ryuk | 6dfef684475fcbf722f88337d630668b6fcb73864daa9a7e65f3642d3766fdfc

Analysis

max time kernel
150s
max time network
106s
platform
windows7_x64
resource
win7v20201028
submitted
29-03-2021 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
Size

121KB
MD5

7364f6222ac58896e8920f32e4d30aac
SHA1

915fd6fb4e20909025f876f3bb453ec52e21b7be
SHA256

23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f
SHA512

f5e2b5a17ed04c7edb904e867cec2f66a59b887176bd3e25803e82a390fc36fc47002df747099ca4e6960f020afe1137f4ba24b28613423b5de0b09ff7048026

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'RCCF8gd'; $torlink = 'http://rdmnobnbtxh5sm3iiczazaregkpyyub3gktwneeehx62tyot5bc4qhad.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://rdmnobnbtxh5sm3iiczazaregkpyyub3gktwneeehx62tyot5bc4qhad.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

GmrJSbwEyrep.exerCOwRUKMflan.exeuvNCLEXMelan.exe

pid process

896 GmrJSbwEyrep.exe
1592 rCOwRUKMflan.exe
752 uvNCLEXMelan.exe

pid	process
896	GmrJSbwEyrep.exe
1592	rCOwRUKMflan.exe
752	uvNCLEXMelan.exe

Loads dropped DLL 6 IoCs

Processes:

23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe

pid	process
1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

2640 icacls.exe
2628 icacls.exe

pid	process
2640	icacls.exe
2628	icacls.exe

Drops file in Program Files directory 64 IoCs

Processes:

23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04196_.WMF	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\MANIFEST.MF	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher_1.3.0.v20140911-0143.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Macau	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\winamp2.xml	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Thawte Root Certificate.cer	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfxrt.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_zh_CN.properties	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MUOPTIN.DLL	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\vlc.mo	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\PREVIEW.GIF	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\REFINED.ELM	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.zh_CN_5.5.0.165303.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado27.tlb	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576black.png	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages.properties	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Volgograd	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Algiers	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NextMenuButtonIcon.png	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_ja_4.4.0.v20140623020002.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Samarkand	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_ja_4.4.0.v20140623020002.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Cordoba	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\adovbs.inc	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00163_.GIF	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Nairobi	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Halifax	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.metadataprovider.exsd	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_ja.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\dnsns.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-options.xml	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\vlc.mo	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSSOAP30.DLL	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tongatapu	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00527_.WMF	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH02298_.WMF	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Peacock.htm	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_selectionsubpicture.png	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\startNetworkServer.bat	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jmx.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cambridge_Bay	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-next-static.png	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-background.png	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-over-select.png	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-plaf.xml	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\psfontj2d.properties	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-highlight.png	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX9.x3d	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe

pid	process
1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1108 wrote to memory of 896	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	GmrJSbwEyrep.exe
PID 1108 wrote to memory of 896	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	GmrJSbwEyrep.exe
PID 1108 wrote to memory of 896	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	GmrJSbwEyrep.exe
PID 1108 wrote to memory of 896	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	GmrJSbwEyrep.exe
PID 1108 wrote to memory of 1592	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	rCOwRUKMflan.exe
PID 1108 wrote to memory of 1592	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	rCOwRUKMflan.exe
PID 1108 wrote to memory of 1592	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	rCOwRUKMflan.exe
PID 1108 wrote to memory of 1592	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	rCOwRUKMflan.exe
PID 1108 wrote to memory of 752	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	uvNCLEXMelan.exe
PID 1108 wrote to memory of 752	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	uvNCLEXMelan.exe
PID 1108 wrote to memory of 752	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	uvNCLEXMelan.exe
PID 1108 wrote to memory of 752	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	uvNCLEXMelan.exe
PID 1108 wrote to memory of 2628	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	icacls.exe
PID 1108 wrote to memory of 2628	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	icacls.exe
PID 1108 wrote to memory of 2628	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	icacls.exe
PID 1108 wrote to memory of 2628	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	icacls.exe
PID 1108 wrote to memory of 2640	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	icacls.exe
PID 1108 wrote to memory of 2640	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	icacls.exe
PID 1108 wrote to memory of 2640	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	icacls.exe
PID 1108 wrote to memory of 2640	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	icacls.exe
PID 1108 wrote to memory of 3144	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	net.exe
PID 1108 wrote to memory of 3144	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	net.exe
PID 1108 wrote to memory of 3144	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	net.exe
PID 1108 wrote to memory of 3144	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	net.exe
PID 3144 wrote to memory of 2872	3144	net.exe	net1.exe
PID 3144 wrote to memory of 2872	3144	net.exe	net1.exe
PID 3144 wrote to memory of 2872	3144	net.exe	net1.exe
PID 3144 wrote to memory of 2872	3144	net.exe	net1.exe
PID 1108 wrote to memory of 2816	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	net.exe
PID 1108 wrote to memory of 2816	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	net.exe
PID 1108 wrote to memory of 2816	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	net.exe
PID 1108 wrote to memory of 2816	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	net.exe
PID 2816 wrote to memory of 3452	2816	net.exe	net1.exe
PID 2816 wrote to memory of 3452	2816	net.exe	net1.exe
PID 2816 wrote to memory of 3452	2816	net.exe	net1.exe
PID 2816 wrote to memory of 3452	2816	net.exe	net1.exe
PID 1108 wrote to memory of 3956	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	net.exe
PID 1108 wrote to memory of 3956	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	net.exe
PID 1108 wrote to memory of 3956	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	net.exe
PID 1108 wrote to memory of 3956	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	net.exe
PID 3956 wrote to memory of 3896	3956	net.exe	net1.exe
PID 3956 wrote to memory of 3896	3956	net.exe	net1.exe
PID 3956 wrote to memory of 3896	3956	net.exe	net1.exe
PID 3956 wrote to memory of 3896	3956	net.exe	net1.exe
PID 1108 wrote to memory of 3972	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	net.exe
PID 1108 wrote to memory of 3972	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	net.exe
PID 1108 wrote to memory of 3972	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	net.exe
PID 1108 wrote to memory of 3972	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	net.exe
PID 3972 wrote to memory of 3704	3972	net.exe	net1.exe
PID 3972 wrote to memory of 3704	3972	net.exe	net1.exe
PID 3972 wrote to memory of 3704	3972	net.exe	net1.exe
PID 3972 wrote to memory of 3704	3972	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
"C:\Users\Admin\AppData\Local\Temp\23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\AppData\Local\Temp\GmrJSbwEyrep.exe
"C:\Users\Admin\AppData\Local\Temp\GmrJSbwEyrep.exe" 9 REP
2⤵
- Executes dropped EXE
PID:896

C:\Users\Admin\AppData\Local\Temp\rCOwRUKMflan.exe
"C:\Users\Admin\AppData\Local\Temp\rCOwRUKMflan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:1592

C:\Users\Admin\AppData\Local\Temp\uvNCLEXMelan.exe
"C:\Users\Admin\AppData\Local\Temp\uvNCLEXMelan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:752

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2628

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2640

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2872

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3452

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3896

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

MD5
3102c42bec3ed017eb9f7cef4b90fa24

SHA1
dd1ce3e68bdd64891994277ac7cb5f3360c9b6c4

SHA256
2096e6a29e5535ef5be591e3c32f90e1c8ae8f8b0f9f549a24ad0a9d8b708019

SHA512
64f728fd740c0eae33a3c850d8fdca53c7a9239b2d817cc7f0024d1b1267b77295f7cb4fd9554679ec247ba3a242fc1e0f565ceaf5719e420a8782bad8b0a63c

Download Submit
C:\MSOCache\All Users\RyukReadMe.html

MD5
3102c42bec3ed017eb9f7cef4b90fa24

SHA1
dd1ce3e68bdd64891994277ac7cb5f3360c9b6c4

SHA256
2096e6a29e5535ef5be591e3c32f90e1c8ae8f8b0f9f549a24ad0a9d8b708019

SHA512
64f728fd740c0eae33a3c850d8fdca53c7a9239b2d817cc7f0024d1b1267b77295f7cb4fd9554679ec247ba3a242fc1e0f565ceaf5719e420a8782bad8b0a63c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.RYK

MD5
a14d89102967fe59ae71047c89f64c95

SHA1
7d1b09c6e7be4c4c80c72aa800c8ee983382012f

SHA256
a116604df32785e2540eb49366899dd302a6f95af857202b3dbb1b34fa128d27

SHA512
a7692fe68f25bfb140afe3cb3985c8f1a967197424e9594d1c36873e7e452a6baab8b49efda6baa763db095f000a9b71f647b105f4a88d8692bf7a39cd4dbc66

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

MD5
afbdc95d179057b9cb124fc0daa4c405

SHA1
66414e98ff82760a4a66b972a6b2180d7b7f9618

SHA256
22acc69fb7108625d7df1109022d415c72d68b16f934770ed8c964218d86f0a2

SHA512
679cb79b5d0f1d91a8d89471438769caa5ef62793b1c315d2b88d0bc3b09df5da7937aa9c7fa6e31aa39074e67e8e460603bb28aaa743a13df647ff2c06d01c1

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi

MD5
556fed2f8ce9029e32c3124121c066c5

SHA1
540df42b1de6f0f3bb378628804194632e68a1bb

SHA256
2ae0372aad73c43597383e3391ff5c08d9d9aa1d89e389787cf7a2e712bc74c5

SHA512
a159b6e0ac9ade5abc9b84dac5dbcd79782b417d9bfaab5b9b28a67bed22ce6f9451b7b9471e61b59efd711812d397ad5de13c17dc5da3da8aadddaad7894cfd

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

MD5
4d58998cb376e910d01536591116ca99

SHA1
9c579caaa401614ecfe8de3463250a2a50f46116

SHA256
f52968bd9c0096040549df7b62d340a03e4122cf4d4ffd1614f28e656e6c107f

SHA512
f54731ed777ac16f2d28915bcc97c84c4b7ae9ec0db508f61c557ff951c3bc3a5a06e7dc53f48dd26f8cabdd446ca84b6a42a0919c0c6cf43691b577a179c1d5

