ryuk | 0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87

Analysis

max time kernel
150s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
Size

728KB
MD5

b160ba8945e6d1d8612da6f1a7409621
SHA1

5e59d635511f9f3e9abadf2d8040f7383af41716
SHA256

0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87
SHA512

c144895fb0c4a4b4de0459bf0669ddbfdaf4cd38a66b5aa8653c8daaca90e7ffeac242b417521a023b091fb6f39f4ea128f23a1afefedc5246a465ad09c2898a
SSDEEP

6144:GatRxLfCE2kkkxk69R0hfyGydNoo7ogryWbF3M6oXCHF9+kktHSefL4s:Ga5DCjGk6whfaoo7HyWyCHF9XktSe0s

Score

10^/10

ryuk dave discovery ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'HrP7O1qDZDw'; $torlink = 'http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

resource	yara_rule
behavioral2/memory/2212-140-0x00000000022F0000-0x0000000002310000-memory.dmp	dave

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4412	icacls.exe
4396	icacls.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7EN.LEX	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\ffjcext.zip	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaBrightDemiBold.ttf	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ppd.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-phn.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ul-oob.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-pl.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ppd.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\RyukReadMe.html	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\RyukReadMe.html	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\RyukReadMe.html	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXT	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\GIFIMP32.FLT	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\RyukReadMe.html	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-execution_zh_CN.jar	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL092.XML	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-oob.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\RyukReadMe.html	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\RyukReadMe.html	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_zh_4.4.0.v20140623020002.jar	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\locale\updater_ja.jar	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RInt.16.msi	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado21.tlb	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\LICENSE	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ppd.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-oob.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ppd.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE.POTX	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.zh_CN_5.5.0.165303.jar	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.es-es.xml	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-phn.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ppd.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN089.XML	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ppd.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ul-oob.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-oob.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ul-oob.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-pl.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\RyukReadMe.html	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\RyukReadMe.html	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_zh_CN.jar	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-pl.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-100.png	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\index.gif	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.nl_zh_4.4.0.v20140623020002.jar	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_zh_4.4.0.v20140623020002.jar	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-options.xml	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-oob.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ppd.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2212	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
2212	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 4412	2212	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe	79
PID 2212 wrote to memory of 4412	2212	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe	79
PID 2212 wrote to memory of 4412	2212	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe	79
PID 2212 wrote to memory of 4396	2212	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe	80
PID 2212 wrote to memory of 4396	2212	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe	80
PID 2212 wrote to memory of 4396	2212	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe	80

C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
"C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4412
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

Filesize
1KB

MD5
11b99d04340f1787b622f2bf871e3f7d

SHA1
ecae22838d8a43f0ec3bc99fc08e42df4301ebfe

SHA256
44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334

SHA512
f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

Download Submit
C:\$Recycle.Bin\S-1-5-21-2629973501-4017243118-3254762364-1000\RyukReadMe.html

Filesize
1KB

MD5
11b99d04340f1787b622f2bf871e3f7d

SHA1
ecae22838d8a43f0ec3bc99fc08e42df4301ebfe

SHA256
44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334

SHA512
f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

Download Submit
C:\DumpStack.log.tmp.RYK

Filesize
8KB

MD5
77e4cf0a822b25647033c3c888ac16bf

SHA1
c23f304b73ea2ef8ddab0174e60f03eafd57aafa

SHA256
6d41014051cbe8ef992fd8e49091f5fd025417bc90c1fca66e08d50df18fb04b

SHA512
04740032e3e94276d799cd988b2ee452494c32a3634d37cb8d68c2f4397e485648937158aa2d654f87d010df55756c37e57c863a2ae5942d6ea4a0ab7eb41e44

Download Submit
C:\PerfLogs\RyukReadMe.html

Filesize
1KB

MD5
11b99d04340f1787b622f2bf871e3f7d

SHA1
ecae22838d8a43f0ec3bc99fc08e42df4301ebfe

SHA256
44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334

SHA512
f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

Download Submit
C:\RyukReadMe.html

Filesize
1KB

MD5
11b99d04340f1787b622f2bf871e3f7d

SHA1
ecae22838d8a43f0ec3bc99fc08e42df4301ebfe

SHA256
44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334

SHA512
f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Filesize
1KB

MD5
11b99d04340f1787b622f2bf871e3f7d

SHA1
ecae22838d8a43f0ec3bc99fc08e42df4301ebfe

SHA256
44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334

SHA512
f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2629973501-4017243118-3254762364-1000\0f5007522459c86e95ffcc62f32308f1_e32e1c79-b88e-4709-94fb-81034ca3398e

Filesize
1KB

MD5
42ee8ffb094448e578b6dd89c0adb387

SHA1
0249c53aa376de69b96b9e447c59fdf6f7f4809c

SHA256
9042e848423d7e6e02492ec91462a6f6d60e3925315be9d031ca3bd28c6db2bd

SHA512
0f81556531e976931a77b0cc6ff86f9341d4f398460d98d80d2c541f9b6741aef2d2e7cec6db969b4f6270fdcda1bca3917c4dec141a354740c46899f0df8896

Download Submit
C:\Users\Public\RyukReadMe.html

Filesize
1KB

MD5
11b99d04340f1787b622f2bf871e3f7d

SHA1
ecae22838d8a43f0ec3bc99fc08e42df4301ebfe

SHA256
44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334

SHA512
f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

Download Submit
C:\Users\RyukReadMe.html

Filesize
1KB

MD5
11b99d04340f1787b622f2bf871e3f7d

SHA1
ecae22838d8a43f0ec3bc99fc08e42df4301ebfe

SHA256
44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334

SHA512
f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

Download Submit
C:\odt\RyukReadMe.html

Filesize
1KB

MD5
11b99d04340f1787b622f2bf871e3f7d

SHA1
ecae22838d8a43f0ec3bc99fc08e42df4301ebfe

SHA256
44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334

SHA512
f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

Download Submit
C:\odt\config.xml.RYK

Filesize
978B

MD5
cfd3315a905529f4912ea49d4c520a83

SHA1
4be01c42f715e3b6af142cd3f030af36d5995061

SHA256
9c457de476a721137adac8d73c8cf419e1e90bf4f9669cd88e3eefa8f3c37c27

SHA512
edfc1b61e5e61e63f1687f2e6396c1efd22cd6810d652c4cc9a9d750e59e26e6a36e4aa1ad03913a2bebad036db41584a15aa7e3e3fb643a1533f3fa0d88e9aa

Download Submit
memory/2212-132-0x0000000002320000-0x0000000002343000-memory.dmp

Filesize
140KB

Download
memory/2212-140-0x00000000022F0000-0x0000000002310000-memory.dmp

Filesize
128KB

Download
memory/2212-136-0x0000000035000000-0x0000000035027000-memory.dmp

Filesize
156KB

Download