ryuk | 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

Analysis

max time kernel
542s
max time network
597s
platform
windows10_x64
resource
win10-en-20211014
submitted
20-10-2021 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
Size

139KB
MD5

8555b213260ba5eda4bf37652cecb431
SHA1

80bd92b996fce311b52aa791a8ace4b20f8fb7ab
SHA256

781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a
SHA512

0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'TLS7ST8vlU'; $torlink = 'http://htv4omqldafxwhum7ya3m37o3zcbo2d7kidcpgvp6lky62gi6czx6iqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://htv4omqldafxwhum7ya3m37o3zcbo2d7kidcpgvp6lky62gi6czx6iqd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

beqHZOlOnrep.exehfLFTsssnlan.exeizMsYIWmVlan.exe

pid process

708 beqHZOlOnrep.exe
876 hfLFTsssnlan.exe
896 izMsYIWmVlan.exe

pid	process
708	beqHZOlOnrep.exe
876	hfLFTsssnlan.exe
896	izMsYIWmVlan.exe

Modifies extensions of user files 16 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\DisconnectUnregister.png => C:\Users\Admin\Pictures\DisconnectUnregister.png.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\ImportUse.raw.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\MoveRegister.tiff.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\SwitchFormat.png.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\MoveRegister.tiff	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\NewRevoke.tif => C:\Users\Admin\Pictures\NewRevoke.tif.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\SwitchFormat.png => C:\Users\Admin\Pictures\SwitchFormat.png.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\DisconnectUnregister.png.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\ReceiveSkip.tiff => C:\Users\Admin\Pictures\ReceiveSkip.tiff.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\ReceiveSkip.tiff.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\ImportUse.raw => C:\Users\Admin\Pictures\ImportUse.raw.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\ReceiveSkip.tiff	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\NewRevoke.tif.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\WatchNew.png.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\MoveRegister.tiff => C:\Users\Admin\Pictures\MoveRegister.tiff.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\WatchNew.png => C:\Users\Admin\Pictures\WatchNew.png.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

Drops startup file 1 IoCs

Processes:

781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

3184 icacls.exe
3220 icacls.exe

pid	process
3184	icacls.exe
3220	icacls.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

Drops file in Program Files directory 64 IoCs

Processes:

781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\A12_Checkmark_White@1x.png.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\WINGDNG2.TTF.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\STSLIST.CHM	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.util_1.0.500.v20130404-1337.jar.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-pl.xrm-ms.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\DATATRANSFORMERWRAPPER.DLL.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-si\ui-strings.js.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryDashboard.xltx	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adc_logo.png	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-tw\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WWLIB.DLL.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\digsig_icons.png.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_zh_CN.jar	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\vlc.mo	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql2000.xsl.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\inline-error-2x.png	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\dt.jar.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-selector.js	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.nl_zh_4.4.0.v20140623020002.jar.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon.png.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-nodes_zh_CN.jar	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALNI.TTF	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pl-pl\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui_5.5.0.165303.jar.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\large_trefoil.png.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\es-es\ui-strings.js	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\GFX.DLL.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_gridview_selected.svg	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\cs-cz\ui-strings.js.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook.png	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui_5.5.0.165303.jar.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-pl.xrm-ms.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\find-text.png.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\mecontrol.png	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OWSSUPP.DLL	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\example_icons2x.png	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-phn.xrm-ms	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-100.png	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-actions_zh_CN.jar.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ppd.xrm-ms.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon_hover.png.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\QUAD.INF	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-left.png	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\nub.png	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.zh_CN_5.5.0.165303.jar	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ul-phn.xrm-ms	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\de-de\ui-strings.js	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ppd.xrm-ms.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ppd.xrm-ms.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN105.XML.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL108.XML.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbynet.jar	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-cn\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

Drops file in Windows directory 2 IoCs

Processes:

taskmgr.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	taskmgr.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

SCHTASKS.exe

pid process

4892 SCHTASKS.exe
Runs net.exe

pid	process
4892	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exe

pid	process
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

3332 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskmgr.exe

description	pid	process
Token: SeDebugPrivilege	3332	taskmgr.exe
Token: SeSystemProfilePrivilege	3332	taskmgr.exe
Token: SeCreateGlobalPrivilege	3332	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe
3332	taskmgr.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1836 wrote to memory of 708	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	beqHZOlOnrep.exe
PID 1836 wrote to memory of 708	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	beqHZOlOnrep.exe
PID 1836 wrote to memory of 708	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	beqHZOlOnrep.exe
PID 1836 wrote to memory of 876	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	hfLFTsssnlan.exe
PID 1836 wrote to memory of 876	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	hfLFTsssnlan.exe
PID 1836 wrote to memory of 876	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	hfLFTsssnlan.exe
PID 1836 wrote to memory of 896	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	izMsYIWmVlan.exe
PID 1836 wrote to memory of 896	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	izMsYIWmVlan.exe
PID 1836 wrote to memory of 896	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	izMsYIWmVlan.exe
PID 1836 wrote to memory of 3184	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	icacls.exe
PID 1836 wrote to memory of 3184	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	icacls.exe
PID 1836 wrote to memory of 3184	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	icacls.exe
PID 1836 wrote to memory of 3220	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	icacls.exe
PID 1836 wrote to memory of 3220	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	icacls.exe
PID 1836 wrote to memory of 3220	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	icacls.exe
PID 1836 wrote to memory of 2156	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1836 wrote to memory of 2156	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1836 wrote to memory of 2156	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1836 wrote to memory of 3560	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1836 wrote to memory of 3560	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1836 wrote to memory of 3560	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1836 wrote to memory of 3540	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1836 wrote to memory of 3540	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1836 wrote to memory of 3540	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1836 wrote to memory of 3748	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1836 wrote to memory of 3748	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1836 wrote to memory of 3748	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 2156 wrote to memory of 1740	2156	net.exe	net1.exe
PID 2156 wrote to memory of 1740	2156	net.exe	net1.exe
PID 2156 wrote to memory of 1740	2156	net.exe	net1.exe
PID 3540 wrote to memory of 1324	3540	net.exe	net1.exe
PID 3540 wrote to memory of 1324	3540	net.exe	net1.exe
PID 3540 wrote to memory of 1324	3540	net.exe	net1.exe
PID 3560 wrote to memory of 704	3560	net.exe	net1.exe
PID 3560 wrote to memory of 704	3560	net.exe	net1.exe
PID 3560 wrote to memory of 704	3560	net.exe	net1.exe
PID 3748 wrote to memory of 3012	3748	net.exe	net1.exe
PID 3748 wrote to memory of 3012	3748	net.exe	net1.exe
PID 3748 wrote to memory of 3012	3748	net.exe	net1.exe
PID 1836 wrote to memory of 4892	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	SCHTASKS.exe
PID 1836 wrote to memory of 4892	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	SCHTASKS.exe
PID 1836 wrote to memory of 4892	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	SCHTASKS.exe
PID 1836 wrote to memory of 233292	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1836 wrote to memory of 233292	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1836 wrote to memory of 233292	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 233292 wrote to memory of 233348	233292	net.exe	net1.exe
PID 233292 wrote to memory of 233348	233292	net.exe	net1.exe
PID 233292 wrote to memory of 233348	233292	net.exe	net1.exe
PID 1836 wrote to memory of 235488	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1836 wrote to memory of 235488	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1836 wrote to memory of 235488	1836	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 235488 wrote to memory of 235396	235488	net.exe	net1.exe
PID 235488 wrote to memory of 235396	235488	net.exe	net1.exe
PID 235488 wrote to memory of 235396	235488	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1836

C:\Users\Admin\AppData\Local\Temp\beqHZOlOnrep.exe
"C:\Users\Admin\AppData\Local\Temp\beqHZOlOnrep.exe" 9 REP
2⤵
- Executes dropped EXE
PID:708

C:\Users\Admin\AppData\Local\Temp\hfLFTsssnlan.exe
"C:\Users\Admin\AppData\Local\Temp\hfLFTsssnlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:876

C:\Users\Admin\AppData\Local\Temp\izMsYIWmVlan.exe
"C:\Users\Admin\AppData\Local\Temp\izMsYIWmVlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:896

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:3184

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:3220

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1740

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:704

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1324

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3012

C:\Windows\SysWOW64\SCHTASKS.exe
SCHTASKS /CREATE /NP /SC DAILY /TN "PrintCf" /TR "C:\Windows\System32\cmd.exe /c for /l %x in (1,1,50) do start wordpad.exe /p C:\users\Public\fUZIi.dll" /ST 10:25 /SD 10/21/2021 /ED 10/28/2021
2⤵
- Creates scheduled task(s)
PID:4892

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:233292

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:233348

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:235488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:235396

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\$Recycle.Bin\S-1-5-21-941723256-3451054534-3089625102-1000\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\BOOTSECT.BAK.RYK
MD5
8afddece04ba64e74898f778019c146b

SHA1
ac3b78b69f718fb063ae332439970053aa7731ed

SHA256
16f0564ffeda762eafb5d3fc4e7c9967db0723c55d301305612ece1f466e2fe1

SHA512
e10e0b004a57139b0ab3b75c20acdee00bcb6a47d5e2c127a0b725708c7c6d490e674181e490080a36f69dfb5da28666a78a82e2d91bc91a5cb1096ba5c3aa15

Download Submit
C:\Boot\BOOTSTAT.DAT.RYK
MD5
21714ddbdc3243a3aa88840040dfe012

SHA1
41eb91ebce8812663f119e901099d5e55442eb13

SHA256
927eaf228790044fb59e1378b920e66ccc882f91d7d269fb2ea12bb354b1be03

SHA512
01d248b4109cd6bf238279a36b941e7a353c417d8b838ec9dc13bda3084fa42d735eebced4e2f0135f3004c5209dc8d8815606a77e12946141141240998573aa

Download Submit
C:\Boot\Fonts\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\Resources\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\Resources\en-US\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\bg-BG\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\cs-CZ\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\da-DK\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\de-DE\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\el-GR\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\en-GB\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\en-US\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\es-ES\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\es-MX\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\et-EE\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\fi-FI\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\fr-CA\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\fr-FR\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\hr-HR\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\hu-HU\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\it-IT\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\ja-JP\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\ko-KR\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\lt-LT\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\lv-LV\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\nb-NO\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\nl-NL\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\pl-PL\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\pt-BR\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\pt-PT\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\qps-ploc\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\ro-RO\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\ru-RU\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\sk-SK\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\sl-SI\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\sr-Latn-RS\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\sv-SE\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\tr-TR\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\uk-UA\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\zh-CN\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\zh-TW\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\PerfLogs\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK
MD5
5e36440590032b92cc1475ca1edce5ec

SHA1
820653478078b0ee72b37f547e1607942639ba81

SHA256
e68a2c041347636fb20bdeb16632a8a29bd52d0cc4c84e2bf94f728021794a05

SHA512
b0fae61d7943fec466f5f8eb17cdd87f69c869d137cfaeafba7490d4821cc0afc4901f951a9c78f586e8ee85d7004c5a26f303c740462c77d2bd9a940cf0bc67

Download Submit
C:\Users\Admin\.oracle_jre_usage\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst.RYK
MD5
6f482f7e6c0264f68b1d6c71a1f7506c

SHA1
9450c0698e6a06263e1fb089312e8d878f0cb732

SHA256
7cb5867190694fffbe4c0f12aac7fc63a90ec22d7487956321839701424d498c

SHA512
9fc1b0360d31b6ebbef40cfd7c397e74cac158700ff63e4c8ea8b378fe0853b3539a08fc38ee4a0e3049689b20c7a66c4287a08c4941dd282771178907978ea2

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst.RYK
MD5
1aa87ea7d71d9d360bb928b8c24dc59b

SHA1
ef739071f9ee9b96562ddf161dfae42a103f2f56

SHA256
45138178636408fbc68ead27cf59bb474c631144f9fbd33478a97822bbf9fb7d

SHA512
04cafb67a323519997219c0916a0fe0366ca54bc99433579442b8bd23ed28d8f99c553398fac7437e0f9adf2eee750d5ab0273869b1c782b3b557b4681c8255e

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt19.lst.RYK
MD5
7580d3e3d80dd947cce69708dd7945c4

SHA1
e41f09dcbaa00368da9627c670ba8d2a5a2a2a9a

SHA256
0494ac90c5fd379a1476ff7d3a69203023bbf390d2c465d1243e6eaf856ce092

SHA512
84d97718704e3c444906424c5e70ff3d5dda2467bbdceb923cfc5c34425319a7fef985d19d3d58cfdf3d8657181c02ea4ce1fbd2fa6ca888f6d4c95755c7d7de

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat.RYK
MD5
dab670abcb38afabde2460d30f11154c

SHA1
6346ce5de664a3bb06ac7093f1ed51630ccbd050

SHA256
a6a6879460d097941308925c0d0d1fc393bb63ea649ba91a8673adbaf60325ee

SHA512
8b46c511b2da5ac5ac5b955ca342337055fd6c4c8027c0af47c1070b07d8943fcae55898e6c8cc4c537959aa397a7d69a1ba703b67df7fba58a54f735ff24023

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\beqHZOlOnrep.exe
MD5
8555b213260ba5eda4bf37652cecb431

SHA1
80bd92b996fce311b52aa791a8ace4b20f8fb7ab

SHA256
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

SHA512
0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Download Submit
C:\Users\Admin\AppData\Local\Temp\beqHZOlOnrep.exe
MD5
8555b213260ba5eda4bf37652cecb431

SHA1
80bd92b996fce311b52aa791a8ace4b20f8fb7ab

SHA256
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

SHA512
0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfLFTsssnlan.exe
MD5
8555b213260ba5eda4bf37652cecb431

SHA1
80bd92b996fce311b52aa791a8ace4b20f8fb7ab

SHA256
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

SHA512
0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfLFTsssnlan.exe
MD5
8555b213260ba5eda4bf37652cecb431

SHA1
80bd92b996fce311b52aa791a8ace4b20f8fb7ab

SHA256
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

SHA512
0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Download Submit
C:\Users\Admin\AppData\Local\Temp\izMsYIWmVlan.exe
MD5
8555b213260ba5eda4bf37652cecb431

SHA1
80bd92b996fce311b52aa791a8ace4b20f8fb7ab

SHA256
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

SHA512
0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Download Submit
C:\Users\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\odt\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\odt\config.xml.RYK
MD5
69047c6d8e0b8358774e8f4d9e1597af

SHA1
31ae512ba5392ae03da1447afed192d41b10470d

SHA256
60a5d53bf14995ad50d4192cf2891992a2b0af141a44594a3fa42047ba2666ed

SHA512
5aeb47db54b6b22eff4be4c0de917f3e76700e7bd03ac4a3e1e7322a40ba46e8a1296492059e7e5f2176c0f5d0246cba5653e153aa883622dc1788689a3ab755

Download Submit
C:\users\Public\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
\??\c:\users\admin\appdata\local\temp\izmsyiwmvlan.exe
MD5
8555b213260ba5eda4bf37652cecb431

SHA1
80bd92b996fce311b52aa791a8ace4b20f8fb7ab

SHA256
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

SHA512
0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Download Submit
memory/704-141-0x0000000000000000-mapping.dmp

Download
memory/708-115-0x0000000000000000-mapping.dmp

Download
memory/876-118-0x0000000000000000-mapping.dmp

Download
memory/896-121-0x0000000000000000-mapping.dmp

Download
memory/1324-140-0x0000000000000000-mapping.dmp

Download
memory/1740-139-0x0000000000000000-mapping.dmp

Download
memory/2156-135-0x0000000000000000-mapping.dmp

Download
memory/3012-142-0x0000000000000000-mapping.dmp

Download
memory/3184-124-0x0000000000000000-mapping.dmp

Download
memory/3220-125-0x0000000000000000-mapping.dmp

Download
memory/3540-137-0x0000000000000000-mapping.dmp

Download
memory/3560-136-0x0000000000000000-mapping.dmp

Download
memory/3748-138-0x0000000000000000-mapping.dmp

Download
memory/4892-161-0x0000000000000000-mapping.dmp

Download
memory/233292-193-0x0000000000000000-mapping.dmp

Download
memory/233348-194-0x0000000000000000-mapping.dmp

Download
memory/235396-196-0x0000000000000000-mapping.dmp

Download
memory/235488-195-0x0000000000000000-mapping.dmp

Download