesize
2KB

MD5
f980a03ffc88a90921f0c7c395fee7d0

SHA1
f3864eab24c19dd4cff18584f5369b6a0a0316a1

SHA256
7a6a854a3861c276e38273560b699092cf59bee672bf43d3f9585afa98d6ed1c

SHA512
5a35c9cbcd30ecf6311501da97a351ffa27e501ee5b7853d0b526a8044599667f3c3d9f1b9d176fae6d45a04b9f1264ad2b4662d82c00dfbe3a5725a2267c8f3

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
Filesize
64KB

MD5
bcc235ee26b22296c55b9274d65bfaf2

SHA1
50a3f8a023123b6cde9301af9f5e2cc3c2324448

SHA256
91af892fe23a1c1e6bc3b2a3bd144fd113e7f51cd32cac4815ca76646da57bc0

SHA512
d0d3e32c436542758165bb21ed7a5008879dd9b16b2c148b07abb6c143c1a1a15845c17ba67bc8adbf5abf3ae1a9aa01b6f2e954dfa534bd133bea7855659827

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html
Filesize
627B

MD5
5bfa9bbd92e2313dcebef3737e31fcd3

SHA1
1962115ecc2e5a1cd8077bcdcfa156d0647e71f5

SHA256
79d10ce3c722175cef4e348bd5fce74ffd82eadc3da71aa6b9f50a65c9d2aace

SHA512
024ae8ab82b080141c062188a6a8c3a6d014ac42a87ebb53492baf674cd482778c6abaf566c908a092fb7c4d35120004fff8141dda593cbceabe027c74cdd49e

Download Submit
C:\Users\Admin\AppData\Local\Adobe\RyukReadMe.html
Filesize
627B

MD5
5bfa9bbd92e2313dcebef3737e31fcd3

SHA1
1962115ecc2e5a1cd8077bcdcfa156d0647e71f5

SHA256
79d10ce3c722175cef4e348bd5fce74ffd82eadc3da71aa6b9f50a65c9d2aace

SHA512
024ae8ab82b080141c062188a6a8c3a6d014ac42a87ebb53492baf674cd482778c6abaf566c908a092fb7c4d35120004fff8141dda593cbceabe027c74cdd49e

Download Submit
C:\Users\Admin\AppData\Local\Comms\RyukReadMe.html
Filesize
627B

MD5
5bfa9bbd92e2313dcebef3737e31fcd3

SHA1
1962115ecc2e5a1cd8077bcdcfa156d0647e71f5

SHA256
79d10ce3c722175cef4e348bd5fce74ffd82eadc3da71aa6b9f50a65c9d2aace

SHA512
024ae8ab82b080141c062188a6a8c3a6d014ac42a87ebb53492baf674cd482778c6abaf566c908a092fb7c4d35120004fff8141dda593cbceabe027c74cdd49e

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\RyukReadMe.html
Filesize
627B

MD5
5bfa9bbd92e2313dcebef3737e31fcd3

SHA1
1962115ecc2e5a1cd8077bcdcfa156d0647e71f5

SHA256
79d10ce3c722175cef4e348bd5fce74ffd82eadc3da71aa6b9f50a65c9d2aace

SHA512
024ae8ab82b080141c062188a6a8c3a6d014ac42a87ebb53492baf674cd482778c6abaf566c908a092fb7c4d35120004fff8141dda593cbceabe027c74cdd49e

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm.RYK
Filesize
16KB

MD5
3090c3516e2c442174735b60a72e8bea

SHA1
6f9d9696dcd9cfba6160f8213151685f8459763a

SHA256
e60875374c876f35d3648276eaaacb43c38f1022d921e96b37baff702359aed6

SHA512
56d7674cca1dd4c4c2952dba62718d2637b9340de93993f9f356974c165ceb2fe6ce7785d23629625872c81fddb2817463ce88dca7d9744b2ff90accfc351b64

