ryuk | 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

Analysis

max time kernel
99s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2022 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
Size

119KB
MD5

c68395e474088d5339972e2bf5a30f3c
SHA1

502e42240969399c09337ecc7b5ca8fc1ba4baf3
SHA256

9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8
SHA512

5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a
SSDEEP

1536:j/t3fhrg5rw0lQa2+T37us7RidSkPq9IiJ/EXrAyPca7m94nqHBmQSsWZcdH2kB/:lG55XP0Vq9IiKXrxkKNqHBmEHNVKA

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'BVb1qR2'; $torlink = 'http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
4700	JniLjiPDzrep.exe
4628	zgHWiHhdylan.exe
3816	gZieoCmGdlan.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
27672	icacls.exe
27684	icacls.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\ui-strings.js	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-util_ja.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-pl.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AIRWER.DLL	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Pages_R_RHP.aapp	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ro-ro\ui-strings.js	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-common.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-pl.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_sent.gif	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\files_icons2x.png	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\js\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_unshare_18.svg	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_checkbox_selected_18.svg	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons.png	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hr-hr\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ko-kr\ui-strings.js	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ul-oob.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OWSSUPP.DLL	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\RedAndBlackReport.dotx	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSLID.DLL	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-pl.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-180.png	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ca-es\ui-strings.js	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_cs.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_ja_4.4.0.v20140623020002.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\msipc.dll.mui	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ExpenseReport.xltx	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-text_zh_CN.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_listview_selected-hover.svg	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hu-hu\ui-strings.js	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\es-es\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ppd.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\MSO20SKYPEWIN32.DLL	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\ui-strings.js	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.lock	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-io.xml	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_agreement_filetype.svg	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview.png	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state_1.0.1.v20140709-1414.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OUTLFLTR.DAT	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\download.svg	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\splash.gif	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sybase.xsl	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_ja.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\eu-es\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-cn\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\de-de\ui-strings.js	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 4700	3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	78
PID 3628 wrote to memory of 4700	3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	78
PID 3628 wrote to memory of 4700	3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	78
PID 3628 wrote to memory of 4628	3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	79
PID 3628 wrote to memory of 4628	3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	79
PID 3628 wrote to memory of 4628	3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	79
PID 3628 wrote to memory of 3816	3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	80
PID 3628 wrote to memory of 3816	3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	80
PID 3628 wrote to memory of 3816	3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	80
PID 3628 wrote to memory of 27672	3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	81
PID 3628 wrote to memory of 27672	3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	81
PID 3628 wrote to memory of 27672	3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	81
PID 3628 wrote to memory of 27684	3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	82
PID 3628 wrote to memory of 27684	3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	82
PID 3628 wrote to memory of 27684	3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	82
PID 3628 wrote to memory of 48956	3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	86
PID 3628 wrote to memory of 48956	3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	86
PID 3628 wrote to memory of 48956	3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	86
PID 3628 wrote to memory of 48964	3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	85
PID 3628 wrote to memory of 48964	3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	85
PID 3628 wrote to memory of 48964	3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	85
PID 3628 wrote to memory of 49088	3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	89
PID 3628 wrote to memory of 49088	3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	89
PID 3628 wrote to memory of 49088	3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	89
PID 3628 wrote to memory of 52820	3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	91
PID 3628 wrote to memory of 52820	3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	91
PID 3628 wrote to memory of 52820	3628	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	91
PID 49088 wrote to memory of 52860	49088	net.exe	95
PID 49088 wrote to memory of 52860	49088	net.exe	95
PID 49088 wrote to memory of 52860	49088	net.exe	95
PID 48956 wrote to memory of 52852	48956	net.exe	93
PID 48956 wrote to memory of 52852	48956	net.exe	93
PID 48956 wrote to memory of 52852	48956	net.exe	93
PID 48964 wrote to memory of 52876	48964	net.exe	94
PID 48964 wrote to memory of 52876	48964	net.exe	94
PID 48964 wrote to memory of 52876	48964	net.exe	94
PID 52820 wrote to memory of 52960	52820	net.exe	96
PID 52820 wrote to memory of 52960	52820	net.exe	96
PID 52820 wrote to memory of 52960	52820	net.exe	96

C:\Users\Admin\AppData\Local\Temp\9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
"C:\Users\Admin\AppData\Local\Temp\9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Users\Admin\AppData\Local\Temp\JniLjiPDzrep.exe
  "C:\Users\Admin\AppData\Local\Temp\JniLjiPDzrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:4700
- C:\Users\Admin\AppData\Local\Temp\zgHWiHhdylan.exe
  "C:\Users\Admin\AppData\Local\Temp\zgHWiHhdylan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Users\Admin\AppData\Local\Temp\gZieoCmGdlan.exe
  "C:\Users\Admin\AppData\Local\Temp\gZieoCmGdlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:3816
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:27672
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:27684
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:48964
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:52876
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:48956
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:52852
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:49088
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:52860
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:52820
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:52960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\DumpStack.log.tmp.RYK

Filesize
8KB

MD5
320c2b1b954c5e694e455f40bdbd43c6

SHA1
8c9919d913ad6fe4a07330d05bdd2c0030bccf52

SHA256
6084a3bbc669d34c6806750a0a632f573e4aab29deb06554f2d175124bd206c0

SHA512
55fb21194995e549e88dd1b7cb8f7275f3fe150b2121b338fb51393eebef44c80b50aed9bcf75e34d9dc27fd7d5bd9f888f8e08b0fe766e312e49877403f93bf

Download Submit
C:\PerfLogs\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst.RYK

Filesize
1KB

MD5
3923318a107b0b9612542540eade34f6

SHA1
c0321302af8222105595804580822a02990438e1

SHA256
99c2f7c56a9bf041da3b4ec1d596e7f1e365ebaa1db55f318f800f0d9aa7358d

SHA512
89ca6a3815c6522cf06c16e2c9e8380969f9396761a976f3b8ad0b820b8260566a54b36318023975e376928744598e2f5dc5ff8bc423ddc9dc313ca5341f96af

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst.RYK

Filesize
80KB

MD5
42d53cc88e0f1a43215b7dd988f0c63f

SHA1
8a859df2324b96b2139e57fa57b7be9ad43f30be

SHA256
1e9d44277814f3121db906a9a523f39aa3e90396e92bf9c61183bf93b4c901e2

SHA512
1c5b7624718e10ea1b449061ec325b1eae22f46f801d146c29c3fcbc1e214d3589e8d79fa8297d1188901574c208624f0209d6994d67471683b2ac03df4da1a3

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt19.lst.RYK

Filesize
9KB

MD5
1d9ccd5a0310a0d14633fb1e25161748

SHA1
4a12690c8a719069423c1aea472a3686833e9b31

SHA256
5bab15fbf1c0b883fffcd70c70a5a6fea848b7a24c428a7a6774f4eeb615065b

SHA512
08bc227820dfec5d787ff3dc7f5ee28f8805384b90578628e43f09d84e0fdb9918d574b84cbd4b154d2bc9401bc6a247b9bab2c06f657d76528c949704e28c3e

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat.RYK

Filesize
68KB

MD5
1421c0fd74ef5450ff2abd567cec69b9

SHA1
bb7d9293cfaa2908fd67c9999256e4244c1d24d5

SHA256
88c0e8e0fba7faf940ab63a03937d67b37810043fe625dcd94f9d8360f105500

SHA512
3d544e9fea8b7da87d1558be0f95b609938026891c84e4816f6106a4170bcbb102ae338b765b3cf3ab947c594c4866c589cb919715e821dcbed2fc93ca19d089

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK

Filesize
12KB

MD5
adea5ee57396ea21605e28c18ecda121

SHA1
e970806ea9652cda1659c60dad77e54ccd63d1eb

SHA256
fa2268fea33529040fd2b792f51af374b04da28eb67b4393dc3f6c51095857d8

SHA512
09e26b45d2a1141171f4e319531773c0876313467a46bd476791a3912dfa8a28b5e5e0153e27fb1c0768fa738a075e9dfdc452a07531d30cb8484fd7b06ad020

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\ToolsSearchCacheRdr\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK

Filesize
32KB

MD5
ca71bf3bc3d03a63402f31209a13a7b6

SHA1
eaecd0e4f141e6f4234b6f27ab517327be9c21c7

SHA256
031692097ac675645c169a24dab9b1d587c1deadb53876af18fc18766b7b4ea9

SHA512
a6518acdeffea55d443991cb43c0926fc581567a07571df0024766026f3568094664d716ac39eb7deb7a0976ff7c1151eb1a0de28c967a3174458a6be955ec05

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK

Filesize
1KB

MD5
bd4f6edcee167bd29953d20ff94c0e6c

SHA1
4fa12381d7529c15222f7f30db55a62059b4dd82

SHA256
ec775849d3e88dfc8db781ea91aa7fc64bd83a22b42bc5065c0e764ea1bb05c0

SHA512
6b166cdc7bb59558586663ca6c3c1918c0634a789f5046b3588faa111f6c10f070a3bbc736b6267a03515c446ef25ff045aa7c6da72bcb5d2c0c1995a59a7f41

