ryuk | 180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

Analysis

max time kernel
106s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2022 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
Size

635KB
MD5

a563c50c5fa0fd541248acaf72cc4e7d
SHA1

4b8c12b074e20a796071aa50dc82fe2ff755e8f6
SHA256

180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843
SHA512

d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479
SSDEEP

6144:LA+0uP79QAbIhsU2Hl7A6P+ZT6EnW5TMGRx4S7SM22C4:LACbIhs5He6PtgvS7SM2T4

Score

10^/10

ryuk dave discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = '5GqsR1ewcO'; $torlink = 'http://piesa6sapybbrz63pqmmwdzyc5fp73b3uya5cpli6pp5jpswndiu44id.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://piesa6sapybbrz63pqmmwdzyc5fp73b3uya5cpli6pp5jpswndiu44id.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

resource	yara_rule
behavioral2/memory/852-140-0x0000000002260000-0x0000000002282000-memory.dmp	dave

Executes dropped EXE 3 IoCs

pid	Process
4956	LXUDxnPZorep.exe
640	wzxOZpiHtlan.exe
4032	mCbEXKcXTlan.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
23580	icacls.exe
23592	icacls.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-oob.xrm-ms	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ppd.xrm-ms	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\vlc.mo	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen-exit-press.svg	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ul-oob.xrm-ms	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\STSLIST.CHM	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_checkbox_unselected_18.svg	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\DataMatrix.pmp	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\cs-cz\RyukReadMe.html	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\dd_arrow_small.png	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ul-oob.xrm-ms	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ppd.xrm-ms	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\officemui.msi.16.en-us.vreg.dat	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\vlc.mo	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-pl.xrm-ms	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\RyukReadMe.html	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\oracle.gif	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-phn.xrm-ms	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.properties	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ppd.xrm-ms	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_gridview_selected-hover.svg	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-si\RyukReadMe.html	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\RyukReadMe.html	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-threaddump.jar	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\web_documentcloud_logo.png	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-tw\RyukReadMe.html	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\pl-pl\ui-strings.js	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.attributeTransformation.exsd	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ppd.xrm-ms	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\uk-ua\ui-strings.js	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hu-hu\ui-strings.js	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_zh_CN.jar	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\rhp_world_icon_2x.png	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ar-ae\RyukReadMe.html	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\checkmark.png	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\offsymxl.ttf	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\RyukReadMe.html	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\RyukReadMe.html	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pt-br\RyukReadMe.html	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-loaders.xml	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ppd.xrm-ms	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ppd.xrm-ms	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ppd.xrm-ms	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\RyukReadMe.html	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.xml	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-ae\ui-strings.js	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\THMBNAIL.PNG	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_download_18.svg	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\ui-strings.js	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\export.svg	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\AdjacencyLetter.dotx	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\REFSAN.TTF	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBENDF98.CHM	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\RyukReadMe.html	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.zh_CN_5.5.0.165303.jar	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ppd.xrm-ms	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-oob.xrm-ms	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
4956	LXUDxnPZorep.exe
4956	LXUDxnPZorep.exe
640	wzxOZpiHtlan.exe
640	wzxOZpiHtlan.exe
4032	mCbEXKcXTlan.exe
4032	mCbEXKcXTlan.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 4956	852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	79
PID 852 wrote to memory of 4956	852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	79
PID 852 wrote to memory of 4956	852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	79
PID 852 wrote to memory of 640	852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	80
PID 852 wrote to memory of 640	852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	80
PID 852 wrote to memory of 640	852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	80
PID 852 wrote to memory of 4032	852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	81
PID 852 wrote to memory of 4032	852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	81
PID 852 wrote to memory of 4032	852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	81
PID 852 wrote to memory of 23580	852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	82
PID 852 wrote to memory of 23580	852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	82
PID 852 wrote to memory of 23580	852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	82
PID 852 wrote to memory of 23592	852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	84
PID 852 wrote to memory of 23592	852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	84
PID 852 wrote to memory of 23592	852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	84
PID 852 wrote to memory of 38828	852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	86
PID 852 wrote to memory of 38828	852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	86
PID 852 wrote to memory of 38828	852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	86
PID 852 wrote to memory of 42028	852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	88
PID 852 wrote to memory of 42028	852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	88
PID 852 wrote to memory of 42028	852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	88
PID 852 wrote to memory of 42780	852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	90
PID 852 wrote to memory of 42780	852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	90
PID 852 wrote to memory of 42780	852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	90
PID 852 wrote to memory of 42008	852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	92
PID 852 wrote to memory of 42008	852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	92
PID 852 wrote to memory of 42008	852	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	92
PID 38828 wrote to memory of 42076	38828	net.exe	94
PID 38828 wrote to memory of 42076	38828	net.exe	94
PID 38828 wrote to memory of 42076	38828	net.exe	94
PID 42028 wrote to memory of 42088	42028	net.exe	95
PID 42028 wrote to memory of 42088	42028	net.exe	95
PID 42028 wrote to memory of 42088	42028	net.exe	95
PID 42780 wrote to memory of 42752	42780	net.exe	96
PID 42780 wrote to memory of 42752	42780	net.exe	96
PID 42780 wrote to memory of 42752	42780	net.exe	96
PID 42008 wrote to memory of 42476	42008	net.exe	97
PID 42008 wrote to memory of 42476	42008	net.exe	97
PID 42008 wrote to memory of 42476	42008	net.exe	97

C:\Users\Admin\AppData\Local\Temp\180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
"C:\Users\Admin\AppData\Local\Temp\180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:852
- C:\Users\Admin\AppData\Local\Temp\LXUDxnPZorep.exe
  "C:\Users\Admin\AppData\Local\Temp\LXUDxnPZorep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4956
- C:\Users\Admin\AppData\Local\Temp\wzxOZpiHtlan.exe
  "C:\Users\Admin\AppData\Local\Temp\wzxOZpiHtlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:640
- C:\Users\Admin\AppData\Local\Temp\mCbEXKcXTlan.exe
  "C:\Users\Admin\AppData\Local\Temp\mCbEXKcXTlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4032
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:23580
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:23592
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:38828
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:42076
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:42028
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:42088
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:42780
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:42752
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:42008
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:42476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\RyukReadMe.html

Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.html

Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\DumpStack.log.tmp.RYK

Filesize
8KB

MD5
6f81203a37e4d687ee538c2ad82bea17

SHA1
2c7ecdebbb8cb2b23a1ddfdbdc24e655bc2aa2af

SHA256
5af101b3e8be50a57fd27b33a559a6d7dda19431620f0f6f07a6499a1044d99b

SHA512
8d8f4f37997d57592aae5ac8138ac4d33ec1baa74388423712885c16016d1473e034144f16c9a2b9c472052a3ee57b9881a6479b6354b2178b30dee21a159525

Download Submit
C:\PerfLogs\RyukReadMe.html

Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\RyukReadMe.html

Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst.RYK

Filesize
1KB

MD5
d94b531e8b095512a6d17270970843dc

SHA1
8674f0bd48a44df33d0a284f2d3b49c689dad553

SHA256
e8dd5a5966ca13c901836f5fd6b2486accf8a508fc81c18d3811ac373f476843

SHA512
2321cdbf05afb85e07fd33a0b8af30f9c09ce2398077925b93d1dfad5fe0b6f3b86dcea1b2416310e100bb6541c2d734a221dedd440d387ca2a79dab65690382

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst.RYK

Filesize
80KB

MD5
9d547f5de86292fc3c232fc31b22de5d

SHA1
04d28254e81103bb9a99cefecdbf87f27a2087c7

SHA256
6950cf4a857051a4ec60afa7b184cb44ea4f85be0479298736c92f6e9a6f6ac9

SHA512
897a51fca51e9a230425897d62a3131cbfa48606ef9a9596bef3115844749e42634ee79f26baa490abd5b516a1bed08d65c3f7b7eccfa0e644f2fff9a7d72dd9

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt19.lst.RYK

Filesize
9KB

MD5
61339f9a5ecd721031e723474c13cf27

SHA1
e0335ad922bb32afc7e407cee998f6aaace44182

SHA256
c4c37858e08fca01a0368044f7b8f831163a699e59c0d7b55bf7466a461f037c

SHA512
fc01036eaebf2dcdd1c5fb3a94fc389cd1b79b259af0d737599dcb3d61db0d92a00d8a7ab9c0b71b15a90dc54ecd8260cf9ecd58a39540e821cbc7b1e47b92c2

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\RyukReadMe.html

Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat.RYK

Filesize
68KB

MD5
cb4b79273ddf4d684fbbbd45bcc43c18

SHA1
a1c7d0237103bbc133897d2f7eb3665cb9259ed8

SHA256
f38f7a25e47f7de22f1d0d82e24a352394a85e86ed1934162a975e4758d99bcd

SHA512
fc9d4c1a46e368252693120bf035941d59fc4532ceccab9bb20312ff4ed8319c80dbc9f18005e937ed469a76f07cb1813dffa6f1b250b56c36ffb4411c3e94ba

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html

Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK

Filesize
12KB

MD5
3ac97266edaefdcdeb7859259135809e

SHA1
a1759c454243ed237cb159857ba52931f58129e9

SHA256
4e2d6fe25af88f1d4bc0ad9086e7438fa28bf858a64ab86bd1677ed79f9e8a22

SHA512
ac92c8f25c9e128406242081344511f829b1b4023e536967c509e363109bdbdbaefe7c09971a199cf2bf28b30fce6f213f130c73971186e2df213861f8e5e76b

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\ToolsSearchCacheRdr\RyukReadMe.html

Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK

Filesize
32KB

MD5
50826d87b7bbedea51cd54fdeaae611c

SHA1
b07061b578e7d95c8e03824190041c3897d3543a

SHA256
aa1cb57d57077d08c81257b0205dc2357856c6926adf26b1cea6d37a8d2ea2b9

SHA512
5b0afb79e735aeb43e3bf9aad1bf54a43648d2cea5cd74b2637cfd8c44a60237a968b3a6b8cedc0f6460d3200098af70b8a1fc71544b9cb9f372cba04b57479f

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK

Filesize
1KB

MD5
ba6f4412bf6b24e9bbaee0bec138c9b1

SHA1
8e4845a052c6fc4478e5ea05023d74bc4ee0988f

SHA256
00f87b3a3ffc3cf4480f7004b9ffd4d48214cdcc15cc1e44cbc5bf517f3d9e47

SHA512
18a2dd41cdb43c3ab9edc07cb3f54054d507a2521ff9d0774ab5ced05c7e818a04797290dd55a23532ccea2cea1dd1f5a10019a6feaf9ba23f4e14cf11bef636

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

Filesize
2KB

MD5
ca8863686e30c6e63926a046974fbf21

SHA1
fbf81c4ca2004f94c63bf13394142e3ee4fbffa2

SHA256
fff7928324fe9fac4c1a7302b3df27c048c3238ee8437ac7350e12ee4989bf7a

SHA512
e81f77b7771fdbe313a06c044bb4c84f718e5f4bae046c68d9e4de242dfa8b205af5907bef65516cb510140d41c08daaa0193b636c2880d2f42a00dd0df55008

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

Filesize
64KB

MD5
d053939b8e2edec5a2b1d8781169f838

SHA1
da5693718a252f3d158eb18077fff52067461394

SHA256
dabf968b06383d1a615a32d9030fe99ed6af4c7339fcf349b7d3f9e987bc9a42

SHA512
7c737d51160da99ed33fa2634cad5eec662f53ef330005a1ff286744ae4fa0ae13fcf968e8c425f61f6407006b315966649c501ddf990ab0b15cee6fdcbd529a

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Users\Admin\AppData\Local\Comms\RyukReadMe.html

Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\RyukReadMe.html

Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jcp.RYK

Filesize
8KB

MD5
72ba773128eae3f4b4f6ca5cf35950cc

SHA1
3f57db4c5c0f27aad2a6b628581ca7a17e6681d4

SHA256
a8d970ccb1c36109e8a543bc95bfd27caff1770b8509599c04e541bfdfe3a7e1

SHA512
3f3ff5a72b1864a076254e96c4f0656f3e5c44f900eafeea273d4142beed62c08aae54ba613005f44610e24f5421e6f52d1ad73fd50b4bc84e2b6a4b46feb687

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm.RYK

Filesize
16KB

MD5
f7f1f18a7573fef453798269b4859ff0

SHA1
b99238dfffe45b686d77be4aa4094d328e7e9eec

SHA256
f6eb794384eb81c620263550d33b9fe44c9b87230e59174f29bcd0bdc4c0bd01

SHA512
cf76535dc112c2c311809b954e878cf497c716ef2d9b66ec04f6581dc84d1069b96084602c0334a986e20beac2529dd9cc4f6ed3c5bea1c4380dbf785cb3b391

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.vol.RYK

Filesize
6.0MB

MD5
5f42674ba308b06b0aee2be7871c0bc3

SHA1
c0262fed8dbfd63d5509018e8b011775c3381cf1

SHA256
5b133cfa503371730144556b3492541f53863960bf42d756c6a418b91c5d486d

SHA512
4f87fe3707170dd0f545794c385029d52471aecfb2de7b332af9da9b415e32302a226a91080b55e024dc8bd461de1f5751617159c90e2722036ded718461e04e

Download Submit
C:\Users\Admin\AppData\Local\Comms\Unistore\RyukReadMe.html

Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Users\Admin\AppData\Local\Comms\Unistore\data\RyukReadMe.html

Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Users\Admin\AppData\Local\Comms\Unistore\data\temp\RyukReadMe.html

Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Users\Admin\AppData\Local\Publishers\RyukReadMe.html

Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log.RYK

Filesize
2KB

MD5
50e41215a56cd209bf79df8dcdebf55c

SHA1
81861130df66992b1c4b7a6f27e4eca7bc240a2a

SHA256
48141bacfb175ff8e982b2d94fe2b2fd16b3dd1c93486d52b90dff8094a8eff4

SHA512
c5b7faabbfc0b935f4e79d313eae866e97ae0b340bb0cef1f860bf0de436d3ebe89b13b608c1d4018f1c4ec2826dbd6c7ce0b78f4df8d3a5e1830efaa2c90cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log.RYK

Filesize
25KB

MD5
064ef0068219a9350986451998735860

SHA1
d0df0a8e408bf62018d7ed49250bc761e9f39481

SHA256
484fff3efaf06e6da107047df8b6fd1716d8e2e4e7b3eec29077cfafb5cda888

SHA512
9d82a482b0491756155824ff94310e57f6ca0cdac1b71867a613e4aa0e02d93d7f793ba036d08e8dfe5f8b99751a02687609e73cacd3dd17be0210cd29f3c5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\LXUDxnPZorep.exe

Filesize
635KB

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Local\Temp\LXUDxnPZorep.exe

Filesize
635KB

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\RyukReadMe.html

Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Users\Admin\AppData\Local\Temp\StructuredQuery.log

Filesize
4KB

MD5
ada77f4454a3607d39777014b519502f

SHA1
f5563ace6954b0d8714e6c052ed8147ca179a808

SHA256
d97c498ced1d96a99688024c83173474cafef43cac64fa89d7dd98191d19db4a

SHA512
d9d6242d9b5d2c7c18498143bf1ee6425b379356ec8192958aca6bee36f043d3f9c99d2c4c308588099d4bc7419d8db4d267b05caf46f240b58931cf6b25af5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-4828.log

Filesize
754B

MD5
812bb020eb5cf7f62829795e18a75139

SHA1
1656a1d6312cf7c582cb3d29f2c279b9cc2c6242

SHA256
36ffe6708a04fbc2f68b0502ac88778dd25672af0483b5459dd0b4a0b36f09f5

SHA512
3f90fa65614d0d21fed7b719bcae1dddd7231edcaab7f348825b8d47116e7711943d5907bb820eaf667aee4a6add71e16b96206d636f8ea37a8b6acd1da4c500

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
2KB

MD5
b0d8889fd41a87f07060273f3edf53dd

SHA1
542e0fb5bde4dc09353866bbd89720118d44c5ce

SHA256
1091e1195ffac8bc4de1888a3fe24041b1ac7521d4a96db3b177b43687cbfecb

SHA512
3ecd2f2b741a6211930d57bb2b30a07c0bb5e7cb467cd48452da8986efa800a48837802cf04705e1fc154962e4ae44e9ced623f5f3e42f25381fadeebd81ae53

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI75EB.txt

Filesize
11KB

MD5
69ede19c462e542160cffd948a2a3316

SHA1
d7aa3b90735e235b78a5c752a326636d006a80a1

SHA256
1a27b2a177e4e4cb09c3a1fb89a636d529883b808690f66e557aad0b834abb60

SHA512
9031c0f12bdf42e300d7e93ef75ba08ca522619ea12320abfbf57364542df0858ec6b9f54c4f2cd7c9838e7905a451e804ce79bc7f2e5a047f8505a4956e81f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI7626.txt

Filesize
11KB

MD5
812bfc39f4346ca6d471d5974ecfe136

SHA1
881ded3bc2cf114b0cf48c9d8cd5e9f404b52083

SHA256
4507f8ed67fdbcaceae4dda9da1936f6441a2b531721042ce8ae49a2d6711c3e

SHA512
642dccbc587c9fea52b5348daffb85dbd99f61ec84d2cf531ed332288f2a6560db7bed352896c67940c75d74ca5e68bdb2a96d3532606566a74a4e4e7269f8d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log.RYK

Filesize
266KB

MD5
f9564d2b3cde872fb55dea85f3509a15

SHA1
1e0102c5a53f33b6fa813857e223234b84311c40

SHA256
c1a4d9b9f9a6ea7f013f3020d87ef26bb14e4a7890a4ac37c99d08d4ca0cb8ea

SHA512
6957a483c59c941d60d46fc96bcc3e066ce7e2e98b83f799ca7c478c340257a4da52c5df27b828d51ee277ca88d9d33f67ff6a0fcb304f34ea3a612028b2c2e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mCbEXKcXTlan.exe

Filesize
635KB

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Local\Temp\mCbEXKcXTlan.exe

Filesize
635KB

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge_installer.log

Filesize
3KB

MD5
1cd12fec7b47033f21dcf56406d09720

SHA1
ec1102329de146289a1e45b67934cde07ab16aea

SHA256
e801954519c17be9b31ad4458d1d0580cc1c96b8885a15ea3fb1a4ca84884f7e

SHA512
025fe4a14a570d7724864fa0b750f284235a3cb3f0a562d50bb964b29f90954caca643b20efd9a2adcd445883de577ff688cf13a20760a7fd47f5a54d7c05557

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3A3C.tmp

Filesize
25.9MB

MD5
9e8f33553e12092af004cbfdb7685679

SHA1
21803541bdba705942e30bf436ff036debe3aae4

SHA256
bf77fea590ebd48344d2884f027d81cd48b28b814248448939d7d3b6b98c0186

SHA512
3b433c8c65ac3be83e9a7841e723178a7e9eae4db55e2c5e09bd4003bf21041af8cc570b70e5dace4c3b810659c373ba451d1d5de92b6d66908f325de98a29bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3CEB.tmp

Filesize
25.9MB

MD5
626c86c8ba3ef14c304dbf76f29aef8a

SHA1
2d97f423bd189930592f63c3c0b875764469edb0

SHA256
93fd03644dcd63661299197a356906cc374e1294c61b264548bec72457a7fe79

SHA512
5e270d351a0e23f9cded862bad8c746f7cac099955de86fbf37f68d1f20be0872e41a66a2a380dff41f7f00320ef757a871d1b24cebd7f2a7201be3a54edda78