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.vol.RYK
Filesize
6.5MB

MD5
b49b624564f0dc19836f11b77e6dca0f

SHA1
f68a7167f3931d31976403e7eaf0958114378cd1

SHA256
77bcd51056aa60e5c0c84535ab624c93d4fdad8d94398d755a55a6eb6cc6b01b

SHA512
b26e91d77c3fb158584b2e34e4ce30e692f9e011b9363397718851f951bae2a34448953a5676d9f5c0de78bdb936094f18ac104d6f23f919099245bd744715e1

Download Submit
C:\Users\Admin\AppData\Local\Comms\Unistore\RyukReadMe.html
Filesize
627B

MD5
5bfa9bbd92e2313dcebef3737e31fcd3

SHA1
1962115ecc2e5a1cd8077bcdcfa156d0647e71f5

SHA256
79d10ce3c722175cef4e348bd5fce74ffd82eadc3da71aa6b9f50a65c9d2aace

SHA512
024ae8ab82b080141c062188a6a8c3a6d014ac42a87ebb53492baf674cd482778c6abaf566c908a092fb7c4d35120004fff8141dda593cbceabe027c74cdd49e

Download Submit
C:\Users\Admin\AppData\Local\Comms\Unistore\data\RyukReadMe.html
Filesize
627B

MD5
5bfa9bbd92e2313dcebef3737e31fcd3

SHA1
1962115ecc2e5a1cd8077bcdcfa156d0647e71f5

SHA256
79d10ce3c722175cef4e348bd5fce74ffd82eadc3da71aa6b9f50a65c9d2aace

SHA512
024ae8ab82b080141c062188a6a8c3a6d014ac42a87ebb53492baf674cd482778c6abaf566c908a092fb7c4d35120004fff8141dda593cbceabe027c74cdd49e

Download Submit
C:\Users\Admin\AppData\Local\Comms\Unistore\data\temp\RyukReadMe.html
Filesize
627B

MD5
5bfa9bbd92e2313dcebef3737e31fcd3

SHA1
1962115ecc2e5a1cd8077bcdcfa156d0647e71f5

SHA256
79d10ce3c722175cef4e348bd5fce74ffd82eadc3da71aa6b9f50a65c9d2aace

SHA512
024ae8ab82b080141c062188a6a8c3a6d014ac42a87ebb53492baf674cd482778c6abaf566c908a092fb7c4d35120004fff8141dda593cbceabe027c74cdd49e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\RyukReadMe.html
Filesize
627B

MD5
5bfa9bbd92e2313dcebef3737e31fcd3

SHA1
1962115ecc2e5a1cd8077bcdcfa156d0647e71f5

SHA256
79d10ce3c722175cef4e348bd5fce74ffd82eadc3da71aa6b9f50a65c9d2aace

SHA512
024ae8ab82b080141c062188a6a8c3a6d014ac42a87ebb53492baf674cd482778c6abaf566c908a092fb7c4d35120004fff8141dda593cbceabe027c74cdd49e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\RyukReadMe.html
Filesize
627B

MD5
5bfa9bbd92e2313dcebef3737e31fcd3

SHA1
1962115ecc2e5a1cd8077bcdcfa156d0647e71f5

SHA256
79d10ce3c722175cef4e348bd5fce74ffd82eadc3da71aa6b9f50a65c9d2aace

SHA512
024ae8ab82b080141c062188a6a8c3a6d014ac42a87ebb53492baf674cd482778c6abaf566c908a092fb7c4d35120004fff8141dda593cbceabe027c74cdd49e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\RyukReadMe.html
Filesize
627B

MD5
5bfa9bbd92e2313dcebef3737e31fcd3

SHA1
1962115ecc2e5a1cd8077bcdcfa156d0647e71f5

SHA256
79d10ce3c722175cef4e348bd5fce74ffd82eadc3da71aa6b9f50a65c9d2aace

SHA512
024ae8ab82b080141c062188a6a8c3a6d014ac42a87ebb53492baf674cd482778c6abaf566c908a092fb7c4d35120004fff8141dda593cbceabe027c74cdd49e

Download Submit
C:\Users\Admin\AppData\Local\Packages\RyukReadMe.html
Filesize
627B

MD5
5bfa9bbd92e2313dcebef3737e31fcd3

SHA1
1962115ecc2e5a1cd8077bcdcfa156d0647e71f5

SHA256
79d10ce3c722175cef4e348bd5fce74ffd82eadc3da71aa6b9f50a65c9d2aace

SHA512
024ae8ab82b080141c062188a6a8c3a6d014ac42a87ebb53492baf674cd482778c6abaf566c908a092fb7c4d35120004fff8141dda593cbceabe027c74cdd49e

Download Submit
C:\Users\Admin\AppData\Local\Packages\windows_ie_ac_001\RyukReadMe.html
Filesize
627B

MD5
5bfa9bbd92e2313dcebef3737e31fcd3

SHA1
1962115ecc2e5a1cd8077bcdcfa156d0647e71f5

SHA256
79d10ce3c722175cef4e348bd5fce74ffd82eadc3da71aa6b9f50a65c9d2aace

SHA512
024ae8ab82b080141c062188a6a8c3a6d014ac42a87ebb53492baf674cd482778c6abaf566c908a092fb7c4d35120004fff8141dda593cbceabe027c74cdd49e

Download Submit
C:\Users\Admin\AppData\Local\PeerDistRepub\RyukReadMe.html
Filesize
627B

MD5
5bfa9bbd92e2313dcebef3737e31fcd3

SHA1
1962115ecc2e5a1cd8077bcdcfa156d0647e71f5

SHA256
79d10ce3c722175cef4e348bd5fce74ffd82eadc3da71aa6b9f50a65c9d2aace

SHA512
024ae8ab82b080141c062188a6a8c3a6d014ac42a87ebb53492baf674cd482778c6abaf566c908a092fb7c4d35120004fff8141dda593cbceabe027c74cdd49e

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\RyukReadMe.html
Filesize
627B

MD5
5bfa9bbd92e2313dcebef3737e31fcd3

SHA1
1962115ecc2e5a1cd8077bcdcfa156d0647e71f5

SHA256
79d10ce3c722175cef4e348bd5fce74ffd82eadc3da71aa6b9f50a65c9d2aace

SHA512
024ae8ab82b080141c062188a6a8c3a6d014ac42a87ebb53492baf674cd482778c6abaf566c908a092fb7c4d35120004fff8141dda593cbceabe027c74cdd49e

Download Submit
C:\Users\Admin\AppData\Local\Publishers\RyukReadMe.html
Filesize
627B

MD5
5bfa9bbd92e2313dcebef3737e31fcd3

SHA1
1962115ecc2e5a1cd8077bcdcfa156d0647e71f5

SHA256
79d10ce3c722175cef4e348bd5fce74ffd82eadc3da71aa6b9f50a65c9d2aace

SHA512
024ae8ab82b080141c062188a6a8c3a6d014ac42a87ebb53492baf674cd482778c6abaf566c908a092fb7c4d35120004fff8141dda593cbceabe027c74cdd49e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2858165151\RyukReadMe.html
Filesize
627B

MD5
5bfa9bbd92e2313dcebef3737e31fcd3

SHA1
1962115ecc2e5a1cd8077bcdcfa156d0647e71f5

SHA256
79d10ce3c722175cef4e348bd5fce74ffd82eadc3da71aa6b9f50a65c9d2aace

SHA512
024ae8ab82b080141c062188a6a8c3a6d014ac42a87ebb53492baf674cd482778c6abaf566c908a092fb7c4d35120004fff8141dda593cbceabe027c74cdd49e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log.RYK
Filesize
2KB

MD5
24287b6790aa021147d4bdc9c1e2933d

SHA1
05414f30c2bc2b4daa40403add5b478f85cf0874

SHA256
cabcd6b7da7041347810c13d3293b1d534979c91ee117f8e1c1c86a6bf5ead55

SHA512
b6fdf09b63a1b49453adc6715e5e9a9f846acf650511b453f9f3265519663c2f72e3b3e2750d3cf2b25caca233a92f389caf52cacf475cc0153c013b6ab753cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log.RYK
Filesize
25KB

MD5
d1c5d93ae3593d6c08829d559c33bb59

SHA1
3358293117f96780e33132ecaada26ea4af61a93

SHA256
5e97bbf222cb615691932f5354278c677de365790040a5b1237fc29e166d9ffb

SHA512
7948d8ea0dae1800d2f84facf097b1cc5fb27f458149edcd17379475f961df357b3e3d8100c638e7903ef1780d2fed31de945df0d40a29c91cdab5b0c321df9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\RyukReadMe.html
Filesize
627B

MD5
5bfa9bbd92e2313dcebef3737e31fcd3

SHA1
1962115ecc2e5a1cd8077bcdcfa156d0647e71f5

SHA256
79d10ce3c722175cef4e348bd5fce74ffd82eadc3da71aa6b9f50a65c9d2aace

SHA512
024ae8ab82b080141c062188a6a8c3a6d014ac42a87ebb53492baf674cd482778c6abaf566c908a092fb7c4d35120004fff8141dda593cbceabe027c74cdd49e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
Filesize
627B

MD5
5bfa9bbd92e2313dcebef3737e31fcd3

SHA1
1962115ecc2e5a1cd8077bcdcfa156d0647e71f5

SHA256
79d10ce3c722175cef4e348bd5fce74ffd82eadc3da71aa6b9f50a65c9d2aace

SHA512
024ae8ab82b080141c062188a6a8c3a6d014ac42a87ebb53492baf674cd482778c6abaf566c908a092fb7c4d35120004fff8141dda593cbceabe027c74cdd49e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UOOVVPMV-20220414-1530.log.RYK
Filesize
58KB

MD5
98f4cf2a99ba9002c4080f162c94e56e

SHA1
858f45bb71b14c03d39ad68f933676efba01c599

SHA256
1d52dbd9afa525354400b7afe67d991a3e339333ca6c76855a5207b29c6585ad

SHA512
d247898c3b1cdac80919355c6b18f3e69c3cd2723b65fa6e29c8420cc0af1f207a07fd76ba5ea6196be9b5747052d8eb0c8c9e3352f3f7345032655e2c99a94e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UOOVVPMV-20220414-1530a.log.RYK
Filesize
187KB

MD5
f06953551e18f5cb32cea410e03b9a11

SHA1
31ce53e8f8044f2f9739fa39141873653ec1b5d6

SHA256
db0c304e2001b8f5e3742904546c0d788bb814a86226e279834e6e06d1c71d0d

SHA512
9beb29fe7cb3d64fcf52d646ade5e5592d407f087105051dddd65d1b50a94e38fd521db95d960b9a27c94b520fde65befe207a8c4104ec88c6493c8a6cbef74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\RyukReadMe.html
Filesize
627B

MD5
5bfa9bbd92e2313dcebef3737e31fcd3

SHA1
1962115ecc2e5a1cd8077bcdcfa156d0647e71f5

SHA256
79d10ce3c722175cef4e348bd5fce74ffd82eadc3da71aa6b9f50a65c9d2aace

SHA512
024ae8ab82b080141c062188a6a8c3a6d014ac42a87ebb53492baf674cd482778c6abaf566c908a092fb7c4d35120004fff8141dda593cbceabe027c74cdd49e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log.RYK
Filesize
2KB

MD5
ea0457dc1774149709ffc1655bb59c14

SHA1
c289f74338b8c1ce4149aa3822487bd602418a91

SHA256
6b4dbcd90ba5348ae28ff377b64b4e95020fe29637f57e4ca159a8d6d2e4f0d7

SHA512
5b75c1493be3b0d5a4e286882e3e171069a0c0899f48fc24eb37188295b038526008ab1046c3bbcc655f28ca24c5b68c05c5c80287e81f08dc2daf1e9c9a4cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt.RYK
Filesize
2KB

MD5
5faf1187e11fb1051cfca357ef058c08

SHA1
02a0fe8c5c4ad9025a385647b8709714b24baecc

SHA256
6ebdd18f1e5353c3b913f15529e376d6c9a4046f5b763f02acb89761ca79e42b

SHA512
1df9173974a4a5eec8c9dbc6f6ba09cc991d479ec5f22b235be924d21f27344c1d9a869db15906457edb223f11ea687cd397a0eadec2fe9e80863899abe916a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI7C50.txt.RYK
Filesize
426KB

MD5
9bfce8850c5ce827d01fb049ad1040a3

SHA1
f4c1b1c33c80e519a7a3b908f6bf540ce8fc719f

SHA256
4e6068632214afa08024944914dfd85ba13cac48feae5771c53e8da944783b28

SHA512
8f043d7dbea7da1c04f0e6d526eb0ff3d0480857e654857f4550f23b16e2234457ee670cb33d75705e4a6344ff13cfffdb47671ce3ddc32cee3abe08d61953ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI7C77.txt.RYK
Filesize
413KB

MD5
0a0fcf0a5fc3cacac00e4314f54c408f

SHA1
5cb974568904ad9708642c91397389c1fefe79c6

SHA256
7f92b8166514f7a110c90e6db5ac1a329c48969e2caaf88f5f43e748e5a3623e

SHA512
dbe7be682d4f44a677f84544f53c6ac1c74538097806a8ec9578c39a8b27f87d6e81fa55d1c81b4323e26e5ebf981bb4fe7fc235310f6409c35df9487a78d4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI7C50.txt.RYK
Filesize
11KB

MD5
2ba0f2e6dca1ed5257841a97a1d96ae8

SHA1
fe5ccbe5fc72030172c30ce31e69ac70214560f6

SHA256
39248a821adff7cad6408c37f5d803ca46f91f58ed7812cdb56bb7d279e1dc24

SHA512
8c0ca0992192d7b49898d31a4e30e7728c9dffa8e0c9da97b679977ee41dbf6df07f8c8f9de78c202db6f38c61e66339f13f3491629ce1026db1954bc42f0a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI7C77.txt.RYK
Filesize
11KB

MD5
94161f7ced4278be0fa9e02c16717381

SHA1
aa6a7d7253e9bce82a32d19b95b3dfa0f6c53db7

SHA256
88c80f6f46ba3902514c6591947f3645d820b7610c287ebbeee0e14167b6b418

SHA512
fe4415af12205fefbde91d11902f12e994a91e06b5f1159e042de1156470c51a6c54db5e0eb7e9145a12bb67d31b5ff84f128dfb89e9a3b91da376086ab8a8a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log.RYK
Filesize
266KB

MD5
b113fd10824dfdb726f38f55f620165c

SHA1
12dec68e8dbed1712d72ae1e5d0b379a902d8a4d

SHA256
406222d3c72390e71d839bde98106c621fabfc063bc997c470e628bf45c76f64

SHA512
09de94923bba382878e2cf7cb9325fca29fc29f5c637d8f4ce78e61087b88e3036316ed72a31e5d70217e8ba9cf7b8550b87b15ffdda45846fd29b2175cda8ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\RyukReadMe.html
Filesize
627B

MD5
5bfa9bbd92e2313dcebef3737e31fcd3

SHA1
1962115ecc2e5a1cd8077bcdcfa156d0647e71f5

SHA256
79d10ce3c722175cef4e348bd5fce74ffd82eadc3da71aa6b9f50a65c9d2aace

SHA512
024ae8ab82b080141c062188a6a8c3a6d014ac42a87ebb53492baf674cd482778c6abaf566c908a092fb7c4d35120004fff8141dda593cbceabe027c74cdd49e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pvdDzhQ.exe
Filesize
448KB

MD5
bf7b854542cfa423dee3b7233c4a255e

SHA1
a9b09989972cc063b34c4afcd82ebe9203d61be2

SHA256
00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de

SHA512
147205767585c86b29435ca44a605d06208b7e126007fbc3d5a8c1a30896f03c0d832c07608895cd1e14b3966853306ebac1058f02c2e68efc8f89fad938cada

Download Submit
C:\Users\Admin\AppData\Local\Temp\pvdDzhQ.exe
Filesize
448KB

MD5
bf7b854542cfa423dee3b7233c4a255e

SHA1
a9b09989972cc063b34c4afcd82ebe9203d61be2

SHA256
00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de

SHA512
147205767585c86b29435ca44a605d06208b7e126007fbc3d5a8c1a30896f03c0d832c07608895cd1e14b3966853306ebac1058f02c2e68efc8f89fad938cada