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

Filesize
2KB

MD5
8e7f31948eda7bd1235b0e49f0728ca8

SHA1
e3a3429fd796d170329cfbbd8ddcb7b89d527b44

SHA256
559c1724bc6a57f9acd1a049de4e9f8612159cb1c335141deebfc5b9976f91bb

SHA512
28a6bab75479d98b4cae36dce5d291e717b7515a150e6747126e13fd4f9b5ce825191c1436e115c943b1e4f0b03d327ccda5d0f911084f9f06a9483282399b65

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

Filesize
64KB

MD5
3a7bd822cb26634b27ea9b648d99dd95

SHA1
5dd98d07e7d722c2bda76748e868777d25fafdcb

SHA256
0585e47a09b2b05b989717cadd097a09c25b9e47bfa375b916a1d6ac5304a320

SHA512
f8da8ba94881c9102f308ee3eaa2de154fa6a9c8880f45b9a9425676317e094006bc24ebad73e7458e3851345a5a16c47003695d61c48dfbdd0a9244ab588031

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Comms\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jcp.RYK

Filesize
8KB

MD5
eb17135bbf122aea95ec69aaa3e5b252

SHA1
65fbe4daaaf964adf9a2cf846b46d6b471b94b83

SHA256
e1237ca98033360105e78d20ce31dbc0b03ddc077bfc13fcbe685c7628a961c1

SHA512
392ad77a8458f406467d059beb6a4e1fe5b1ad96d049fdfa507caabeaab5f6d45353e166ff776c2228a2cd56141c1f17435d50ccd19a9b0bd2f3a7198c66410a

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm.RYK

Filesize
16KB

MD5
3672ae621a7fe6ff39ae50c41c8e6019

SHA1
b2e02d44e8cb83b6462f4b210a004493fbaf59ec

SHA256
db996986cd9c5c4119b1842b7ee459fda4aba0ed572e6a82f8b28e7e9e2bb820

SHA512
610b0ef04fe77574b02e0038876675f5b12feed6b238fcbc585926390d49220ccb1a2a6c249d88454cf0a3015bc5450a959677ea359e46474c4d2e5199bb9629

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.vol.RYK

Filesize
6.0MB

MD5
78a826c9b9aa7da993c213c26507f88e

SHA1
19b6327f159de50785f7ee6a2d29047909056b33

SHA256
c45d51066d7017a7c6327df9429381df92ab093b3d6825d605c0c9caa0e71da5

SHA512
b4f0a3147cde165fe34b74771c6260b0acae084b8818957780a118c37f66f19c5ac13ef77bb56052f01527294fc7575b6b7b5e79180782409319b175cdf930ed

Download Submit
C:\Users\Admin\AppData\Local\Comms\Unistore\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Comms\Unistore\data\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Comms\Unistore\data\temp\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Packages\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Publishers\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log.RYK

Filesize
2KB

MD5
e5a9ac7f3ef74d316dc2ff33686bf698

SHA1
e16552f9af98f39ffd2375db6cb2a632fd96fa07

SHA256
da5ae87f21e8618b44e2ea8a9624c4d4c4f69360d3fc73f42daf1d87b14ada91

SHA512
20431acd6c1456210c81d2a087f66fdf90c1f7c92b39545f778ef0e8ea4b41453060a93a724dc421d30db1187a361062c20ccb2f57c63b5ee8fd1299a4d372a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log.RYK

Filesize
25KB

MD5
0ff3c8a0b0e335bbe487ce47876d7658

SHA1
4f6050bbbdc8fdc8a48b5a67cab35d65332aaca0

SHA256
4793f03ad70dfe7e3c96d9390311bd0ec2efdae7d004bae9e95dff9bfcd7f640

SHA512
845bd5fdad8469a221a1f0a1d90d6ba869e2ba4cc5225e4057c7e6d8ddf938f885638fe20108ca8be339beeccfdaa39f441ad573c4cdf327d40fb0a01230cb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\JniLjiPDzrep.exe

Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\JniLjiPDzrep.exe

Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\StructuredQuery.log

Filesize
4KB

MD5
c3f4eafee36601ceb3c5259c76a4f0cb

SHA1
055db3571fd6b61adc309373fd3a2989e210f48a

SHA256
dc1a7cf6c6d318fc369030aae43e57fea4bb271a871eebd0f6f8ffc64e1ab320

SHA512
fb40453f4e26f9c9c943ffc41b03fef36618f2ae114c3da188d228ce2787ff5919ef942912efe02381ddb74dc79d6ccb75db77ab5d5ab24b4871a1d9408ce259