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab

MD5
b2ec4199f81fa32ac04b7b69220ef9e5

SHA1
34778b01f82a2e328e3168fbdf3ad87323f2ac4e

SHA256
cdbaad3ab978589a3e82aa24977b8cb57bcde55ec005c13bbba4aba9f7a14f65

SHA512
ccfb0fcf6eab06c96972a727e3795a8e02bb774c4e25fb59dbe49a50f4ca8e077220500f1a732c8644bf247c2e4545f3efc1d7007c1af2082fd997fd0b711193

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab.RYK

MD5
c130c12236fdde278a356a35e003d542

SHA1
d15acf955fb2a7cc0f784cb58e4e02ad3e83d5aa

SHA256
a4f39b7ccebd214f66e7024cfb24202503d6d656a14729490eceda11122aebf0

SHA512
2983bf66dbef7352dff74e15da6f65f6da7e16e1edef20f8a934fa24acd30475ae8eaf487050c1db8db1a4eaee158aae32236a7497bf1c5a0009213d85091acd

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
3102c42bec3ed017eb9f7cef4b90fa24

SHA1
dd1ce3e68bdd64891994277ac7cb5f3360c9b6c4

SHA256
2096e6a29e5535ef5be591e3c32f90e1c8ae8f8b0f9f549a24ad0a9d8b708019

SHA512
64f728fd740c0eae33a3c850d8fdca53c7a9239b2d817cc7f0024d1b1267b77295f7cb4fd9554679ec247ba3a242fc1e0f565ceaf5719e420a8782bad8b0a63c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
90ee87001f7fc4a91e562ccc64846ee6

SHA1
01030e4bc8bf82209a30b77a46343f31753d9d1b

SHA256
0dd2c2ba468f22df9a2ae6dcbbbe1cc48041ed0a4e673193888782653c4eb19e

SHA512
23732a17ba521ed7e95e4ff15b3ae09f7a6a9f52e9df9d6bec2c94e9688ce046d4213e90b0c439ed90af78a2115a1cb89df0e7f2e74d19aa78721937aabdf8d0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

MD5
abef70d755888a1c3547cb4c23982375

SHA1
15cea64da8b68f118ab2c5722f2ded500255b50a

SHA256
2d3227a443db09860a27f3639e16149783e452f74b52fbcf281f42a1beedf16a

SHA512
673893f480f11b77310cc18de0bfd9d1ea8b204eddfa9753145f52dc086c04c8ec9e0b29929b25bdca1164928a681a551be9bd91b8b5efaf4ac43d3c41894dc0

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

MD5
5683a8fd45237a52c2886bf1c7976633

SHA1
ac9cbdd46a07411ed9afa595322ac1b6dfbce406

SHA256
5dd2c7441a635805db6bc1cd53c3f0e25c36ee89d378c427f4b894be30f7eda7

SHA512
6ee07f191bc4efb4bd8782ac3bf5c6173031b381a937dd83d484d21e61532fbbf23ad35e34b00c5d561378b8b0103b05fa4bfbf25feac559cddfe039a720cad1

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

MD5
0396cce0f94bc50afedd796f8860ea75

SHA1
264e0c842dde1e08bdafead15129dda19b415f68

SHA256
d0dbc54227f077787389df520bc37dd76be658d775b3cb1e1e581dec16fdc7f8

SHA512
809ff3b7d2d13bf918810513f7fa2f8b9f8eecf6f57ba6372384cbc1be1dbc6edbdf09c502780b08273671fd28fdda6e0af4b57494ec4f73048ec102247aefa4

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

MD5
f01ba801a227085b0d04242b334c37ed

SHA1
cb7d67c92c7c6ecf37fd888544a918a0ca63ade4

SHA256
cd66087e159e123c7e869b9e8882d664ff466d517ef162ad0b11aea68b46cb08

SHA512
6f1e788c0ebd41ee6f1de35d530c6e5d00241d368a8b35b298287a4c4353e13e54d7a1547873aefe6bb7f4b9972c9ab944665022f5f202df33831347b4db1ed4

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
3102c42bec3ed017eb9f7cef4b90fa24

SHA1
dd1ce3e68bdd64891994277ac7cb5f3360c9b6c4

SHA256
2096e6a29e5535ef5be591e3c32f90e1c8ae8f8b0f9f549a24ad0a9d8b708019

SHA512
64f728fd740c0eae33a3c850d8fdca53c7a9239b2d817cc7f0024d1b1267b77295f7cb4fd9554679ec247ba3a242fc1e0f565ceaf5719e420a8782bad8b0a63c

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
b5d6925d25e047b05869cda5740147ec