Download Submit
C:\Users\Admin\AppData\Local\Temp\pvdDzhQ.exe
Filesize
448KB

MD5
bf7b854542cfa423dee3b7233c4a255e

SHA1
a9b09989972cc063b34c4afcd82ebe9203d61be2

SHA256
00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de

SHA512
147205767585c86b29435ca44a605d06208b7e126007fbc3d5a8c1a30896f03c0d832c07608895cd1e14b3966853306ebac1058f02c2e68efc8f89fad938cada

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5E1D.tmp.RYK
Filesize
17.0MB

MD5
092848d56cd1fac843b096310f3fa7d2

SHA1
6fb9bb3d7d21bd23259865dd0eb47271df536537

SHA256
e962bb5acfcaebfebe087218f30ba2bcee476ca2a0b188470451d2a621f7ef98

SHA512
4eea8127fddb986136f3388de1bda160bad6582ee2545e8810b08ec8517d3ba3f89d08a7c3054d5e0e78c39b468b01eef3e0c833e8496c6baad099c4f0a00937

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6021.tmp.RYK
Filesize
17.0MB

MD5
3dc9243ab9296a8671d8e24c153c3885

SHA1
f2410348f301caa4725bc2203553f0fb49761010

SHA256
97279119f85dc324af85c5f6db16f6ddfffc4145316993c2bb17386080d3bb05

SHA512
eeeee7fdfaf086679b448b0bdd788e682b2d24d367fb325ba1243cbe2e71871f7c2165e704a2e63314bbe468edede1e82999cd992ffab17e4fb933125b945f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8147.tmp.RYK
Filesize
17.0MB

MD5
13c5f890f75df8b060c5236532b1b540

SHA1
66726042c8de653a82da509adc2d671e6c76efef

SHA256
dd6d78b87132be24be8fabbaedbf4c3320af38bb264f6455f42fccab1fb2dab8

SHA512
1a43bebca3debe4e91e955481eba5842ad37fa71ecc9ad750bf8324c9c867de8ffe0f606bbd8992969ead9300c2d0a78dabc0444d215688b31cbacefe1d572dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp834A.tmp.RYK
Filesize
17.0MB

MD5
7d4bc79bfb288fb21d0a653a416b8490

SHA1
f76e839ddebac2a722157960c337c337529a9fb2

SHA256
c4d290dd3863e942ab9168cbca56c521a5238fe364fac00e36baf8fa1224457f

SHA512
ac34925636f1e93b65881b353498c375a419a26e5b5197847c36e616305db7b2a2296cc57ccb12213f426a16c7cdd75dc7320bace2fe977b341553ad43d226da

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log.RYK
Filesize
962B

MD5
a2cc2270eb579ed99d2934e0e48ba29b

SHA1
7bc0ac3689d5571ab1507dd9216020392253f10a

SHA256
aa17d0c8e7d878128e9bbbac09408deb620b155f4f9296e6fa971e7c4d6575cd

SHA512
d77966e811b9c660669334613fb89c46a3d91da6221acd42bbabb9856eb5e512149cc3a5ba39054d42683813bfe1a451984a50ad9e6bf86cc0ce3f3ef47da7b9

Download Submit
C:\Users\Admin\AppData\Local\TileDataLayer\Database\EDB.chk.RYK
Filesize
8KB

MD5
0b64141c3554cdf0830ea140862ed57b

SHA1
fa0bab21ff7625daea0db11622ef31666ac586da

SHA256
2d5e853716b30d7e8919d7b493b06c016c949b931fe4a629a720c478e3175e29

SHA512
2b293fb64db672699e3bf1239f326722e9d37a802105295b7ec0b7a5ffd5caff383613127864fe2105d557de20f06a3f0d1cd4a5ad8f114267d8829900b9fab3

Download Submit
C:\Users\Admin\AppData\Local\TileDataLayer\Database\EDB00001.log.RYK
Filesize
2.0MB

MD5
8528ece8335af5a35635c11642000898

SHA1
444a6d9060cda5d7aa92e5a298bd0da6d9344ef5

SHA256
a48d0cf9084c284283d91378917c3cb0333c882ab1739b52bd62a8f45097d263

SHA512
1fb68761a907e97c0b156a66d8ea42863fbe104e6a0ce6524af1dddb379fb85c1fd832cda410886b9ee70c435c00944d578e7083f5be52a0b7fb4e0ce6f59244

Download Submit
C:\Users\Admin\AppData\Local\TileDataLayer\Database\EDBres00001.jrs.RYK
Filesize
2.0MB

MD5
a880ae54cada16cef03a1b3c04423b2b

SHA1
3d1e21ac3e943b0f2e524e3677d7b300c6a90d2f

SHA256
a46ac71c330ef1963affa28b778dc6083acaf9a705ee31363ab51e3cf5644381

SHA512
407180ae98a07fa233dca6e2863d6b2c4b83e473dbf473d2afe07d001447021b0195c315e6d51cf58bd91db49704ab6bec1bc5bfd59862e654591162b7e65149

Download Submit
C:\Users\Admin\AppData\Local\TileDataLayer\Database\EDBres00002.jrs.RYK
Filesize
2.0MB

MD5
8eb1b64850ac4c89fb92afe56135d6fd

SHA1
4c1c40ce1e8b5a530406ae5e620fdf4820d23c31

SHA256
f30705f77859488e80927abf3175a95257845298f9772c0259275cdcec3bf9de

SHA512
80278a8ff49bc22f67095acf56afdd7906549f4403f2d78f9afb28ccbacf7100569065a3f43e92dd412125059fcb8d9d83370562cd462a8769ec2cd8129dd2ab

Download Submit
C:\Users\Admin\AppData\Local\TileDataLayer\Database\EDBtmp.log.RYK
Filesize
2.0MB

MD5
942ca9b39d700e1538de3721ee56ca4c

SHA1
bc9fdb46d56eb5f7ab81a511385de69e43b996a3

SHA256
f122d8129fcaf1c376d160b13a71c3aba72fc19554c8a38b6e0782112f29d149

SHA512
fe769945a2bb092ecc877265da2d24171ebbc7862e39339ff74ac1bee42c6903586de2465708bcfb9ab1a9f3a242e56db5256d0a99834a248a92eabc747f7b6e

Download Submit
C:\Users\Admin\AppData\Local\TileDataLayer\Database\RyukReadMe.html
Filesize
627B

MD5
5bfa9bbd92e2313dcebef3737e31fcd3

SHA1
1962115ecc2e5a1cd8077bcdcfa156d0647e71f5

SHA256
79d10ce3c722175cef4e348bd5fce74ffd82eadc3da71aa6b9f50a65c9d2aace

SHA512
024ae8ab82b080141c062188a6a8c3a6d014ac42a87ebb53492baf674cd482778c6abaf566c908a092fb7c4d35120004fff8141dda593cbceabe027c74cdd49e

Download Submit
C:\Users\Admin\AppData\Local\TileDataLayer\RyukReadMe.html
Filesize
627B

MD5
5bfa9bbd92e2313dcebef3737e31fcd3

SHA1
1962115ecc2e5a1cd8077bcdcfa156d0647e71f5

SHA256
79d10ce3c722175cef4e348bd5fce74ffd82eadc3da71aa6b9f50a65c9d2aace

SHA512
024ae8ab82b080141c062188a6a8c3a6d014ac42a87ebb53492baf674cd482778c6abaf566c908a092fb7c4d35120004fff8141dda593cbceabe027c74cdd49e

Download Submit
memory/588-139-0x0000000000000000-mapping.dmp

Download
memory/1136-123-0x0000000030007FA3-mapping.dmp

Download
memory/1176-137-0x0000000000000000-mapping.dmp

Download
memory/1308-124-0x0000000002370000-0x00000000023A6000-memory.dmp

Filesize
216KB

Download
memory/1308-119-0x00000000023B0000-0x00000000023E8000-memory.dmp

Filesize
224KB

Download
memory/1628-138-0x0000000000000000-mapping.dmp

Download
memory/1652-143-0x0000000000000000-mapping.dmp

Download
memory/1840-128-0x00000000021E0000-0x0000000002218000-memory.dmp

Filesize
224KB

Download
memory/1840-125-0x0000000000000000-mapping.dmp

Download
memory/1940-142-0x0000000000000000-mapping.dmp

Download
memory/2172-144-0x0000000000000000-mapping.dmp

Download
memory/2596-136-0x0000000000000000-mapping.dmp

Download
memory/2668-141-0x0000000000000000-mapping.dmp

Download
memory/3140-131-0x0000000000000000-mapping.dmp

Download
memory/3744-133-0x0000000030007FA3-mapping.dmp

Download
memory/3952-135-0x0000000000000000-mapping.dmp

Download
memory/3972-140-0x0000000000000000-mapping.dmp

Download
memory/4692-148-0x0000000000000000-mapping.dmp

Download
memory/6772-207-0x0000000000000000-mapping.dmp

Download
memory/6784-208-0x0000000000000000-mapping.dmp

Download
memory/6804-209-0x0000000000000000-mapping.dmp

Download
memory/7412-210-0x0000000000000000-mapping.dmp

Download
memory/8332-211-0x0000000000000000-mapping.dmp

Download
memory/8396-212-0x0000000000000000-mapping.dmp

Download
memory/77420-213-0x0000000000000000-mapping.dmp

Download
memory/77436-214-0x0000000000000000-mapping.dmp

Download
memory/80712-215-0x0000000000000000-mapping.dmp

Download
memory/81124-216-0x0000000000000000-mapping.dmp

Download
memory/97800-217-0x0000000000000000-mapping.dmp

Download
memory/98208-218-0x0000000000000000-mapping.dmp

Download
memory/171200-219-0x0000000000000000-mapping.dmp

Download
memory/171980-220-0x0000000000000000-mapping.dmp

Download
memory/173408-221-0x0000000000000000-mapping.dmp

Download
memory/173816-222-0x0000000000000000-mapping.dmp

Download
memory/188104-223-0x0000000000000000-mapping.dmp

Download
memory/188728-224-0x0000000000000000-mapping.dmp

Download
memory/291428-225-0x0000000000000000-mapping.dmp

Download
memory/292220-226-0x0000000000000000-mapping.dmp

Download
memory/294184-227-0x0000000000000000-mapping.dmp

Download
memory/294596-228-0x0000000000000000-mapping.dmp

Download
memory/307928-229-0x0000000000000000-mapping.dmp

Download
memory/308048-230-0x0000000000000000-mapping.dmp

Download
memory/313432-231-0x0000000000000000-mapping.dmp

Download
memory/313484-232-0x0000000000000000-mapping.dmp

Download
memory/313528-233-0x0000000000000000-mapping.dmp

Download
memory/313576-234-0x0000000000000000-mapping.dmp

Download
memory/327852-235-0x0000000000000000-mapping.dmp

Download
memory/328352-236-0x0000000000000000-mapping.dmp

Download
memory/426976-237-0x0000000000000000-mapping.dmp

Download
memory/427032-238-0x0000000000000000-mapping.dmp

Download
memory/428288-239-0x0000000000000000-mapping.dmp

Download
memory/428344-240-0x0000000000000000-mapping.dmp

Download
memory/439224-241-0x0000000000000000-mapping.dmp

Download
memory/439344-242-0x0000000000000000-mapping.dmp

Download
memory/493384-243-0x0000000000000000-mapping.dmp

Download
memory/493436-244-0x0000000000000000-mapping.dmp

Download
memory/496596-245-0x0000000000000000-mapping.dmp

Download
memory/496612-246-0x0000000000000000-mapping.dmp

Download
memory/514508-247-0x0000000000000000-mapping.dmp

Download
memory/514916-248-0x0000000000000000-mapping.dmp

Download
memory/618264-249-0x0000000000000000-mapping.dmp

Download
memory/618316-250-0x0000000000000000-mapping.dmp

Download
memory/619500-251-0x0000000000000000-mapping.dmp

Download
memory/619840-252-0x0000000000000000-mapping.dmp

Download
memory/629768-253-0x0000000000000000-mapping.dmp

Download
memory/630464-254-0x0000000000000000-mapping.dmp

Download
memory/679796-255-0x0000000000000000-mapping.dmp

Download