ryuk | 180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

Analysis

max time kernel
63s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
Size

635KB
MD5

a563c50c5fa0fd541248acaf72cc4e7d
SHA1

4b8c12b074e20a796071aa50dc82fe2ff755e8f6
SHA256

180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843
SHA512

d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479
SSDEEP

6144:LA+0uP79QAbIhsU2Hl7A6P+ZT6EnW5TMGRx4S7SM22C4:LACbIhs5He6PtgvS7SM2T4

Score

10^/10

ryuk dave discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = '5GqsR1ewcO'; $torlink = 'http://piesa6sapybbrz63pqmmwdzyc5fp73b3uya5cpli6pp5jpswndiu44id.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://piesa6sapybbrz63pqmmwdzyc5fp73b3uya5cpli6pp5jpswndiu44id.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Renames multiple (68) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

resource	yara_rule
behavioral2/memory/776-11-0x00000000006C0000-0x00000000006E2000-memory.dmp	dave

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe

Executes dropped EXE 3 IoCs

pid	Process
1612	ijVeYikYLrep.exe
1068	ihHoJUkhWlan.exe
876	kyHfptRhQlan.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
6108	icacls.exe
6100	icacls.exe
6092	icacls.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\RyukReadMe.html	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\RyukReadMe.html	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
776	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
776	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
776	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
776	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
776	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
776	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
1612	ijVeYikYLrep.exe
1612	ijVeYikYLrep.exe
1068	ihHoJUkhWlan.exe
1068	ihHoJUkhWlan.exe
876	kyHfptRhQlan.exe
876	kyHfptRhQlan.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 1612	776	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	93
PID 776 wrote to memory of 1612	776	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	93
PID 776 wrote to memory of 1612	776	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	93
PID 776 wrote to memory of 1068	776	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	96
PID 776 wrote to memory of 1068	776	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	96
PID 776 wrote to memory of 1068	776	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	96
PID 776 wrote to memory of 876	776	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	98
PID 776 wrote to memory of 876	776	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	98
PID 776 wrote to memory of 876	776	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	98
PID 776 wrote to memory of 6092	776	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	99
PID 776 wrote to memory of 6092	776	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	99
PID 776 wrote to memory of 6092	776	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	99
PID 776 wrote to memory of 6100	776	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	100
PID 776 wrote to memory of 6100	776	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	100
PID 776 wrote to memory of 6100	776	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	100
PID 776 wrote to memory of 6108	776	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	101
PID 776 wrote to memory of 6108	776	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	101
PID 776 wrote to memory of 6108	776	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	101

C:\Users\Admin\AppData\Local\Temp\180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
"C:\Users\Admin\AppData\Local\Temp\180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:776
- C:\Users\Admin\AppData\Local\Temp\ijVeYikYLrep.exe
  "C:\Users\Admin\AppData\Local\Temp\ijVeYikYLrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1612
- C:\Users\Admin\AppData\Local\Temp\ihHoJUkhWlan.exe
  "C:\Users\Admin\AppData\Local\Temp\ihHoJUkhWlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1068
- C:\Users\Admin\AppData\Local\Temp\kyHfptRhQlan.exe
  "C:\Users\Admin\AppData\Local\Temp\kyHfptRhQlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:876
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6092
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6100
- C:\Windows\SysWOW64\icacls.exe
  icacls "F:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6108
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:6312
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:7068
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:6344
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:6472
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:216
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:6220
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:6556
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:6352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DumpStack.log.tmp.RYK

Filesize
8KB

MD5
4371936bbd11f1ebd2e7892053fb5c60

SHA1
f18ddbadb64d6c56c79c34dbbf949e9ae7b7a5b0

SHA256
bfeffd2bb54f679475abcf2cd97bd8c1299f83f4f2f0ef122e056910d1aad17a

SHA512
2e79d5cf03a7b5d1265295fd41ae67c8768e9be98398ee97beb997a0ba6564d63d736afb4ef5be10f844eef17dce57248b62bb4981f2c7482a3e2014e5dbe893

Download Submit
C:\Users\Admin\AppData\Local\Temp\ijVeYikYLrep.exe

Filesize
635KB

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-566096764-1992588923-1249862864-1000\0f5007522459c86e95ffcc62f32308f1_2935d258-24ea-4115-bc36-d204b07adb8d

Filesize
1KB

MD5
a037dd1c01bed5d6eb9a628878c8c07f

SHA1
310e097aa76f582bdb6da0c0aefc50ad18a627af

SHA256
7357ba6264a0b3c23196f2d1f2419ec56c7547a1c0309aeadb66f6cacd98535a

SHA512
7c793d5031fce3635eb07bade7b5d8d57fc492894cb419fb6e7473860844e1ab170595d71e25d7ca912af48a7fd5fde893381405b83e88d4b04b1495eb3b3078

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-566096764-1992588923-1249862864-1000\0f5007522459c86e95ffcc62f32308f1_2935d258-24ea-4115-bc36-d204b07adb8d

Filesize
1KB

MD5
d43d37a9b5dbffcfbb61964adfd3ba97

SHA1
7e242c81260b6056def619869e3827acf4d38ac3

SHA256
b0c87e1ba7b6648c5e7fc123be6c61a2bff9f5d0ec9283101f8b2f9e62e699ec

SHA512
ecdca19741f18b0204e746952c6ff0688256b79bdebf9d707eed596f2b2ac2095c5035946ee6e943abf1ee5034961470ddebef8d371199ca5c3179e2d42601a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-566096764-1992588923-1249862864-1000\0f5007522459c86e95ffcc62f32308f1_2935d258-24ea-4115-bc36-d204b07adb8d

Filesize
1KB

MD5
7e92bffb16ecbb7cb3e167d7a940a4eb

SHA1
15ac81904a1d1cd332e020c4e0db07b635396596

SHA256
34c766191493bbefdb1b92dd7c83baf20c43c7705b1353a2318f82699ff89186

SHA512
ddf33a679b2760e2b8d13e8adf56770eb272ebb5826bd6d164ee1fdddbddc0241a3191622884ee02ce0bf80880ec0c595f9a6beaeca66782241d88f8b56871c7

Download Submit
C:\odt\config.xml.RYK

Filesize
930B

MD5
d19090968bac05ee0adff0ab11365a7f

SHA1
9fa202b42a0dbe1c127078dcb0a96af8ee5f1da6

SHA256
09fdcdfba993a92914220d0fecaabad486f750c38040de99d9bd306e28bbc8ed

SHA512
f2e11e2b865d7a4237a3be12a46a8ef3a0e95970a422ce0656e564031db958fb595444e47ea584f74298082adbcc754f8f61961f0b0bf0f44a56e921be5f829c

Download Submit
C:\users\Public\RyukReadMe.html

Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
memory/776-3-0x0000000002380000-0x00000000023A4000-memory.dmp

Filesize
144KB

Download
memory/776-7-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/776-11-0x00000000006C0000-0x00000000006E2000-memory.dmp

Filesize
136KB

Download
memory/1068-52-0x0000000002280000-0x00000000022A4000-memory.dmp

Filesize
144KB

Download
memory/1612-77-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-85-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-68-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-70-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-71-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-72-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-73-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-74-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-76-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-78-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-79-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-64-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-80-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-81-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-82-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-83-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-84-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-66-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-87-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-88-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-89-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-90-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-91-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-92-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-93-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-94-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-95-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-96-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-97-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-98-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-99-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-63-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-61-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-62-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1612-28-0x0000000002240000-0x0000000002264000-memory.dmp

Filesize
144KB

Download