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-4828.log

Filesize
754B

MD5
164cf33fcb2a31fe6f7c942a3307b249

SHA1
cf8c5dbca5920dcfed7450e21b307f242a256aa0

SHA256
45c6e0af0bafe0ab342ff5102a6b5aa4d8bed4b792e5d11723cb7f1159643ebf

SHA512
585601d2154de10bd5dfb11e06bf41ebab52a783f8f1f1da9f2774007ed3b95150159733b4bb7cce465950456117fdf5d3d04912495f48b1d95eeb2bc352faa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
2KB

MD5
b8b417762746ba2267b4de9aa8a3d3c0

SHA1
b0a5828858c6eb70a4506b94a34a4b75ef5d840b

SHA256
51ea7eba15fbf770f8d78814b16c19d990a7fc3e93728279a84155af7a4a02d1

SHA512
64b67326b8f011bc53ba6f492cf5a02ac2dede647dca174cf23ca7fb1537e45b8f40ac9d0212cf44dd1144b4a5c84dc20850318851af3a11761ada5bb397794f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI75EB.txt

Filesize
11KB

MD5
e0181ac76b2b83ed7a2c390ae7c58279

SHA1
5d163f07c1186d2543f98690d60206c0a8616500

SHA256
587b70a0d17a86bd75a6bf6c5299d98912f0a620f172e5ef8aed9fa3da73aca1

SHA512
2d91a5a0aad5cb154487ac39ee013da0ea9af317daacd5d1364935c6c3de85c9b3c821a5d1080e5d81f0273ed9f4ac1737c88d6f1e867da6f00097dd233f6347

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI7626.txt

Filesize
11KB

MD5
dab025799ef9f9b1fefe03dce172b988

SHA1
f647398dd7f26970dbb91b1c38345b93812d3ffd

SHA256
e43b4154837ed717dcbd6ff8b4be3ab335916c7ada8361f394967692595d3bcc

SHA512
e492a1951ecdc60b7c6b22202a40b6e7ab173e5044a8e8632d3502c5ef52285fcc4cf924a0c8c2790d158be7029f8d0485aebb1f72d835bf8ac01bb47e23e6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gZieoCmGdlan.exe

Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gZieoCmGdlan.exe

Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log.RYK

Filesize
266KB

MD5
bf9d4d059328010186042474e87427bf

SHA1
a02708d5a00dbc675916bb3addf9d885809ff6b5

SHA256
1b996047ba07fd34a5fcb11a192aebb383b4a14dba2b7bc65d7db7f7bef75d7c

SHA512
eeddc97e563cadf6627a9f29f580c01dc7e581b640b7c6af84fd9e6ddb0f6ecea35ce93cf642935831608a8bdfe103b4a9c0a787cbc307dbfd547093793ce999

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge_installer.log

Filesize
3KB

MD5
2343bb85a77ca2256cf72c5683738e92

SHA1
1ce4c623e1022eea293c6490713248d549087504

SHA256
6f2eaf940047a136a20cc5f1b9f6249f5404984f18c64463883bac2639948c75

SHA512
302daad8214a24f5f38cbfb5943692d4fa28bf673622ce424fd3ea044a43a176ccaaf946e12e5c558ebc2d9b1e03de9e29dac1ff6a964db0bf8670c20d8974dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3A3C.tmp

Filesize
25.9MB

MD5
82328e376e9edb911c74a2799b47909e

SHA1
4ab609e11713e1bdfbbeedd1292ecaf94297da48

SHA256
83acca60cba58c482b1eb79837e90fe7f3ac07b1f7b25a326913ec87c4cb3ffd

SHA512
675ec63173ab94bdbad3bd957bb3296631153ce9b0f3874a7b440bbe06e6e5144884fb1db081bdd85dfd205795d0ec135fcfdf48a5e1a45e752c96d8d5b08548

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3CEB.tmp

Filesize
25.9MB

MD5
9e168ed8d22688ef7f569a4515f1d6c3

SHA1
91281fc6b7c7ebc5e73a28b48f7ff3283bb74328

SHA256
1de31b4739991fbdd140aeb90b3e2cae0dc456ad1dd5b5359195084c55163ed5

SHA512
3a7e4a2ad622717a9562498d28e2a550f864c9c9d427783dca9036bcb2ae364ca681a9916c1caa032b8b175e4889a4962f2095b12086547b7464bb17c59304c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct36E0.tmp.RYK