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct36E0.tmp.RYK

Filesize
63KB

MD5
98307ab39e20d4dd0858bf10f7c55736

SHA1
d12038babc8642e26f8174737cfbd267cb5f9dcd

SHA256
efe4f30f87218269f1d224d0c553a80cfd6f65f8fe663c468b4156e0d5c5fd92

SHA512
8ece4ff6eca9ef3635f37ea0e842f3540599f06c1beed632558fded4be8dda534ab5196b7d41f1277b6ed689e3170a50fe6508308400e02a74188b7be652d534

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct3A06.tmp.RYK

Filesize
63KB

MD5
16e7a9ae4e76722c35cc726884fe95b5

SHA1
43bfac99ae937c582a7f1765b6b3e5eedb3169da

SHA256
eecfa5d8824e7b4dab050a3ed60ff1eee6db852521199db1abacaa452a213a78

SHA512
3db29d44980241b7491178f867d4d73a59a48daba5a3279c54751f6a3fea3fadd333432fe8811384c10aa60d60dcc052068c6658d9bca06cb96fe96d2b3507d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct4ED3.tmp.RYK

Filesize
63KB

MD5
e75fe17f2980f6a6d7a935c56a3b5d86

SHA1
13f7d2f1bd320de40c7dbaf7caa951567c3ea2e2

SHA256
7933321e9ed405322c74d45d9e89ef7a0ab4a6bd6999f227547c8a05e9157155

SHA512
d3687a5ccdb3724bd763dfded06625df3532f259a17719b3a858ac49d3245962382df1e3626b247c2aca802be5a533deb64da4319ab326c3874e3fff0559e07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctC515.tmp.RYK

Filesize
63KB

MD5
872227c8927306724a1f6f310c711fd0

SHA1
f27f492f61a9551a3cc7d2e3acdc89df8915966e

SHA256
ac2ee9571c780fad256a73db5f8ac3914ccfa87c5b40e15f04e39706240f4081

SHA512
936aa25868a72c188bcafad6bdf67638fd21774ceaebbb43ae59c43efa21b43db706b0535745ac23c3a822aaafd18939f4a22a4de515820b6aa7df71919a8a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctEB0B.tmp

Filesize
40.2MB

MD5
a3f3ed706023453b90830427549a33da

SHA1
c2ebc8c1090cbc9eb5f14d8b711e1d0d8083319f

SHA256
73d765c8cf043460f73ba3781bbe47f5b79316123be008afb05d75971cf1ad03

SHA512
f831734ca2ef53c7d57a74bb4ffb6922ed9951cc6800bb4eac3dbb5c5d06a4771359f05260e57bb9d96c794d9697099324ece812143aa935991807648f5598b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctFE60.tmp.RYK

Filesize
63KB

MD5
2d4d508c44408bf2c365644bc8a40e49

SHA1
7542e3467e971bd5edc56730410adad28083967e

SHA256
5404dd85278f02f990c0f120d598fe1d6bf6c103239a01a48217590854c8524c

SHA512
dc36e8ff804adecd19810258695cf16a4f0b2b47a6611adf62b24c43aa09bcda541dd236fff109953de2f2e71e6f8d80d08725e640e86056048b166788b8ffa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log.RYK

Filesize
978B

MD5
2da0b437c9955eb88c0bbad7cc2cb88e

SHA1
fa024b94a896abe6e2bb17179d2dc39afe8f9dfb

SHA256
46ac90ad78619d3c67ef2f0a8efc7dae060b6f585ad4120a490cccfeeb5953dc

SHA512
0bb59d347849732af85c56254deee6ebad8965a3cd4b4c24f059073b08441d97d4429d27a41fe1bb7c1467ccb1bb1c45b952b53417c8d314e95026b408ff7b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzxOZpiHtlan.exe

Filesize
635KB

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzxOZpiHtlan.exe

Filesize
635KB

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-929662420-1054238289-2961194603-1000\0f5007522459c86e95ffcc62f32308f1_4cfb5922-b036-4c14-9ed1-03c0dad19fbd

Filesize
1KB

MD5
2a11e707012f11a7964de986d3fc2087

SHA1
7b3d8ef24b82eebe5ea6545e340a00ab3543346c

SHA256
f485451d84705d2c3a0afa1d00f6a24e5bc11783663b1f542168da38e64e7b5c

SHA512
471b0a4aeae7e477212e40db3ca6f31e76d5e7b999a247b1fee849b669ae5b730ff829f33cce42ed63fc870f4f38613a9bf369c6a0074786dcb75382c2aac907

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-929662420-1054238289-2961194603-1000\0f5007522459c86e95ffcc62f32308f1_4cfb5922-b036-4c14-9ed1-03c0dad19fbd

Filesize
1KB

MD5
81d9399d2d70aed095db3a1bdf30755f

SHA1
7177824de2a0e02e14e44e28ebac14cc82b06c4e

SHA256
23e6b0ab49333b67631e49031b715fec34979a06ce8f7650d5c6f321e9ae65b0

SHA512
ce487a56a32d0825ad20deb8d6a4b3c0d97bc8012be9ab8b47f2b2694286362d934ec5e99d72e9eb891e86ef4112124a87b3515977d1cb7941724815995dd80d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-929662420-1054238289-2961194603-1000\0f5007522459c86e95ffcc62f32308f1_4cfb5922-b036-4c14-9ed1-03c0dad19fbd

Filesize
1KB

MD5
2500b20e42c886ced183f50c0ee85e10

SHA1
21f98d70b26e6aaa77973044663a778395bf0163

SHA256
66bbe09db1930dcd02f964b2ae6fd91b954f005e5986d5f9e572d139e71d7a5d

SHA512
3e3c6d1e049156116323df5ae9a28cf44332236f6495e5bf76ee06e17e024d1b375aa1c9f445f5e2bcd0062fe6135267f54607bd465597d84031b3dab292c047

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-929662420-1054238289-2961194603-1000\0f5007522459c86e95ffcc62f32308f1_4cfb5922-b036-4c14-9ed1-03c0dad19fbd

Filesize
1KB

MD5
2500b20e42c886ced183f50c0ee85e10

SHA1
21f98d70b26e6aaa77973044663a778395bf0163

SHA256
66bbe09db1930dcd02f964b2ae6fd91b954f005e5986d5f9e572d139e71d7a5d

SHA512
3e3c6d1e049156116323df5ae9a28cf44332236f6495e5bf76ee06e17e024d1b375aa1c9f445f5e2bcd0062fe6135267f54607bd465597d84031b3dab292c047

Download Submit
C:\Users\RyukReadMe.html

Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\odt\RyukReadMe.html

Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\odt\config.xml.RYK

Filesize
978B

MD5
023fb475efc3d7e6433e2474700cbeca

SHA1
1cacc94e272be2a3c70d7f3746812f91ca4bc4bb

SHA256
d815292255b5e48271866715872fb2a34d9277bbd6a5bd9429e87bbd81e99321

SHA512
e97a7941a7c4947cbcfbc8823ccec67e0726764619573f83a5b1e049cc21134a05891c09c3403c9aa8a0031e3a79cf91fe20987f626ceed2749fac7e01bcefd9

Download Submit
C:\users\Public\RyukReadMe.html

Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
memory/640-157-0x0000000002120000-0x0000000002144000-memory.dmp

Filesize
144KB

Download
memory/852-136-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/852-140-0x0000000002260000-0x0000000002282000-memory.dmp

Filesize
136KB

Download
memory/852-132-0x0000000002430000-0x0000000002454000-memory.dmp

Filesize
144KB

Download
memory/4956-145-0x0000000002210000-0x0000000002234000-memory.dmp

Filesize
144KB

Download