SHA1
884219f60579a4f1e7b274a0fa1d7c3b8bed7118

SHA256
93934dccb0986017eed57a55f69353f439336b080280f9dd13fcebff47cb1381

SHA512
91043821b5bc37defecf661a7f61c4a6b77e44850094f1d1bb74b9d3e1dda88a2b0572d5f937e2c32423ec321c8a1d81e6f9614a16799b58f4d7343fdba8638b

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

MD5
5e452d59ece44788c5988d471c941d53

SHA1
d91d1f74148ff310c5d9a704d55d32f7e31acee7

SHA256
15393c98038a9d9e4a6ce01e5d2cd52f20a1312dabe8ba1b9642e8265ea05b31

SHA512
b825a5490e0747f6f7b614cde66bbe482995741334237c34cd299543a9fff18fcb6ad8e0bf34619033ec98342b3f8af9d60ef4b44abbcba6935316d213b3833d

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

MD5
36a12d21e069b2f71f42d776789e959d

SHA1
ae806ad963be777466d8e410d424be57c3c0e0b1

SHA256
35cb33806377b19d1e4083e52182369a745e42768ea3399a3fabcd032ebda5bd

SHA512
2bda668f23b0d9f6544b010915ea49ac7301c31f4aaad7b8910e1c98ca17f2c00b57f40830d81ba5ce91981d2b4500b7e1da1a7b5efdbf28a2aef269dcf6c856

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.RYK

MD5
7bcd678a8cd77a260989f50c59f6c10a

SHA1
3c0383c4021b0d1f0f0731049b634cc31dad2822

SHA256
50eed63021b128c38b9b61f27f2dcde8f56d0981b468b9d748aa49f777510323

SHA512
7c85554cfaeb47f79a3923d518ec955acc77633e749f38c56248b57ec14a674da0cbde897980f04cbe776305ee7bed0d4d465feef00c9e33dce3d6f17533c9db

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
3102c42bec3ed017eb9f7cef4b90fa24

SHA1
dd1ce3e68bdd64891994277ac7cb5f3360c9b6c4

SHA256
2096e6a29e5535ef5be591e3c32f90e1c8ae8f8b0f9f549a24ad0a9d8b708019

SHA512
64f728fd740c0eae33a3c850d8fdca53c7a9239b2d817cc7f0024d1b1267b77295f7cb4fd9554679ec247ba3a242fc1e0f565ceaf5719e420a8782bad8b0a63c

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
610a6f86994fd4bb32d7b902921de142

SHA1
30cde874ba4a974ca85d6121a44077a9f0184ab7

SHA256
bae77415555d35f1e73df772a02793a16691aaa27a787cd74ef94ee1781159fb

SHA512
b08f97c4be526ee6360783200259efc4dbc8503842318b8f2a98b302b5a4a32019e251320b906e7fadaa26ffbeb608e3c4194abeb3b0d09240d138b441950cdd

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

MD5
30a0423dec7a7de75aba2de623923bd7

SHA1
058f38f1c5c30f168def53aeb330f0f0395da693

SHA256
c4442c347ca248f42ff8b37138dd31293369a09073c74b12aba9a75559af949f

SHA512
7da5343e34c8e521ba883a96db13002fa02bf5ac550efb8b8b648327388725ea33ce5781a585e1b24e82df3f33c206e8c93ac3659ccc06eaa5acbc1a6da45d9f

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

MD5
d80a09936da434b175e608922b927720

SHA1
adc524ad11faccbe42c21d72a2275f8cf18e83aa

SHA256
8114512fa597e4309f861b331b3b2208122e4dffd34f62dac448b725774050ea

SHA512
856068f2b158e5b1a65944ef97cc50179d283c7bfe471b04cfdedbb0756fb6d35480318721d2fa2e1c1504e75e115a8c49f457187518233cb66d93e80e0c2398

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

MD5
6606b7983487e33afba10eb2b85c51e0

SHA1
9859ecc3d5fa5b353d3e016c79cb505d65267bb7

SHA256
fbb44fea8c77bbfd2e04ba936c47fd17086aeee8c8b78034944b851a74aaf1c6

SHA512
36c35f2bee572e618fd61631b474d6d20dd146c75a9c9cc8b0b0d83e9f9bf26172cefacdf91b6de3047806ba687cb71039355b91aeb84ecffb1f493b3319874f

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
3102c42bec3ed017eb9f7cef4b90fa24

SHA1
dd1ce3e68bdd64891994277ac7cb5f3360c9b6c4

SHA256
2096e6a29e5535ef5be591e3c32f90e1c8ae8f8b0f9f549a24ad0a9d8b708019

SHA512
64f728fd740c0eae33a3c850d8fdca53c7a9239b2d817cc7f0024d1b1267b77295f7cb4fd9554679ec247ba3a242fc1e0f565ceaf5719e420a8782bad8b0a63c

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
305d09be6a6bc389adc03c3bed0e4ce4

SHA1
9406ad034690eab6ca7d49457e2a05bfe25296d1

SHA256
4e8c0131b8c96452375c729367270fb16903edee8d26f65d2839e29b020ae9dd

SHA512
c9f8aa48c2e86535087f4965338d330f0223f8ffd417d2e0e6763b0700d006b8f88854aa6d91f597f12b982662c750677321850103666bc7a86eedd1fbf3cc49