Filesize
63KB

MD5
c1b88b2ebaec94b027f96dc6b582e8b7

SHA1
39faa6e55bd40a2829c1058b7483cf82cd349209

SHA256
7a87dc5234d6bac127d129d04b3972f820359e40a8f2e2cf208022af40859798

SHA512
912a074d809549effa8fc60d9f3412817ba18c383b7ba80a637ffa62d207d1c65c35e0253b790754b3d817d535e50daff707621ab7d17b4cd7f4bc4001399e45

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct3A06.tmp.RYK

Filesize
63KB

MD5
89f20ba9139402a93077d75131a80020

SHA1
b277b588ed63ad9f0d68beb63f25d57972b575d7

SHA256
124be64a6a80d252a4858946b44c2b7320cd9dcd334dabc79eb0fad2ad2c12ce

SHA512
b7d907f8987ede1478d93fb12558abca4c97f730b12ca06b9956dc8e6e844d74076c0cf3288ec5b71c8ca6aca983fe07a8d89b56966ce92811189a5cfb287f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct4ED3.tmp.RYK

Filesize
63KB

MD5
0b41d31500f8c5f87e9d4e96ab4018c2

SHA1
ba58ea711b4723ab55a21d3830ba2501415cab7a

SHA256
9b148f1a73f9d574cdf960ef3cf5e5138071496fb14c528bb0a4248913beb58d

SHA512
dad6dfcfd16fe437ed1f6a41538c09d8417b25ce135eb47f7de640f157d9ad3886a87fd51cc65b9ea454143f82078e65710c3c619330d5fe0d6f9e03dcac7dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctC515.tmp.RYK

Filesize
63KB

MD5
e0062afcd142e89dff92f17fb026e946

SHA1
bccc90d66a1f149129d6d963716a6075e644fb16

SHA256
1a47c282f4e537b3c32750f180f2779e9f43f544840298ae2a32732d764e0be9

SHA512
07877ab1741fc7e53df4161c4096bd8a96da8b1863690057c886d2b8a0cddebf0e05daeb086de24056a554aac2537b4a2cc78400442b37a24c867813462f1976

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctEB0B.tmp

Filesize
40.2MB

MD5
578d922ae6720f8b447515459789901c

SHA1
5516370213e79242cc9d5c50efd99fb720bbad52

SHA256
04b16d9b9be478d301bf2fb9952ad4c45cd8241daf73723ee8105a0004d8b6dd

SHA512
5ef730990cc3f1854fbf1dcb7598b59784099dbd6c81a5b209220ed635fc62121ccb4811289b64cdcd1322277672aef264d7415fd82927f0055fa276e6b93f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctFE60.tmp.RYK

Filesize
63KB

MD5
36fa4eabf88e02c5342a0dc331111f21

SHA1
e8c63259becc592f0dca4479cc8c0c565f909d0e

SHA256
df1e7bd00fbe97ddaf6e7ed3127c8abcb4f98942d706823b170b0a78279636f2

SHA512
d03e725f5d9b6406bea7554bd5efb711a0a5f1512f05bc43e53254b295924d1fbb1f5c9b7d7b5e4c05f78b60a1d621db277e905c62e4d6ef57ab7ff572c15bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log.RYK

Filesize
978B

MD5
2528854469df161e52bee6aa6a4ec9fc

SHA1
9ac9f310285ef364731b7d7ad0d4a58a54bf9564

SHA256
cf9e2f4dafeaec97c512f330b7938c2f0ac78ded6b2d4aa341e1e2a204d13470

SHA512
38ea43bbf8c6fcb6075e7e85b9a1ac8fd05602a33fa6175f47328bde153ad5e999a7c68f1b852445ce3f598a7bf6d48ceb12503dd69ab07da9cf47d134b488c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgHWiHhdylan.exe

Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgHWiHhdylan.exe

Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
C:\Users\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\odt\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\odt\config.xml.RYK

Filesize
978B

MD5
afe5b5e30556f13395d8c069bbe86e79

SHA1
6dab64b1ca3814316b32ac5cced84702f4e40daa

SHA256
c01f66549f199b4c525565731eb2f95fcdf9cb00840ec0c10d3587fbcd934582

SHA512
933a4cb6c45ed1ac3c0ff8c6d0754821d0b936ec5ba322051fd74767430616d3cc2e6ac27a7feea4ddbce5d15c95f5245da01e1aef666e1395ea4663b5201287

Download Submit
C:\users\Public\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit