ryuk | 0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87

Analysis

max time kernel
150s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
Size

728KB
MD5

b160ba8945e6d1d8612da6f1a7409621
SHA1

5e59d635511f9f3e9abadf2d8040f7383af41716
SHA256

0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87
SHA512

c144895fb0c4a4b4de0459bf0669ddbfdaf4cd38a66b5aa8653c8daaca90e7ffeac242b417521a023b091fb6f39f4ea128f23a1afefedc5246a465ad09c2898a
SSDEEP

6144:GatRxLfCE2kkkxk69R0hfyGydNoo7ogryWbF3M6oXCHF9+kktHSefL4s:Ga5DCjGk6whfaoo7HyWyCHF9XktSe0s

Score

10^/10

ryuk dave discovery ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'HrP7O1qDZDw'; $torlink = 'http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral2/memory/2212-140-0x00000000022F0000-0x0000000002310000-memory.dmp	dave

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

4412 icacls.exe
4396 icacls.exe

pid	process
4412	icacls.exe
4396	icacls.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe

Drops file in Program Files directory 64 IoCs

Processes:

0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7EN.LEX	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\ffjcext.zip	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaBrightDemiBold.ttf	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ppd.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-phn.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ul-oob.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-pl.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ppd.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\RyukReadMe.html	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\RyukReadMe.html	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\RyukReadMe.html	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXT	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\GIFIMP32.FLT	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\RyukReadMe.html	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-execution_zh_CN.jar	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL092.XML	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-oob.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\RyukReadMe.html	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\RyukReadMe.html	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_zh_4.4.0.v20140623020002.jar	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\locale\updater_ja.jar	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RInt.16.msi	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado21.tlb	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\LICENSE	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity-dark@3x.png	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ppd.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-oob.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ppd.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE.POTX	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.zh_CN_5.5.0.165303.jar	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.es-es.xml	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-phn.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ppd.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN089.XML	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ppd.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ul-oob.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-oob.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ul-oob.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-pl.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\RyukReadMe.html	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\RyukReadMe.html	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_zh_CN.jar	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-pl.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-100.png	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\index.gif	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.nl_zh_4.4.0.v20140623020002.jar	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_zh_4.4.0.v20140623020002.jar	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-options.xml	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-oob.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ppd.xrm-ms	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe

pid	process
2212	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
2212	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe

description	pid	process	target process
PID 2212 wrote to memory of 4412	2212	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe	icacls.exe
PID 2212 wrote to memory of 4412	2212	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe	icacls.exe
PID 2212 wrote to memory of 4412	2212	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe	icacls.exe
PID 2212 wrote to memory of 4396	2212	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe	icacls.exe
PID 2212 wrote to memory of 4396	2212	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe	icacls.exe
PID 2212 wrote to memory of 4396	2212	0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe
"C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4412

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html
Filesize
1KB

MD5
11b99d04340f1787b622f2bf871e3f7d

SHA1
ecae22838d8a43f0ec3bc99fc08e42df4301ebfe

SHA256
44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334

SHA512
f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

Download Submit
C:\$Recycle.Bin\S-1-5-21-2629973501-4017243118-3254762364-1000\RyukReadMe.html
Filesize
1KB

MD5
11b99d04340f1787b622f2bf871e3f7d

SHA1
ecae22838d8a43f0ec3bc99fc08e42df4301ebfe

SHA256
44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334

SHA512
f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

Download Submit
C:\DumpStack.log.tmp.RYK
Filesize
8KB

MD5
77e4cf0a822b25647033c3c888ac16bf

SHA1
c23f304b73ea2ef8ddab0174e60f03eafd57aafa

SHA256
6d41014051cbe8ef992fd8e49091f5fd025417bc90c1fca66e08d50df18fb04b

SHA512
04740032e3e94276d799cd988b2ee452494c32a3634d37cb8d68c2f4397e485648937158aa2d654f87d010df55756c37e57c863a2ae5942d6ea4a0ab7eb41e44

Download Submit
C:\PerfLogs\RyukReadMe.html
Filesize
1KB

MD5
11b99d04340f1787b622f2bf871e3f7d

SHA1
ecae22838d8a43f0ec3bc99fc08e42df4301ebfe

SHA256
44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334

SHA512
f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

Download Submit
C:\RyukReadMe.html
Filesize
1KB

MD5
11b99d04340f1787b622f2bf871e3f7d

SHA1
ecae22838d8a43f0ec3bc99fc08e42df4301ebfe

SHA256
44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334

SHA512
f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
Filesize
1KB

MD5
11b99d04340f1787b622f2bf871e3f7d

SHA1
ecae22838d8a43f0ec3bc99fc08e42df4301ebfe

SHA256
44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334

SHA512
f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2629973501-4017243118-3254762364-1000\0f5007522459c86e95ffcc62f32308f1_e32e1c79-b88e-4709-94fb-81034ca3398e
Filesize
1KB

MD5
42ee8ffb094448e578b6dd89c0adb387

SHA1
0249c53aa376de69b96b9e447c59fdf6f7f4809c

SHA256
9042e848423d7e6e02492ec91462a6f6d60e3925315be9d031ca3bd28c6db2bd

SHA512
0f81556531e976931a77b0cc6ff86f9341d4f398460d98d80d2c541f9b6741aef2d2e7cec6db969b4f6270fdcda1bca3917c4dec141a354740c46899f0df8896

Download Submit
C:\Users\Public\RyukReadMe.html
Filesize
1KB

MD5
11b99d04340f1787b622f2bf871e3f7d

SHA1
ecae22838d8a43f0ec3bc99fc08e42df4301ebfe

SHA256
44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334

SHA512
f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

Download Submit
C:\Users\RyukReadMe.html
Filesize
1KB

MD5
11b99d04340f1787b622f2bf871e3f7d

SHA1
ecae22838d8a43f0ec3bc99fc08e42df4301ebfe

SHA256
44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334

SHA512
f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

Download Submit
C:\odt\RyukReadMe.html
Filesize
1KB

MD5
11b99d04340f1787b622f2bf871e3f7d

SHA1
ecae22838d8a43f0ec3bc99fc08e42df4301ebfe

SHA256
44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334

SHA512
f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

Download Submit
C:\odt\config.xml.RYK
Filesize
978B

MD5
cfd3315a905529f4912ea49d4c520a83

SHA1
4be01c42f715e3b6af142cd3f030af36d5995061

SHA256
9c457de476a721137adac8d73c8cf419e1e90bf4f9669cd88e3eefa8f3c37c27

SHA512
edfc1b61e5e61e63f1687f2e6396c1efd22cd6810d652c4cc9a9d750e59e26e6a36e4aa1ad03913a2bebad036db41584a15aa7e3e3fb643a1533f3fa0d88e9aa

Download Submit
memory/2212-132-0x0000000002320000-0x0000000002343000-memory.dmp

Filesize
140KB

Download
memory/2212-140-0x00000000022F0000-0x0000000002310000-memory.dmp

Filesize
128KB

Download
memory/2212-136-0x0000000035000000-0x0000000035027000-memory.dmp

Filesize
156KB

Download
memory/4396-142-0x0000000000000000-mapping.dmp

Download
memory/4412-141-0x0000000000000000-mapping.dmp

Download