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.RYK

MD5
e0d01a560d67c084824806889d2e36f7

SHA1
a53f1fb365645d2dee7094c77c22d0448b799461

SHA256
a406790f227fe475d2cabfeb1b6712e220bff0900abbd164a6f80c426dccdf1a

SHA512
6dd5f14042525e4a4b5c9db76bf81f644494e5867c7ccb82bffdc635fa2a77070c3248fe84ee0765dc1ae220f0e778d7483a19988f0c2bef168482bbf4c547f5

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

MD5
b7c1e2639cc0b298eaebbf7f40cc447e

SHA1
40f37a002c67c084ab111f80d2a6d90244c9c1cf

SHA256
316fd774c44f2f2ee8ba87b54cfed5b9c6e2e96f39f61de0d4f08971c7e54bf4

SHA512
244199e5459d1b3273c592a8aa725f1b351a73f1f416bdc7325cc0d40090ca60f61ce364cb9a6f937ef380af133eeb416b9a621fb9183d45fcdbe86db7b98680

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

MD5
e3a08e3651b3ded977260f74cc1eb159

SHA1
3a91789f29c6217230fcf3d9220d65943c2a4c3c

SHA256
3e5fd6680b087cf575b251816fb68c3a2baa8300424f20573f7dce3155dc5c55

SHA512
5c057e8be6615b63decff9285f23a7d7c275c6e46cd57cb18b5fbe684464eba9233ac07aa62f5cb18c8109cb9c2409795cb16869bb8acb582fa144cde7871242

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
3102c42bec3ed017eb9f7cef4b90fa24

SHA1
dd1ce3e68bdd64891994277ac7cb5f3360c9b6c4

SHA256
2096e6a29e5535ef5be591e3c32f90e1c8ae8f8b0f9f549a24ad0a9d8b708019

SHA512
64f728fd740c0eae33a3c850d8fdca53c7a9239b2d817cc7f0024d1b1267b77295f7cb4fd9554679ec247ba3a242fc1e0f565ceaf5719e420a8782bad8b0a63c

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
c6f842dbd847e1779aef3ca4d4606558

SHA1
b9e6b08e30260f89070e7a4540f517b6c0c9683d

SHA256
7108d64ddf99918a518688b45fba4f6938833f2b271937dab1fca57d1a67e48a

SHA512
7136405c1d7d688fc1556bba15e6ced333b9af4a914f5389196202d31921c11b18ae81a32049875f71eb8fba3202dba3c7f1d128c35efe46e02f01f11e0ad6df

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
3102c42bec3ed017eb9f7cef4b90fa24

SHA1
dd1ce3e68bdd64891994277ac7cb5f3360c9b6c4

SHA256
2096e6a29e5535ef5be591e3c32f90e1c8ae8f8b0f9f549a24ad0a9d8b708019

SHA512
64f728fd740c0eae33a3c850d8fdca53c7a9239b2d817cc7f0024d1b1267b77295f7cb4fd9554679ec247ba3a242fc1e0f565ceaf5719e420a8782bad8b0a63c

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
2033c6cf8dc93e48921d4e7a1dfe6f2a

SHA1
ba6cda2398bdaa77f983b368d369c4219c7dbec8

SHA256
e93b90c7b187f228102ab2c018412b7ace5fdba471d1d500c254f305632d439a

SHA512
6d808875ea2429aed4a56fed442109b421a18cab414ff9945f5afdda862a5abde58225929a74d6da54ed46bcbc6594725eb6983aa9943c9ae04b264caf30a741

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.RYK

MD5
d1ba9347d356a13eedd55a6fa3f2a8f3

SHA1
3bfb4eea2802cbd9579f734e3cbdf9349ba3a957

SHA256
63ebb46f16594235f63092105c98dd320a05c3d8218941c35c6300275f8826be

SHA512
f0effe2d520c88b131530cf6b6024d1ffbf142be4baa3d3f3cbe812bf78636e5d2f8c6431cdbfef788d8996079ba5a8ba6a085f1e5e9b5195138590e8c4ce0a3

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

MD5
c72a8c3595a1780c159984ba59724020

SHA1
2a417f730c8c595d5f1e5f8b608a8392a9cae315

SHA256
bc63bda52c81e65a95296befac73196ac1dce9709dfd67dce0bde7699fc07054

SHA512
1d1afa5a94abfec8553d5f4972a3815b757d441057d668fcedaa6c2d04340cd389b66408dca6a0a777d2eff325ca77dd7caadcc9d0019febb28e99337d9823fd

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

MD5
df27242a2f75d542554ce8d1eeb0e661

SHA1
3f1269f127cbd499385ea2dd9d81be335920a3eb

SHA256
35fb9b082f3a209bb8526388a3601d2ac79781b3920b715b96a1c5b2fc682614

SHA512
f9b5c1240f021298b78c6bb0e5fc34ceea5a3d79b89c938d84b7264d1f479bfe94ef9d9520fba3c2378824c1b06656491513593eafe0b65a263da9499c5989dc

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

MD5
29fdc88d2b7e6ca8fd3a92b2c14f5af6

SHA1
e49e232ffce047fecda6317f25178b8a3804182c

SHA256
e2845b40b7c712816dd43eaa9410cd6d0c48a1edad0e94648b688fd86af6ddc2

SHA512
780e3725c603ddd0940b7f3b990ef34b822fa24d468b038eb5164c9df7cb980753e60fafa6ac53e645d07b1087278cf917f5a9b1d56165b3ff217565d027677f

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

MD5
53de91e5c524b33f3b1cb3431d338c8f

SHA1
aa32f17c4d6212092c4522088687108e48c6b095

SHA256
27dd3cf4ff827bc444f091abecbee4ff17a351fd560d30d7149a473d1b15bb06

SHA512
9f646fde203586afcf78db2f69a3ba361a3ad224bcedb81138695acb52dc185d57c0753c4ab7a24ebcff23be3f731d3e4032576e3064e724ab7ee5f224c9f515

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

MD5
cc9abd0a847b4f8452e945f517814eab

SHA1
76d009c32c0bd83d8cf3461463f64c0eca6f412a

SHA256
8bb93e685eb1cff4b2e74fd056e853ba3de959aa9f470c2481e276106678c96b

SHA512
623720b5cd52d9c681d43e0e0d03bce9a9eb736fb542cf69e34a49fd0fa4bf3afe40698632c1f3e7161a69f6027352a56900717ab8c3c156cc5435f80a22898f

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html

MD5
3102c42bec3ed017eb9f7cef4b90fa24

SHA1
dd1ce3e68bdd64891994277ac7cb5f3360c9b6c4

SHA256
2096e6a29e5535ef5be591e3c32f90e1c8ae8f8b0f9f549a24ad0a9d8b708019

SHA512
64f728fd740c0eae33a3c850d8fdca53c7a9239b2d817cc7f0024d1b1267b77295f7cb4fd9554679ec247ba3a242fc1e0f565ceaf5719e420a8782bad8b0a63c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

MD5
bb01cb6b55176a962b1ab88b45ee2bab

SHA1
2cbdae34fb2e08c4a58cde0723929d311a66ed91

SHA256
8b3eda7b1de077ed8a2f5d884cfc1add600a8b2e06effeb13b5846d4d9228e18

SHA512
bbcc75f0d8d145144c8ce17093985ff170ca4ba5cce2723d8e3b5f586e7d162bbe5400c4aa3ab06de7a38e771f11c12e54028d5c8e140c319ba11589870cfb11

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

MD5
3b3889aa5541a5d6e0fa1891a4313139

SHA1
8bce230f16034ea4e1d16b689ec71fdb7943146a

SHA256
2276d79452d37568b935096854ddc393dc4c35d1529340d3d2f034cc42db33b5

SHA512
5f4c2e3ca78c4ee54ed688ba3bd98e45f4e129e46f0a648fd452642038289abc1a2285f5eca572e808333d1f0eaf6a68bbc122fce2d8e36b04b04ae6fc0f92c8

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

MD5
cb745ba59007e90f383b015cdb631aa7

SHA1
c30e96d413eb01057850888e3d3da2f11d251aa3

SHA256
66f01c2c6900b3ea60950a3821e31bee15d8a737dd26438f8bfd5cbe70309e93

SHA512
94a49b9bdb2278a684f6ee489e3fdbb4771b6ac4b0e16b8acc5c30e32bc88aac348b29b4d345e68e93b37b4f62c3b4dd0248e128ff3d964e52eaca10f43bcbfb

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.html

MD5
3102c42bec3ed017eb9f7cef4b90fa24

SHA1
dd1ce3e68bdd64891994277ac7cb5f3360c9b6c4

SHA256
2096e6a29e5535ef5be591e3c32f90e1c8ae8f8b0f9f549a24ad0a9d8b708019

SHA512
64f728fd740c0eae33a3c850d8fdca53c7a9239b2d817cc7f0024d1b1267b77295f7cb4fd9554679ec247ba3a242fc1e0f565ceaf5719e420a8782bad8b0a63c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK

MD5
f50f1fe638e4cda96c14f10c6fb37d81

SHA1
c4308d2e6f44ab5957be33c31a31be6b92cb129a

SHA256
4d53f3e409dc2f45ef4dc56413a6b9fff4da9bfa1a9cc4c1c003b5067f9a76e4

SHA512
0fade615324d29a4e4de932c4fea2734ea397ad17cd2ce7c3c7c09f9921650aac857364536cf7d94f3f28e9be36bbe66962af38ad5d8628fd43f69e526d277fd

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

MD5
53521ab52d78f3524a9224fb87de8099

SHA1
93c2a67a1d44e2c0dc2a6f05652dff932f799e57

SHA256
02ab35a010e9e23ebc9ea0b915acfed2ace8f3d3d4a82c1788f33f9ed3037a9d

SHA512
0ebfc843e39de5604361cd7ea175879bd162a84233a89d7f1de045b541014c4fd7f2e0692198e27e8627319bf043ebd5ec87f88304c812db4fa3ba473e679de2

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

MD5
0ae48f640ac14be99797e1277a8eac83

SHA1
37fa3a1e56abbd17deefa34413ba4d3b328e8713

SHA256
fd685b47733d28c949eaa41031cf4d4a18bf181291f57bb55f93693492cdd39f

SHA512
9b3764ec5bd4018a06e26a01b93ee782700babe82dda10b75933e5903aba5c9ac266e417c8c4bf4f8fd45f455d2de0147b853aa3c258a2a039479b6e65588fad

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.html

MD5
3102c42bec3ed017eb9f7cef4b90fa24

SHA1
dd1ce3e68bdd64891994277ac7cb5f3360c9b6c4

SHA256
2096e6a29e5535ef5be591e3c32f90e1c8ae8f8b0f9f549a24ad0a9d8b708019

SHA512
64f728fd740c0eae33a3c850d8fdca53c7a9239b2d817cc7f0024d1b1267b77295f7cb4fd9554679ec247ba3a242fc1e0f565ceaf5719e420a8782bad8b0a63c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

MD5
04d52fcf83496ac979d3fe9eae45daeb

SHA1
aa8a6d639c3062a7c3822d26c88cf409270936c1

SHA256
e5c1d9849dffdbfb108d9b68245942928a703edbfaf92a5a0068c44eeb247d0b

SHA512
c6e5ff18fe6bfb8a6aa29d0865530d4d5e2442ce28788a75d53d2a586f798411ca5702ee1a82e8363761f3b1fd99605e9a38ab6d8a7e9fb812aca9472894f458

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

MD5
9116e4e60e3a990d33397cfd92c76d92

SHA1
7520d83cf51d85366907e2fa1818fd1ff5407098

SHA256
1d90e395193b3b8a044244de53bd59fc8fcaeb63474212983926dd44a0042037

SHA512
454063b49ee36b8d53a665be09806fa8a7502596a6c829a92b973a1a2d0f85f0b98781cc20abd479a9db694c5f1aa01f6195e4301f230249e5d67e8859db82d2

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
3102c42bec3ed017eb9f7cef4b90fa24

SHA1
dd1ce3e68bdd64891994277ac7cb5f3360c9b6c4

SHA256
2096e6a29e5535ef5be591e3c32f90e1c8ae8f8b0f9f549a24ad0a9d8b708019

SHA512
64f728fd740c0eae33a3c850d8fdca53c7a9239b2d817cc7f0024d1b1267b77295f7cb4fd9554679ec247ba3a242fc1e0f565ceaf5719e420a8782bad8b0a63c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
f0154be645d8f94f381b0da91e567592

SHA1
2187b2eb4575b0e6b05d67793bc0e90f48db6e01

SHA256
a67342df0e862310e41faa2d84c344f8bf540864de167c2775fa05ec615fda7c

SHA512
2d4c23dda19ba107473b1278a7420eb587680f4a5e28a6f547dd09dbe0b23a710e25c38df2ea2710ea5957bd5499c5e3d806b114ac57225c62a8cad89325e067

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.RYK

MD5
caad4802f5e637cd79bdf8cfe1f88f89

SHA1
895b515e234e0d186992f3c1639aec8d45c75d49

SHA256
f643d40f8b5d4334d0506f02193ecaa08fdac08d95fd5e1549c4893d6c302b92

SHA512
8ccda7cafb94d8c08e6112a0d36b437958a4b0120eed13d3cdc9170d843f3469e2e3bed6d77abf435779c99d227fc7ca00a74d1cc8c553ae8d2821a95d33798d

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.RYK

MD5
c4e98b8642928b05136405c396b2847c

SHA1
e4f185746da5a5eab9e12399e9e606c32422d691

SHA256
f358a0706aba2efca309adbdce5bceb6da40055fbce0f73a5f162802fd39c292

SHA512
136c9635ba87abbf33677edda3130cb1e1137439f06e92125184a07a6f5d18e4a3c59f4cdfa2b1f85ce6c66d4c064d91036601f6085ac99dc325794e60921b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\GmrJSbwEyrep.exe

MD5
7364f6222ac58896e8920f32e4d30aac

SHA1
915fd6fb4e20909025f876f3bb453ec52e21b7be

SHA256
23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f

SHA512
f5e2b5a17ed04c7edb904e867cec2f66a59b887176bd3e25803e82a390fc36fc47002df747099ca4e6960f020afe1137f4ba24b28613423b5de0b09ff7048026

Download Submit
C:\Users\Admin\AppData\Local\Temp\rCOwRUKMflan.exe

MD5
7364f6222ac58896e8920f32e4d30aac

SHA1
915fd6fb4e20909025f876f3bb453ec52e21b7be

SHA256
23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f

SHA512
f5e2b5a17ed04c7edb904e867cec2f66a59b887176bd3e25803e82a390fc36fc47002df747099ca4e6960f020afe1137f4ba24b28613423b5de0b09ff7048026

Download Submit
C:\Users\Admin\AppData\Local\Temp\uvNCLEXMelan.exe

MD5
7364f6222ac58896e8920f32e4d30aac

SHA1
915fd6fb4e20909025f876f3bb453ec52e21b7be

SHA256
23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f

SHA512
f5e2b5a17ed04c7edb904e867cec2f66a59b887176bd3e25803e82a390fc36fc47002df747099ca4e6960f020afe1137f4ba24b28613423b5de0b09ff7048026

Download Submit
C:\users\Public\RyukReadMe.html

MD5
3102c42bec3ed017eb9f7cef4b90fa24

SHA1
dd1ce3e68bdd64891994277ac7cb5f3360c9b6c4

SHA256
2096e6a29e5535ef5be591e3c32f90e1c8ae8f8b0f9f549a24ad0a9d8b708019

SHA512
64f728fd740c0eae33a3c850d8fdca53c7a9239b2d817cc7f0024d1b1267b77295f7cb4fd9554679ec247ba3a242fc1e0f565ceaf5719e420a8782bad8b0a63c

Download Submit
\Users\Admin\AppData\Local\Temp\GmrJSbwEyrep.exe

MD5
7364f6222ac58896e8920f32e4d30aac

SHA1
915fd6fb4e20909025f876f3bb453ec52e21b7be

SHA256
23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f

SHA512
f5e2b5a17ed04c7edb904e867cec2f66a59b887176bd3e25803e82a390fc36fc47002df747099ca4e6960f020afe1137f4ba24b28613423b5de0b09ff7048026

Download Submit
\Users\Admin\AppData\Local\Temp\GmrJSbwEyrep.exe

MD5
7364f6222ac58896e8920f32e4d30aac

SHA1
915fd6fb4e20909025f876f3bb453ec52e21b7be

SHA256
23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f

SHA512
f5e2b5a17ed04c7edb904e867cec2f66a59b887176bd3e25803e82a390fc36fc47002df747099ca4e6960f020afe1137f4ba24b28613423b5de0b09ff7048026

Download Submit
\Users\Admin\AppData\Local\Temp\rCOwRUKMflan.exe

MD5
7364f6222ac58896e8920f32e4d30aac

SHA1
915fd6fb4e20909025f876f3bb453ec52e21b7be

SHA256
23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f

SHA512
f5e2b5a17ed04c7edb904e867cec2f66a59b887176bd3e25803e82a390fc36fc47002df747099ca4e6960f020afe1137f4ba24b28613423b5de0b09ff7048026

Download Submit
\Users\Admin\AppData\Local\Temp\rCOwRUKMflan.exe

MD5
7364f6222ac58896e8920f32e4d30aac

SHA1
915fd6fb4e20909025f876f3bb453ec52e21b7be

SHA256
23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f

SHA512
f5e2b5a17ed04c7edb904e867cec2f66a59b887176bd3e25803e82a390fc36fc47002df747099ca4e6960f020afe1137f4ba24b28613423b5de0b09ff7048026

Download Submit
\Users\Admin\AppData\Local\Temp\uvNCLEXMelan.exe

MD5
7364f6222ac58896e8920f32e4d30aac

SHA1
915fd6fb4e20909025f876f3bb453ec52e21b7be

SHA256
23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f

SHA512
f5e2b5a17ed04c7edb904e867cec2f66a59b887176bd3e25803e82a390fc36fc47002df747099ca4e6960f020afe1137f4ba24b28613423b5de0b09ff7048026

Download Submit
\Users\Admin\AppData\Local\Temp\uvNCLEXMelan.exe

MD5
7364f6222ac58896e8920f32e4d30aac

SHA1
915fd6fb4e20909025f876f3bb453ec52e21b7be

SHA256
23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f

SHA512
f5e2b5a17ed04c7edb904e867cec2f66a59b887176bd3e25803e82a390fc36fc47002df747099ca4e6960f020afe1137f4ba24b28613423b5de0b09ff7048026

Download Submit
memory/752-14-0x0000000000000000-mapping.dmp

Download
memory/896-5-0x0000000000000000-mapping.dmp

Download
memory/1108-2-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download
memory/1592-9-0x0000000000000000-mapping.dmp

Download
memory/2628-18-0x0000000000000000-mapping.dmp

Download
memory/2640-19-0x0000000000000000-mapping.dmp

Download
memory/2816-77-0x0000000000000000-mapping.dmp

Download
memory/2872-76-0x0000000000000000-mapping.dmp

Download
memory/3144-75-0x0000000000000000-mapping.dmp

Download
memory/3452-78-0x0000000000000000-mapping.dmp

Download
memory/3704-82-0x0000000000000000-mapping.dmp

Download
memory/3896-80-0x0000000000000000-mapping.dmp

Download
memory/3956-79-0x0000000000000000-mapping.dmp

Download
memory/3972-81-0x0000000000000000-mapping.dmp

Download