ryuk | 3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4

Analysis

max time kernel
143s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2022 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
Size

397KB
MD5

5af409fe584bed2f8b847bb9d2eca34f
SHA1

b49a2eed4d369cd608ffdf8d8cfe491d055f1cd3
SHA256

3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4
SHA512

f822e1a096f1a597b5c55159e725c769e63bf209c789e0e4e33ea6aa7db023aacde206a1151303cefa8b318a7312a3ae675231f8e91cc847d5db2c09c5b970bc

Score

10^/10

ryuk dave discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral2/memory/4880-136-0x00000000006F0000-0x0000000000714000-memory.dmp	dave

Executes dropped EXE 3 IoCs

Processes:

TpctBfxATlan.exeGGxojTzIclan.exeSBuIUyptZlan.exe

pid process

4800 TpctBfxATlan.exe
2072 GGxojTzIclan.exe
3012 SBuIUyptZlan.exe

pid	process
4800	TpctBfxATlan.exe
2072	GGxojTzIclan.exe
3012	SBuIUyptZlan.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

4924 icacls.exe
2640 icacls.exe

pid	process
4924	icacls.exe
2640	icacls.exe

Drops file in Program Files directory 64 IoCs

Processes:

3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\RyukReadMe.html	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\RyukReadMe.html	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\RyukReadMe.html	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\RyukReadMe.html	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\RyukReadMe.html	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\RyukReadMe.html	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\RyukReadMe.html	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipRes.dll.mui	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\RyukReadMe.html	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\RyukReadMe.html	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\RyukReadMe.html	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\RyukReadMe.html	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RyukReadMe.html	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\RyukReadMe.html	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-GB\RyukReadMe.html	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe

pid	process
4880	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
4880	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
4880	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
4880	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe

description	pid	process	target process
PID 4880 wrote to memory of 4800	4880	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	TpctBfxATlan.exe
PID 4880 wrote to memory of 4800	4880	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	TpctBfxATlan.exe
PID 4880 wrote to memory of 4800	4880	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	TpctBfxATlan.exe
PID 4880 wrote to memory of 2072	4880	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	GGxojTzIclan.exe
PID 4880 wrote to memory of 2072	4880	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	GGxojTzIclan.exe
PID 4880 wrote to memory of 2072	4880	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	GGxojTzIclan.exe
PID 4880 wrote to memory of 3012	4880	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	SBuIUyptZlan.exe
PID 4880 wrote to memory of 3012	4880	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	SBuIUyptZlan.exe
PID 4880 wrote to memory of 3012	4880	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	SBuIUyptZlan.exe
PID 4880 wrote to memory of 4924	4880	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	icacls.exe
PID 4880 wrote to memory of 4924	4880	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	icacls.exe
PID 4880 wrote to memory of 4924	4880	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	icacls.exe
PID 4880 wrote to memory of 2640	4880	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	icacls.exe
PID 4880 wrote to memory of 2640	4880	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	icacls.exe
PID 4880 wrote to memory of 2640	4880	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
"C:\Users\Admin\AppData\Local\Temp\3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Users\Admin\AppData\Local\Temp\TpctBfxATlan.exe
  "C:\Users\Admin\AppData\Local\Temp\TpctBfxATlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:4800
- C:\Users\Admin\AppData\Local\Temp\GGxojTzIclan.exe
  "C:\Users\Admin\AppData\Local\Temp\GGxojTzIclan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Users\Admin\AppData\Local\Temp\SBuIUyptZlan.exe
  "C:\Users\Admin\AppData\Local\Temp\SBuIUyptZlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4924
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

Filesize
620B

MD5
5571a633e0ed282e12d066a24cebe1dd

SHA1
3814c9465ca1afdae41b7cc1e8a9790e53446490

SHA256
bf26056485fce5fefc42591d3144480eb19a689c57ac5e41fa1324d8c39c0e97

SHA512
eaa769f68aa25784cc8860cf24a4e2aba2232d6cbc35adf63e553161c254b9b97c89e22b6f37d05d3b96b7f769e05701f466ce4c55ce6e0daa0f84805aeeb97c

Download Submit
C:\$Recycle.Bin\S-1-5-21-2295526160-1155304984-640977766-1000\RyukReadMe.html

Filesize
620B

MD5
5571a633e0ed282e12d066a24cebe1dd

SHA1
3814c9465ca1afdae41b7cc1e8a9790e53446490

SHA256
bf26056485fce5fefc42591d3144480eb19a689c57ac5e41fa1324d8c39c0e97

SHA512
eaa769f68aa25784cc8860cf24a4e2aba2232d6cbc35adf63e553161c254b9b97c89e22b6f37d05d3b96b7f769e05701f466ce4c55ce6e0daa0f84805aeeb97c

Download Submit
C:\DumpStack.log.tmp.RYK

Filesize
8KB

MD5
3921128d36bacb5a4047192c303b5a64

SHA1
bfca912c65322cd03e31b887879489ab6e0e771d

SHA256
0d473326b529061c7f0549f36b9c836e0071cd6199e61bbe325aff9828348bfb

SHA512
2982b7361059cff56fa7afdfdc7dc5e0e0c3ba98b868f63ae65161af0398096e14a41dcfdc55ae33c5242001ec6bd7781773b77b623f7a2bac59f300e8ee24bf

Download Submit
C:\PerfLogs\RyukReadMe.html

Filesize
620B

MD5
5571a633e0ed282e12d066a24cebe1dd

SHA1
3814c9465ca1afdae41b7cc1e8a9790e53446490

SHA256
bf26056485fce5fefc42591d3144480eb19a689c57ac5e41fa1324d8c39c0e97

SHA512
eaa769f68aa25784cc8860cf24a4e2aba2232d6cbc35adf63e553161c254b9b97c89e22b6f37d05d3b96b7f769e05701f466ce4c55ce6e0daa0f84805aeeb97c

Download Submit
C:\RyukReadMe.html

Filesize
620B

MD5
5571a633e0ed282e12d066a24cebe1dd

SHA1
3814c9465ca1afdae41b7cc1e8a9790e53446490

SHA256
bf26056485fce5fefc42591d3144480eb19a689c57ac5e41fa1324d8c39c0e97

SHA512
eaa769f68aa25784cc8860cf24a4e2aba2232d6cbc35adf63e553161c254b9b97c89e22b6f37d05d3b96b7f769e05701f466ce4c55ce6e0daa0f84805aeeb97c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGxojTzIclan.exe

Filesize
397KB

MD5
5af409fe584bed2f8b847bb9d2eca34f

SHA1
b49a2eed4d369cd608ffdf8d8cfe491d055f1cd3

SHA256
3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4

SHA512
f822e1a096f1a597b5c55159e725c769e63bf209c789e0e4e33ea6aa7db023aacde206a1151303cefa8b318a7312a3ae675231f8e91cc847d5db2c09c5b970bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGxojTzIclan.exe

Filesize
397KB

MD5
5af409fe584bed2f8b847bb9d2eca34f

SHA1
b49a2eed4d369cd608ffdf8d8cfe491d055f1cd3

SHA256
3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4

SHA512
f822e1a096f1a597b5c55159e725c769e63bf209c789e0e4e33ea6aa7db023aacde206a1151303cefa8b318a7312a3ae675231f8e91cc847d5db2c09c5b970bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SBuIUyptZlan.exe

Filesize
397KB

MD5
5af409fe584bed2f8b847bb9d2eca34f

SHA1
b49a2eed4d369cd608ffdf8d8cfe491d055f1cd3

SHA256
3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4

SHA512
f822e1a096f1a597b5c55159e725c769e63bf209c789e0e4e33ea6aa7db023aacde206a1151303cefa8b318a7312a3ae675231f8e91cc847d5db2c09c5b970bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SBuIUyptZlan.exe

Filesize
397KB

MD5
5af409fe584bed2f8b847bb9d2eca34f

SHA1
b49a2eed4d369cd608ffdf8d8cfe491d055f1cd3

SHA256
3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4

SHA512
f822e1a096f1a597b5c55159e725c769e63bf209c789e0e4e33ea6aa7db023aacde206a1151303cefa8b318a7312a3ae675231f8e91cc847d5db2c09c5b970bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TpctBfxATlan.exe

Filesize
397KB

MD5
5af409fe584bed2f8b847bb9d2eca34f

SHA1
b49a2eed4d369cd608ffdf8d8cfe491d055f1cd3

SHA256
3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4

SHA512
f822e1a096f1a597b5c55159e725c769e63bf209c789e0e4e33ea6aa7db023aacde206a1151303cefa8b318a7312a3ae675231f8e91cc847d5db2c09c5b970bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TpctBfxATlan.exe

Filesize
397KB

MD5
5af409fe584bed2f8b847bb9d2eca34f

SHA1
b49a2eed4d369cd608ffdf8d8cfe491d055f1cd3

SHA256
3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4

SHA512
f822e1a096f1a597b5c55159e725c769e63bf209c789e0e4e33ea6aa7db023aacde206a1151303cefa8b318a7312a3ae675231f8e91cc847d5db2c09c5b970bc

Download Submit
C:\Users\RyukReadMe.html

Filesize
620B

MD5
5571a633e0ed282e12d066a24cebe1dd

SHA1
3814c9465ca1afdae41b7cc1e8a9790e53446490

SHA256
bf26056485fce5fefc42591d3144480eb19a689c57ac5e41fa1324d8c39c0e97

SHA512
eaa769f68aa25784cc8860cf24a4e2aba2232d6cbc35adf63e553161c254b9b97c89e22b6f37d05d3b96b7f769e05701f466ce4c55ce6e0daa0f84805aeeb97c

Download Submit
C:\odt\RyukReadMe.html

Filesize
620B

MD5
5571a633e0ed282e12d066a24cebe1dd

SHA1
3814c9465ca1afdae41b7cc1e8a9790e53446490

SHA256
bf26056485fce5fefc42591d3144480eb19a689c57ac5e41fa1324d8c39c0e97

SHA512
eaa769f68aa25784cc8860cf24a4e2aba2232d6cbc35adf63e553161c254b9b97c89e22b6f37d05d3b96b7f769e05701f466ce4c55ce6e0daa0f84805aeeb97c

Download Submit
C:\odt\config.xml.RYK

Filesize
978B

MD5
859bdebb38e4ce887b90ced6cb51287a

SHA1
49a91f08cefe6cf0fba6bfcf732da0bd071ca26c

SHA256
e35776664470cf60d11ee222abb7a7824141bfb85583e81829af4cc7c647bb35

SHA512
6a72f8245211cdd5046ebbc19d0e73c7b18be425457068c3910673856560645a9059f74ece78691cb0c3c2c7f5b9f330180d89aec02651012b49857c8dc3d6b4

Download Submit
C:\users\Public\RyukReadMe.html

Filesize
620B

MD5
5571a633e0ed282e12d066a24cebe1dd

SHA1
3814c9465ca1afdae41b7cc1e8a9790e53446490

SHA256
bf26056485fce5fefc42591d3144480eb19a689c57ac5e41fa1324d8c39c0e97

SHA512
eaa769f68aa25784cc8860cf24a4e2aba2232d6cbc35adf63e553161c254b9b97c89e22b6f37d05d3b96b7f769e05701f466ce4c55ce6e0daa0f84805aeeb97c

Download Submit
memory/2072-152-0x0000000000000000-mapping.dmp

Download
memory/2072-155-0x00000000006D0000-0x00000000006F6000-memory.dmp

Filesize
152KB

Download
memory/2640-176-0x0000000000000000-mapping.dmp

Download
memory/3012-163-0x0000000000000000-mapping.dmp

Download
memory/3012-166-0x00000000022C0000-0x00000000022E6000-memory.dmp

Filesize
152KB

Download
memory/4800-144-0x00000000022A0000-0x00000000022C6000-memory.dmp

Filesize
152KB

Download
memory/4800-141-0x0000000000000000-mapping.dmp

Download
memory/4880-137-0x0000000035000000-0x000000003502B000-memory.dmp

Filesize
172KB

Download
memory/4880-132-0x0000000000720000-0x0000000000746000-memory.dmp

Filesize
152KB

Download
memory/4880-136-0x00000000006F0000-0x0000000000714000-memory.dmp

Filesize
144KB

Download
memory/4924-175-0x0000000000000000-mapping.dmp

Download