ryuk | d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2023 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
Size

131KB
MD5

2cc630e080bb8de5faf9f5ae87f43f8b
SHA1

5a385b8b4b88b6eb93b771b7fbbe190789ef396a
SHA256

d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9
SHA512

901939718692e20a969887e64db581d6fed62c99026709c672edb75ebfa35ce02fa68308d70d463afbcc42a46e52ea9f7bc5ed93e5dbf3772d221064d88e11d7
SSDEEP

3072:j06qm9E8obCg2QdgYdrp23suV+eGg21Yg:j06qHnOg3df9eAJ

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = '8x0nKKx5'; $torlink = 'http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Renames multiple (916) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4576	icacls.exe
3980	icacls.exe
5092	icacls.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\K:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\U:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\R:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\Q:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\O:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\J:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\X:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\V:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\T:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\E:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\Z:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\Y:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\W:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\P:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\N:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\M:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\L:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\I:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\H:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\G:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ppd.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ppd.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ppd.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\images\RyukReadMe.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11cryptotoken.md	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\RyukReadMe.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\classes.jsa	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-phn.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ppd.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ul-oob.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-pl.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-pl.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\RyukReadMe.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\wab32res.dll.mui	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\javafx\libffi.md	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\fonts\RyukReadMe.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\content-types.properties	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\java.policy	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\RyukReadMe.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\RyukReadMe.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\RyukReadMe.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\ct.sym	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\javafx\RyukReadMe.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-pl.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\RyukReadMe.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\RyukReadMe.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipRes.dll.mui	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\RyukReadMe.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-pl.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul-oob.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ul-oob.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ppd.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\RyukReadMe.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_HK.properties	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\PYCC.pf	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\management\RyukReadMe.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ppd.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ul-oob.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\ieinstal.exe.mui	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\javaws.jar	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-pl.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\mshwLatin.dll.mui	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\RyukReadMe.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 4576	456	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	108
PID 456 wrote to memory of 4576	456	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	108
PID 456 wrote to memory of 4576	456	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	108
PID 456 wrote to memory of 3980	456	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	109
PID 456 wrote to memory of 3980	456	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	109
PID 456 wrote to memory of 3980	456	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	109
PID 456 wrote to memory of 5092	456	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	110
PID 456 wrote to memory of 5092	456	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	110
PID 456 wrote to memory of 5092	456	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	110

C:\Users\Admin\AppData\Local\Temp\d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
"C:\Users\Admin\AppData\Local\Temp\d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:456
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4576
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3980
- C:\Windows\SysWOW64\icacls.exe
  icacls "F:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit
C:\$Recycle.Bin\S-1-5-21-3125601242-331447593-1512828465-1000\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit
C:\DumpStack.log.tmp.RYK

Filesize
8KB

MD5
1b8e30f505161630a6fef5a0f8a886f9

SHA1
5f555faf5317dc89ab181039ae6147dbacfe8399

SHA256
4fe8685d0cb08df6d81792171b5a8b592587b61ebc8310a40e179d2592e4e43c

SHA512
68daded01c7ae15d4d5bf608d33374a1cb6d16e7a315f03d1ea8e95f3510396d8028a28d2240c4ffda6ebb64235fb4dd17b355231ae3e58ce02be387ebee1629

Download Submit
C:\PerfLogs\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit
C:\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit
C:\Users\Public\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit
C:\Users\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit
C:\odt\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit
C:\odt\config.xml.RYK

Filesize
930B

MD5
8beb3fa4b36edcd068fc13bfcdc2f196

SHA1
f7f8845060d8191b4ff81d92f209bd0a773791c0

SHA256
9006bc1632f374eaacc2dfe3abdd14f677a8b8ea2ea8623e2b1630820f994cf2

SHA512
2c67a0d13bf3110ed1a6931b570dba4eba7805a68bf7767611cfd4a23705af65e743436dd7740897491e771b4509dd1570d74fc2f1e72a4fbf7013088479119b

Download Submit
F:\$RECYCLE.BIN\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3125601242-331447593-1512828465-1000\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3125601242-331447593-1512828465-1000\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit
F:\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit