ryuk | c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

Resubmissions

28-07-2024 16:38

240728-t5tryssgmm 10

07-07-2024 14:07

240707-rfgd8atekm 10

07-07-2024 14:07

240707-re689awdpe 10

13-09-2022 17:54

220913-wg1lpsgbg7 10

Analysis

max time kernel
1789s
max time network
1633s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2022 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RansomwareSamples/Ryuk_21_03_2021_274KB.exe
Size

273KB
MD5

0eed6a270c65ab473f149b8b13c46c68
SHA1

bffb380ef3952770464823d55d0f4dfa6ab0b8df
SHA256

7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed
SHA512

1edc5af819e0a604bef31bca55efeea4d50f089aa6bdd67afee00a10132b00172a82cda214ea0ca8164b8d7444d648984c27c45f27acc69e227188ec25064aff
SSDEEP

3072:n/YRw64GUbH9dpWYEFq5hY9e1Z36NS31gs03ApyCb6DnE/PdrfS6sOK5hI+z7XI:Qa6owYEFq5hY9aqNS1y4/PdzS+s64I

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'lRwc4TXe'; $torlink = 'http://lgjpuim5fe3pejmllygcffape3djui6k2a5pcbpuyvps3h4ajb7yf4id.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://lgjpuim5fe3pejmllygcffape3djui6k2a5pcbpuyvps3h4ajb7yf4id.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

XPXotRlxbrep.exefEeRUdfbElan.exeFHXaNYSqFlan.exe

pid process

1048 XPXotRlxbrep.exe
4416 fEeRUdfbElan.exe
7708 FHXaNYSqFlan.exe

pid	process
1048	XPXotRlxbrep.exe
4416	fEeRUdfbElan.exe
7708	FHXaNYSqFlan.exe

Modifies extensions of user files 14 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Ryuk_21_03_2021_274KB.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\SuspendUnlock.crw.RYK	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Users\Admin\Pictures\TestSend.tif.RYK	Ryuk_21_03_2021_274KB.exe
File renamed	C:\Users\Admin\Pictures\PingConvertFrom.crw => C:\Users\Admin\Pictures\PingConvertFrom.crw.RYK	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Users\Admin\Pictures\DebugReceive.crw.RYK	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Users\Admin\Pictures\DisconnectStep.raw.RYK	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Users\Admin\Pictures\EnableConnect.png.RYK	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Users\Admin\Pictures\PingConvertFrom.crw.RYK	Ryuk_21_03_2021_274KB.exe
File renamed	C:\Users\Admin\Pictures\EnableConnect.png => C:\Users\Admin\Pictures\EnableConnect.png.RYK	Ryuk_21_03_2021_274KB.exe
File renamed	C:\Users\Admin\Pictures\ReadRepair.tif => C:\Users\Admin\Pictures\ReadRepair.tif.RYK	Ryuk_21_03_2021_274KB.exe
File renamed	C:\Users\Admin\Pictures\TestSend.tif => C:\Users\Admin\Pictures\TestSend.tif.RYK	Ryuk_21_03_2021_274KB.exe
File renamed	C:\Users\Admin\Pictures\DebugReceive.crw => C:\Users\Admin\Pictures\DebugReceive.crw.RYK	Ryuk_21_03_2021_274KB.exe
File renamed	C:\Users\Admin\Pictures\DisconnectStep.raw => C:\Users\Admin\Pictures\DisconnectStep.raw.RYK	Ryuk_21_03_2021_274KB.exe
File renamed	C:\Users\Admin\Pictures\SuspendUnlock.crw => C:\Users\Admin\Pictures\SuspendUnlock.crw.RYK	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Users\Admin\Pictures\ReadRepair.tif.RYK	Ryuk_21_03_2021_274KB.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ryuk_21_03_2021_274KB.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Ryuk_21_03_2021_274KB.exe

Drops startup file 1 IoCs

Processes:

Ryuk_21_03_2021_274KB.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.html Ryuk_21_03_2021_274KB.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

32268 icacls.exe
32280 icacls.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.html	Ryuk_21_03_2021_274KB.exe

pid	process
32268	icacls.exe
32280	icacls.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

Ryuk_21_03_2021_274KB.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	Ryuk_21_03_2021_274KB.exe

Drops file in Program Files directory 64 IoCs

Processes:

Ryuk_21_03_2021_274KB.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-ae\RyukReadMe.html	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ppd.xrm-ms.RYK	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ul-oob.xrm-ms	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-phn.xrm-ms	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-pl.xrm-ms	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\ui-strings.js	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf.RYK	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\fr-CA.pak.RYK	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ppd.xrm-ms	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Grace-ul-oob.xrm-ms	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-down_32.svg	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\pt-br\RyukReadMe.html	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WordInterProviderRanker.bin.RYK	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ro-ro\ui-strings.js.RYK	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ppd.xrm-ms	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_invite_24.svg	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\it-IT\msdaprsr.dll.mui	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui.RYK	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml.RYK	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\dcf.x-none.msi.16.x-none.vreg.dat.RYK	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul.xrm-ms	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\RyukReadMe.html	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar.RYK	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-pl.xrm-ms.RYK	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\CardViewIcon.png.RYK	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\RyukReadMe.html	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_up_hover_18.svg	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\RyukReadMe.html	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\org-openide-filesystems_zh_CN.jar.RYK	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\DataMatrix.pmp.RYK	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-variant2-2x.gif.RYK	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state_1.0.1.v20140709-1414.jar	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner2x.gif	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ja-jp\RyukReadMe.html	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages.properties.RYK	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\word.x-none.msi.16.x-none.tree.dat.RYK	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\submission_history.gif	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\SETUP.CHM	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-il\RyukReadMe.html	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\plugin.js.RYK	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_zh_CN.jar	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tl.gif	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\ui-strings.js	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.properties.RYK	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml.RYK	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui.RYK	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\RyukReadMe.html	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\ui-strings.js	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sk-sk\RyukReadMe.html	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\cmm\PYCC.pf	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\AccessCompare.rdlc	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\skin.catalog	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\selector.js	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\sv-se\ui-strings.js.RYK	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\css\RyukReadMe.html	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pt_get.svg	Ryuk_21_03_2021_274KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\faf_icons.png	Ryuk_21_03_2021_274KB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

SCHTASKS.exe

pid process

206060 SCHTASKS.exe
Runs net.exe

pid	process
206060	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Ryuk_21_03_2021_274KB.exe

pid	process
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe
4860	Ryuk_21_03_2021_274KB.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Ryuk_21_03_2021_274KB.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 4860 wrote to memory of 1048	4860	Ryuk_21_03_2021_274KB.exe	XPXotRlxbrep.exe
PID 4860 wrote to memory of 1048	4860	Ryuk_21_03_2021_274KB.exe	XPXotRlxbrep.exe
PID 4860 wrote to memory of 1048	4860	Ryuk_21_03_2021_274KB.exe	XPXotRlxbrep.exe
PID 4860 wrote to memory of 4416	4860	Ryuk_21_03_2021_274KB.exe	fEeRUdfbElan.exe
PID 4860 wrote to memory of 4416	4860	Ryuk_21_03_2021_274KB.exe	fEeRUdfbElan.exe
PID 4860 wrote to memory of 4416	4860	Ryuk_21_03_2021_274KB.exe	fEeRUdfbElan.exe
PID 4860 wrote to memory of 7708	4860	Ryuk_21_03_2021_274KB.exe	FHXaNYSqFlan.exe
PID 4860 wrote to memory of 7708	4860	Ryuk_21_03_2021_274KB.exe	FHXaNYSqFlan.exe
PID 4860 wrote to memory of 7708	4860	Ryuk_21_03_2021_274KB.exe	FHXaNYSqFlan.exe
PID 4860 wrote to memory of 32268	4860	Ryuk_21_03_2021_274KB.exe	icacls.exe
PID 4860 wrote to memory of 32268	4860	Ryuk_21_03_2021_274KB.exe	icacls.exe
PID 4860 wrote to memory of 32268	4860	Ryuk_21_03_2021_274KB.exe	icacls.exe
PID 4860 wrote to memory of 32280	4860	Ryuk_21_03_2021_274KB.exe	icacls.exe
PID 4860 wrote to memory of 32280	4860	Ryuk_21_03_2021_274KB.exe	icacls.exe
PID 4860 wrote to memory of 32280	4860	Ryuk_21_03_2021_274KB.exe	icacls.exe
PID 4860 wrote to memory of 53156	4860	Ryuk_21_03_2021_274KB.exe	net.exe
PID 4860 wrote to memory of 53156	4860	Ryuk_21_03_2021_274KB.exe	net.exe
PID 4860 wrote to memory of 53156	4860	Ryuk_21_03_2021_274KB.exe	net.exe
PID 4860 wrote to memory of 53164	4860	Ryuk_21_03_2021_274KB.exe	net.exe
PID 4860 wrote to memory of 53164	4860	Ryuk_21_03_2021_274KB.exe	net.exe
PID 4860 wrote to memory of 53164	4860	Ryuk_21_03_2021_274KB.exe	net.exe
PID 53164 wrote to memory of 51696	53164	net.exe	net1.exe
PID 53164 wrote to memory of 51696	53164	net.exe	net1.exe
PID 53164 wrote to memory of 51696	53164	net.exe	net1.exe
PID 4860 wrote to memory of 53140	4860	Ryuk_21_03_2021_274KB.exe	net.exe
PID 4860 wrote to memory of 53140	4860	Ryuk_21_03_2021_274KB.exe	net.exe
PID 4860 wrote to memory of 53140	4860	Ryuk_21_03_2021_274KB.exe	net.exe
PID 53156 wrote to memory of 53192	53156	net.exe	net1.exe
PID 53156 wrote to memory of 53192	53156	net.exe	net1.exe
PID 53156 wrote to memory of 53192	53156	net.exe	net1.exe
PID 4860 wrote to memory of 51764	4860	Ryuk_21_03_2021_274KB.exe	net.exe
PID 4860 wrote to memory of 51764	4860	Ryuk_21_03_2021_274KB.exe	net.exe
PID 4860 wrote to memory of 51764	4860	Ryuk_21_03_2021_274KB.exe	net.exe
PID 53140 wrote to memory of 53300	53140	net.exe	net1.exe
PID 53140 wrote to memory of 53300	53140	net.exe	net1.exe
PID 53140 wrote to memory of 53300	53140	net.exe	net1.exe
PID 51764 wrote to memory of 53312	51764	net.exe	net1.exe
PID 51764 wrote to memory of 53312	51764	net.exe	net1.exe
PID 51764 wrote to memory of 53312	51764	net.exe	net1.exe
PID 4860 wrote to memory of 206060	4860	Ryuk_21_03_2021_274KB.exe	SCHTASKS.exe
PID 4860 wrote to memory of 206060	4860	Ryuk_21_03_2021_274KB.exe	SCHTASKS.exe
PID 4860 wrote to memory of 206060	4860	Ryuk_21_03_2021_274KB.exe	SCHTASKS.exe
PID 4860 wrote to memory of 496708	4860	Ryuk_21_03_2021_274KB.exe	net.exe
PID 4860 wrote to memory of 496708	4860	Ryuk_21_03_2021_274KB.exe	net.exe
PID 4860 wrote to memory of 496708	4860	Ryuk_21_03_2021_274KB.exe	net.exe
PID 496708 wrote to memory of 496524	496708	net.exe	net1.exe
PID 496708 wrote to memory of 496524	496708	net.exe	net1.exe
PID 496708 wrote to memory of 496524	496708	net.exe	net1.exe
PID 4860 wrote to memory of 494224	4860	Ryuk_21_03_2021_274KB.exe	net.exe
PID 4860 wrote to memory of 494224	4860	Ryuk_21_03_2021_274KB.exe	net.exe
PID 4860 wrote to memory of 494224	4860	Ryuk_21_03_2021_274KB.exe	net.exe
PID 494224 wrote to memory of 496820	494224	net.exe	net1.exe
PID 494224 wrote to memory of 496820	494224	net.exe	net1.exe
PID 494224 wrote to memory of 496820	494224	net.exe	net1.exe
PID 4860 wrote to memory of 500276	4860	Ryuk_21_03_2021_274KB.exe	net.exe
PID 4860 wrote to memory of 500276	4860	Ryuk_21_03_2021_274KB.exe	net.exe
PID 4860 wrote to memory of 500276	4860	Ryuk_21_03_2021_274KB.exe	net.exe
PID 500276 wrote to memory of 500340	500276	net.exe	net1.exe
PID 500276 wrote to memory of 500340	500276	net.exe	net1.exe
PID 500276 wrote to memory of 500340	500276	net.exe	net1.exe
PID 4860 wrote to memory of 500288	4860	Ryuk_21_03_2021_274KB.exe	net.exe
PID 4860 wrote to memory of 500288	4860	Ryuk_21_03_2021_274KB.exe	net.exe
PID 4860 wrote to memory of 500288	4860	Ryuk_21_03_2021_274KB.exe	net.exe
PID 500288 wrote to memory of 500316	500288	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Ryuk_21_03_2021_274KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Ryuk_21_03_2021_274KB.exe"
1⤵
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\XPXotRlxbrep.exe
  "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\XPXotRlxbrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:1048
- C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\fEeRUdfbElan.exe
  "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\fEeRUdfbElan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\FHXaNYSqFlan.exe
  "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\FHXaNYSqFlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:7708
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:32268
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:32280
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:53164
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:51696
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:53156
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:53192
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:53140
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:53300
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:51764
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:53312
- C:\Windows\SysWOW64\SCHTASKS.exe
  SCHTASKS /CREATE /NP /SC DAILY /TN "PrintVo" /TR "C:\Windows\System32\cmd.exe /c for /l %x in (1,1,50) do start wordpad.exe /p C:\users\Public\b90jt.dll" /ST 10:25 /SD 09/15/2022 /ED 09/22/2022
  2⤵
  - Creates scheduled task(s)
  PID:206060
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:496708
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:496524
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:494224
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:496820
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:500276
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:500340
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:500288
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:500316
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:669620
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:669400
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:669248
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:669272
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:784380
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:780856
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:784348
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:784252
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:885948
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:886040
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:885940
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:886060
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:885976
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:886264
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:885888
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:886176
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:886524
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:886604
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:886736
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:886720
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:879560
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:465320
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:463480
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:496760
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:986084
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:986128
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:986168
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:986240
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1.089828e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1.089992e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1.0926e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1.092572e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1.202076e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1.20214e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1.20216e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1.201876e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1.220428e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1.220524e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1.220216e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1.219868e+06

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\$Recycle.Bin\S-1-5-21-2629973501-4017243118-3254762364-1000\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db.RYK

Filesize
9KB

MD5
2e9bbdc68f3ad6f0c407c87b5d47c71c

SHA1
15dd2ffffb0ee5f82ab3d759f3ce7c62d10ed214

SHA256
6ae1b70bc44990c0b118bb44ca876ff66c628e02094487e409d2edc7928859b6

SHA512
b93347c84de92d3dd1fd1be1080fe83bfed17bb4e8a36dc97ac47fbbdff8d755a517210b00dcedcdb616108718d4340b102494ae4d03a60dff274944e27f8f7b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\DumpStack.log.tmp.RYK

Filesize
8KB

MD5
57a9018070bee4854e220cc8186982a1

SHA1
4f69ebf80fd6456cb2a0120366067a00fb41f746

SHA256
82592a996ed1afe8a5849ff42a811aff8c68526f1975184e97b6b422303c0e96

SHA512
d20132490f550953e30ac515517b58abe365a5cd61d9babf1fd48854dfbbb005c81c545a0471e7be8855b0d05e31aceeecf4d1eec99a70bbb1a3f175536e89fd

Download Submit
C:\PerfLogs\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst.RYK

Filesize
1KB

MD5
5968acbe322cc8f38bd4b9ab42539b47

SHA1
2b3ce1e97378139e345fa61fabd982a2ee53db05

SHA256
d649a7eb51a37cd99571902c76d65b98b3f1d82f5d60bbc5fbe4d11d53bfa5a6

SHA512
c6727f9bc0d44e7a5f98c6fbbbaba60183d82f83adfc4072b14e84546d6c6ce5a1cd9207687331eee9b10cfaae860c4e5f203abc6cc27db7c39a164e5ff6eb0e

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst.RYK

Filesize
80KB

MD5
c302c666b65ecd2c10e025d2db0f74ba

SHA1
e198c05a13a90a8d417ad0e7820b3729eaadef61

SHA256
b6c9f5953ce8cedf411894c52570e98d17993d7ce639a07e381109d95d66ecc3

SHA512
cb0ee22477cdf214fcc1d28fe6ec992d22bc0ce4bc5d34b0300b63f227024ea8e4743956c51dd210896e56a2a4c4ed5818954977f50c95c0743f9ddea79cd1e3

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt19.lst.RYK

Filesize
9KB

MD5
b8191ea0a76c081fe0d5802a3f9ac0e7

SHA1
0ee567ee1ab95daac5ac04684635420b8901d407

SHA256
467f82c988bb219495723b76e2a51994847426f4e3004a2235e64ecf71e6b59a

SHA512
11115d3922f95cb6481064a89397b238b87396d521138e754f10cdf0be87a598c48c60ad99688921c1531a01a6c83fec342a14b84cfaccd8b065a398ca3b1ecf

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat.RYK

Filesize
68KB

MD5
39038fe736597272c02b2455bb02c8cb

SHA1
b10e88b95bb2acc6444ff42ac913e291aff95c47

SHA256
1b1a62a5a79f621e0c384f99269f9fdc620e883e94e579b888a2e049041d7d3d

SHA512
123f854a1614c69d5b25aca464b64f255591842fdc5e4fc9fe17d92bb0f104bb65c2a4f89e5dd8d291b47d65686bebdd739bf79ed657af55991c852a2197525b

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK

Filesize
12KB

MD5
9301fc5b04014de145b8d4ae64f38a48

SHA1
c62b6c8fed19d028a8e2d33b32e93d6e6b08060c

SHA256
71aee9b23338d6886d368a5e81e686f82da38563d92a56ca84c11d0dbe9a452a

SHA512
6ab82b1a8f3abd799701a507b975e938f749a58ef90fd45d1e424a5f93b02e888b8ef16a9201c460a5283aa41c32580146e88720577ee11b57e25d5753993c63

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\ToolsSearchCacheRdr\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK

Filesize
32KB

MD5
dd25276c19cebc69419b73c5807001fc

SHA1
83c14d5ea96b52750c06fece53c8b09702ad055f

SHA256
ebd15cee005ab6f5922bfba6e070f8ab636f56c6b37ad1f85228004bdcf8dc76

SHA512
486779fffe4d4fcd5aa9dccc07675030811d04c4807f74e33aa50fa1cae249fee93afda9fdb0bdafef848e2d31e4ebf9afa8e23af310f335c270f60d39a63630

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK

Filesize
1KB

MD5
76400edb37eda93f5566a38093a8db03

SHA1
f062ace91b34e76594f09de3907cfb1a822155d3

SHA256
aa3bfaba14c2e730d31cbe4b62602523daae373dd0d180c9051f6029164bcc8b

SHA512
13610756e6c252c8d0c958d65eacf83bc19e2e28dc10af1385e97ff2a0af229c6ccaf06e632524ee4b629e2d68437a1d82af6547d63f13c22a617d7a0c7026df

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

Filesize
2KB

MD5
8882ad4c12335cfffc0f94c17066bc30

SHA1
daded33a6e05290a9999ce86ad0534ce88b5af2c

SHA256
c07f2633d646e49fd99a3b2858085859a059d2f47b9307f6c018d11a80a366f6

SHA512
db527a8c45131957ea1456543cdd24b872e66d3fb213c31ce19d85fa0e5dba91227881e6f722c29f0ae9bfde19707107b504ee39c9c4100f19c63e2b84af37a1

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

Filesize
64KB

MD5
6b238ddac82be5199c0674f92ccecbd2

SHA1
9131017201bd64c086e0c7b37821f1357f208c08

SHA256
e62c4a260adbb585d3bc1126b36f7ed761c0da653bf4bdea582c705660005fdc

SHA512
1928d7d6902a1b96c4a2511e2a3cc6627561c86a87d04507a5a382864b7939bb2ca83969d425f4edce35b4d329b2543972660d11c4a975ec2f6be60f8dd59f1b

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Comms\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jcp

Filesize
8KB

MD5
cbbe13072d0c68e699b0e1c1052eb2db

SHA1
8cd2bd1e76dbc6dff74893f4e0ee628b5495a19a

SHA256
6e19283ec0ed74a78c64ca271c551cd4328202c3991fdcf992bc59b57d35a7b3

SHA512
3da689911acce8376ead178c014072277190c5bb33a83d6813fd1a5a397a4d8e6a67ddccf773a7bf65034902d93b57dd82bd1d6bee082d5a5356b6c5e6bd822b

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jtx

Filesize
3.0MB

MD5
491d6f5151dc6043d9b6cf9b20ecac40

SHA1
8f24ceff51444d5986536d9e0feee53df769fcaf

SHA256
dec17104d1ee0b8a63e759884e4b07729deb454092b8a9d6904d2e0d08604f49

SHA512
0bb0d940d7ccc38bfdea3cd15e40d1bdfa640b638bdbf54a3ccd682084cf40f6a796d7de66c39309c7175aeb0f3eb9c84880c37524d9cb7050f2138dc44c74b8

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
84049ac2ce66e7c92b3c89b1229a1bf9

SHA1
78f588da8eac3a7ee5cea54a7f40fbc72d72469e

SHA256
fe385838d5b3c3ab4abac19a22128dbb6f8f1b075aec877f4608c44847285d75

SHA512
47e49b18ae22257613bd271f28d0935acd618639db6808bf124bf5765767ce0ce8f150ba416069c4e969ec1a6f50cb166939aeb483171517eb61838af92aaf57

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.vol

Filesize
6.0MB

MD5
decfc9e1adc90b338c0f53b6ed1e187a

SHA1
5bca1d8838a639984dabcdfb87e0a8a58a7c157c

SHA256
83d890fcf79435c0435cdbc7158bbb65efe9e0f758cb8eada47673a54f01dbdf

SHA512
0dd0fc93d6764bb0a0866f3d4a6ffca5568103d6e4ba5e9e6599cfae91a63808ef45208e524385218681183d02f8d79188e5b98cf44a57079ee77a1a5300b095

Download Submit
C:\Users\Admin\AppData\Local\Google\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Credentials\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\GameDVR\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\af-ZA\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-AE\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-BH\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-DZ\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-EG\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Packages\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Publishers\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log.RYK

Filesize
2KB

MD5
d80b3d31de4328f455e616dfb6b00bde

SHA1
bdb2af2974b6e694aa21d23a3441add40a8745b8

SHA256
083df513a8089fd145bed136f8565d8d02a2e884ad59d82563e06967e9bbb803

SHA512
96e83284b497693f3cbfe5d2fa9fbe59a3b6f6b06a06cda41f789e97dd153bcfeea45bfe2f667845e90a9ceead0198b33a7d1c0022d705e853aa5e1137532901

Download Submit
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\FHXaNYSqFlan.exe

Filesize
273KB

MD5
0eed6a270c65ab473f149b8b13c46c68

SHA1
bffb380ef3952770464823d55d0f4dfa6ab0b8df

SHA256
7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed

SHA512
1edc5af819e0a604bef31bca55efeea4d50f089aa6bdd67afee00a10132b00172a82cda214ea0ca8164b8d7444d648984c27c45f27acc69e227188ec25064aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\FHXaNYSqFlan.exe

Filesize
273KB

MD5
0eed6a270c65ab473f149b8b13c46c68

SHA1
bffb380ef3952770464823d55d0f4dfa6ab0b8df

SHA256
7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed

SHA512
1edc5af819e0a604bef31bca55efeea4d50f089aa6bdd67afee00a10132b00172a82cda214ea0ca8164b8d7444d648984c27c45f27acc69e227188ec25064aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\XPXotRlxbrep.exe

Filesize
273KB

MD5
0eed6a270c65ab473f149b8b13c46c68

SHA1
bffb380ef3952770464823d55d0f4dfa6ab0b8df

SHA256
7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed

SHA512
1edc5af819e0a604bef31bca55efeea4d50f089aa6bdd67afee00a10132b00172a82cda214ea0ca8164b8d7444d648984c27c45f27acc69e227188ec25064aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\XPXotRlxbrep.exe

Filesize
273KB

MD5
0eed6a270c65ab473f149b8b13c46c68

SHA1
bffb380ef3952770464823d55d0f4dfa6ab0b8df

SHA256
7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed

SHA512
1edc5af819e0a604bef31bca55efeea4d50f089aa6bdd67afee00a10132b00172a82cda214ea0ca8164b8d7444d648984c27c45f27acc69e227188ec25064aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\fEeRUdfbElan.exe

Filesize
273KB

MD5
0eed6a270c65ab473f149b8b13c46c68

SHA1
bffb380ef3952770464823d55d0f4dfa6ab0b8df

SHA256
7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed

SHA512
1edc5af819e0a604bef31bca55efeea4d50f089aa6bdd67afee00a10132b00172a82cda214ea0ca8164b8d7444d648984c27c45f27acc69e227188ec25064aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\fEeRUdfbElan.exe

Filesize
273KB

MD5
0eed6a270c65ab473f149b8b13c46c68

SHA1
bffb380ef3952770464823d55d0f4dfa6ab0b8df

SHA256
7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed

SHA512
1edc5af819e0a604bef31bca55efeea4d50f089aa6bdd67afee00a10132b00172a82cda214ea0ca8164b8d7444d648984c27c45f27acc69e227188ec25064aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-1700.log

Filesize
754B

MD5
e3276d4b6d61dd7b9c6a069ee2ab1471

SHA1
a12b8ea8fa5a039d84a3d0a94ff2f87a754912c9

SHA256
711fa6e3ac43a7f55a63df15e4656c1ba3a7dc50f4e9c2e5d029b0edb882052d

SHA512
c4aee020eac4ebc1b44fb11102a4de43d167d03ae25cae647200ab9fd39a4a21ebfdab8b9ee378f5bea427660ee1082ef57796441a1b9fae631bd838f6a5bcf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
3KB

MD5
9f1825c67df849904ed2b5f3872ff1d2

SHA1
82a71c3ead38cc427a7fe7b4e4e9c3234cdddd3e

SHA256
dd235c726b08e6e9ac842fe3c498d1c56416a5847a543b32073a21fcfa9b4923

SHA512
f7f45228b644e5a40f607a219e58a95988bf46ad01015a09ee602ea1899f4ca0efb188b0d9e1df743d1fba2ec9ffe7f5a747b14d2fbd941f64cb879ee49e01a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI50B8.txt

Filesize
11KB

MD5
368cf89b5ad248aa962dea3124a82cc3

SHA1
55debde64dbac7745b27213f8851d396cf369cec

SHA256
144cb50330b251f9960f371815ac5de33d55a1a4959b09c4e5823081e0b9e0c2

SHA512
aadec20799fe90f5ca92189008ca4cee4a7513c02d763c31099e20ad1f80b2f6dbf8a3a7ace96cb28e198f2d56798a32c90e9b3472ecd78868b1b4362236dc08

Download Submit
C:\Users\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\odt\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\odt\config.xml.RYK

Filesize
978B

MD5
6eb0dae6aef0a267d3abfb5b6d7a596a

SHA1
711a053f69fddbf98d4fd9888e4835bd010fec38

SHA256
c88607f99810bb8a973a45313bb088ccfa47f3e6099cfe6bfe72009f52c7c496

SHA512
8d52722e02bac2055cfcfc1cfe13a16a92e471206e9d74187c122e35d8db2b045bf07a3afb00f84a0565463916a05271267b3686741e63489feeb981aa11b34c

Download Submit
C:\users\Public\RyukReadMe.html

Filesize
1KB

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
memory/1048-138-0x0000000035000000-0x0000000035060000-memory.dmp

Filesize
384KB

Download
memory/1048-216-0x0000000035000000-0x0000000035060000-memory.dmp

Filesize
384KB

Download
memory/1048-137-0x0000000035000000-0x0000000035060000-memory.dmp

Filesize
384KB

Download
memory/1048-134-0x0000000000000000-mapping.dmp

Download
memory/4416-142-0x0000000035000000-0x0000000035060000-memory.dmp

Filesize
384KB

Download
memory/4416-139-0x0000000000000000-mapping.dmp

Download
memory/4416-217-0x0000000035000000-0x0000000035060000-memory.dmp

Filesize
384KB

Download
memory/4860-167-0x0000000035000000-0x0000000035060000-memory.dmp

Filesize
384KB

Download
memory/4860-133-0x0000000035000000-0x0000000035060000-memory.dmp

Filesize
384KB

Download
memory/4860-132-0x0000000035000000-0x0000000035060000-memory.dmp

Filesize
384KB

Download
memory/7708-146-0x0000000035000000-0x0000000035060000-memory.dmp

Filesize
384KB

Download
memory/7708-218-0x0000000035000000-0x0000000035060000-memory.dmp

Filesize
384KB

Download
memory/7708-143-0x0000000000000000-mapping.dmp

Download
memory/32268-148-0x0000000000000000-mapping.dmp

Download
memory/32280-149-0x0000000000000000-mapping.dmp

Download
memory/51696-161-0x0000000000000000-mapping.dmp

Download
memory/51764-164-0x0000000000000000-mapping.dmp

Download
memory/53140-162-0x0000000000000000-mapping.dmp

Download
memory/53156-159-0x0000000000000000-mapping.dmp

Download
memory/53164-160-0x0000000000000000-mapping.dmp

Download
memory/53192-163-0x0000000000000000-mapping.dmp

Download
memory/53300-165-0x0000000000000000-mapping.dmp

Download
memory/53312-166-0x0000000000000000-mapping.dmp

Download
memory/206060-219-0x0000000000000000-mapping.dmp

Download
memory/463480-248-0x0000000000000000-mapping.dmp

Download
memory/465320-250-0x0000000000000000-mapping.dmp

Download
memory/494224-222-0x0000000000000000-mapping.dmp

Download
memory/496524-221-0x0000000000000000-mapping.dmp

Download
memory/496708-220-0x0000000000000000-mapping.dmp

Download
memory/496760-251-0x0000000000000000-mapping.dmp

Download
memory/496820-223-0x0000000000000000-mapping.dmp

Download
memory/500276-224-0x0000000000000000-mapping.dmp

Download
memory/500288-226-0x0000000000000000-mapping.dmp

Download
memory/500316-227-0x0000000000000000-mapping.dmp

Download
memory/500340-225-0x0000000000000000-mapping.dmp

Download
memory/669248-229-0x0000000000000000-mapping.dmp

Download
memory/669272-230-0x0000000000000000-mapping.dmp

Download
memory/669400-231-0x0000000000000000-mapping.dmp

Download
memory/669620-228-0x0000000000000000-mapping.dmp

Download
memory/780856-234-0x0000000000000000-mapping.dmp

Download
memory/784252-235-0x0000000000000000-mapping.dmp

Download
memory/784348-233-0x0000000000000000-mapping.dmp

Download
memory/784380-232-0x0000000000000000-mapping.dmp

Download
memory/879560-249-0x0000000000000000-mapping.dmp

Download
memory/885888-240-0x0000000000000000-mapping.dmp

Download
memory/885940-236-0x0000000000000000-mapping.dmp

Download
memory/885948-237-0x0000000000000000-mapping.dmp

Download
memory/885976-241-0x0000000000000000-mapping.dmp

Download
memory/886040-238-0x0000000000000000-mapping.dmp

Download
memory/886060-239-0x0000000000000000-mapping.dmp

Download
memory/886176-243-0x0000000000000000-mapping.dmp

Download
memory/886264-242-0x0000000000000000-mapping.dmp

Download
memory/886524-245-0x0000000000000000-mapping.dmp

Download
memory/886604-246-0x0000000000000000-mapping.dmp

Download
memory/886720-247-0x0000000000000000-mapping.dmp

Download
memory/886736-244-0x0000000000000000-mapping.dmp

Download
memory/986084-252-0x0000000000000000-mapping.dmp

Download
memory/986128-253-0x0000000000000000-mapping.dmp

Download
memory/986168-254-0x0000000000000000-mapping.dmp

Download
memory/986240-255-0x0000000000000000-mapping.dmp

Download
memory/1089828-256-0x0000000000000000-mapping.dmp

Download
memory/1089992-257-0x0000000000000000-mapping.dmp

Download
memory/1092572-259-0x0000000000000000-mapping.dmp

Download
memory/1092600-258-0x0000000000000000-mapping.dmp

Download
memory/1201876-263-0x0000000000000000-mapping.dmp

Download
memory/1202076-260-0x0000000000000000-mapping.dmp

Download
memory/1202140-261-0x0000000000000000-mapping.dmp

Download
memory/1202160-262-0x0000000000000000-mapping.dmp

Download
memory/1219868-267-0x0000000000000000-mapping.dmp

Download
memory/1220216-265-0x0000000000000000-mapping.dmp

Download
memory/1220428-264-0x0000000000000000-mapping.dmp

Download
memory/1220524-266-0x0000000000000000-mapping.dmp

Download