ryuk | 6dfef684475fcbf722f88337d630668b6fcb73864daa9a7e65f3642d3766fdfc

Analysis

max time kernel
145s
max time network
105s
platform
windows7_x64
resource
win7v20201028
submitted
29-03-2021 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
Size

544KB
MD5

526fa2ecb5f8fee6aec4b5d7713d909a
SHA1

51aea2a2b88fb44d5b7ec5d52b47c8b83d9d724a
SHA256

41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700
SHA512

f8859f16c605622edb196f58d013058092824f3d20d207d8b0ed26d2aa4dd8d2c2d1034d5d9aa73974a605c2a41f4c569f33d43d1a6c640f2f9723c721c9e0a4

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'TyorjXA0'; $torlink = 'http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

KxeyqHoQsrep.exesfIBponbalan.exexdcuKVrqrlan.exe

pid process

1240 KxeyqHoQsrep.exe
1356 sfIBponbalan.exe
1596 xdcuKVrqrlan.exe

pid	process
1240	KxeyqHoQsrep.exe
1356	sfIBponbalan.exe
1596	xdcuKVrqrlan.exe

Loads dropped DLL 3 IoCs

Processes:

41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe

pid	process
1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

2676 icacls.exe
2664 icacls.exe

pid	process
2676	icacls.exe
2664	icacls.exe

Drops file in Program Files directory 64 IoCs

Processes:

41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\THMBNAIL.PNG	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\THMBNAIL.PNG	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_SelectionSubpicture.png	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jre7\COPYRIGHT	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cancun	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\AUTHZAX.DLL	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SendMail.api	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099175.WMF	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Edmonton	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tashkent	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CET	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rightnav.gif	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\CST6CDT	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\JOURNAL.INF	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD06102_.WMF	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql_2.0.100.v20131211-1531.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\ADMPlugin.apl	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\BLENDS.ELM	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.ja_5.5.0.165303.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\vlc.mo	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\AFTRNOON.ELM	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101860.BMP	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.cpl	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Srednekolymsk	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\sqlxmlx.rll	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\jsprofilerui.dll.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105240.WMF	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\heart_glass_Thumbnail.bmp	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\COPYING.txt	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bishkek	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Paramaribo	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Sakhalin	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-print.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_zh_CN.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\CGMIMP32.CFG	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\vstoee100.tlb	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.xml	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluHandle.png	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-io-ui.xml_hidden	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00687_.WMF	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\OmdProject.dll.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.event_1.3.100.v20140115-1647.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base_4.0.200.v20141007-2301.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099190.JPG	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe

pid	process
1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1684 wrote to memory of 1240	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	KxeyqHoQsrep.exe
PID 1684 wrote to memory of 1240	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	KxeyqHoQsrep.exe
PID 1684 wrote to memory of 1240	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	KxeyqHoQsrep.exe
PID 1684 wrote to memory of 1240	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	KxeyqHoQsrep.exe
PID 1684 wrote to memory of 1356	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	sfIBponbalan.exe
PID 1684 wrote to memory of 1356	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	sfIBponbalan.exe
PID 1684 wrote to memory of 1356	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	sfIBponbalan.exe
PID 1684 wrote to memory of 1356	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	sfIBponbalan.exe
PID 1684 wrote to memory of 1596	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	xdcuKVrqrlan.exe
PID 1684 wrote to memory of 1596	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	xdcuKVrqrlan.exe
PID 1684 wrote to memory of 1596	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	xdcuKVrqrlan.exe
PID 1684 wrote to memory of 1596	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	xdcuKVrqrlan.exe
PID 1684 wrote to memory of 2664	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	icacls.exe
PID 1684 wrote to memory of 2664	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	icacls.exe
PID 1684 wrote to memory of 2664	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	icacls.exe
PID 1684 wrote to memory of 2664	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	icacls.exe
PID 1684 wrote to memory of 2676	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	icacls.exe
PID 1684 wrote to memory of 2676	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	icacls.exe
PID 1684 wrote to memory of 2676	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	icacls.exe
PID 1684 wrote to memory of 2676	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	icacls.exe
PID 1684 wrote to memory of 3960	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	net.exe
PID 1684 wrote to memory of 3960	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	net.exe
PID 1684 wrote to memory of 3960	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	net.exe
PID 1684 wrote to memory of 3960	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	net.exe
PID 3960 wrote to memory of 2984	3960	net.exe	net1.exe
PID 3960 wrote to memory of 2984	3960	net.exe	net1.exe
PID 3960 wrote to memory of 2984	3960	net.exe	net1.exe
PID 3960 wrote to memory of 2984	3960	net.exe	net1.exe
PID 1684 wrote to memory of 2852	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	net.exe
PID 1684 wrote to memory of 2852	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	net.exe
PID 1684 wrote to memory of 2852	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	net.exe
PID 1684 wrote to memory of 2852	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	net.exe
PID 2852 wrote to memory of 1692	2852	net.exe	net1.exe
PID 2852 wrote to memory of 1692	2852	net.exe	net1.exe
PID 2852 wrote to memory of 1692	2852	net.exe	net1.exe
PID 2852 wrote to memory of 1692	2852	net.exe	net1.exe
PID 1684 wrote to memory of 2708	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	net.exe
PID 1684 wrote to memory of 2708	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	net.exe
PID 1684 wrote to memory of 2708	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	net.exe
PID 1684 wrote to memory of 2708	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	net.exe
PID 2708 wrote to memory of 3848	2708	net.exe	net1.exe
PID 2708 wrote to memory of 3848	2708	net.exe	net1.exe
PID 2708 wrote to memory of 3848	2708	net.exe	net1.exe
PID 2708 wrote to memory of 3848	2708	net.exe	net1.exe
PID 1684 wrote to memory of 3764	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	net.exe
PID 1684 wrote to memory of 3764	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	net.exe
PID 1684 wrote to memory of 3764	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	net.exe
PID 1684 wrote to memory of 3764	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	net.exe
PID 3764 wrote to memory of 3932	3764	net.exe	net1.exe
PID 3764 wrote to memory of 3932	3764	net.exe	net1.exe
PID 3764 wrote to memory of 3932	3764	net.exe	net1.exe
PID 3764 wrote to memory of 3932	3764	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
"C:\Users\Admin\AppData\Local\Temp\41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\AppData\Local\Temp\KxeyqHoQsrep.exe
"C:\Users\Admin\AppData\Local\Temp\KxeyqHoQsrep.exe" 9 REP
2⤵
- Executes dropped EXE
PID:1240

C:\Users\Admin\AppData\Local\Temp\sfIBponbalan.exe
"C:\Users\Admin\AppData\Local\Temp\sfIBponbalan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:1356

C:\Users\Admin\AppData\Local\Temp\xdcuKVrqrlan.exe
"C:\Users\Admin\AppData\Local\Temp\xdcuKVrqrlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:1596

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2664

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2676

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2984

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1692

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3848

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\MSOCache\All Users\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.RYK

MD5
e8bb29e490021a97ef2719c4a34ff263

SHA1
6fe8f19a89fc14d9a44e0f7e91288e77a9e0667a

SHA256
cbe1d73c9fd899b976f6b69fc4aee62d321ce70dd0ffa81035d14ac85bd2fe2e

SHA512
1afe02dccb8453f51041203d951069569bb707c85f1362beb9df95c928271adaa29aedc115fce27426866eea2388b56d4691ad93ffd93f681c88d8d5f12cba69

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

MD5
e79f4bf69ca0ffbaa449bda7aaf4de89

SHA1
7db6c8c927ece18358d869a185512575eb463ea0

SHA256
ee9e6dab686fd91bb9e2b0ca2ba504c67f55b80628c90fe8ce4b120f533f86f4

SHA512
11f81ccd9db058e583167508e1ab76df3817baa3ccd9e4944b4951338611ef01765754dac47e224e3df637244619271fd8e1b2082824256a3e4163fc5c6f55ce

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

MD5
4dcc9a76981f4f49a6f85e73ac16f5d9

SHA1
5833202bcf8802cc22b2c2b4c0f2972d621dd07a

SHA256
6a8e3962ec2bda81bbddfeb8deeb3ae469ea1842ac3fc9b087ae390e08234140

SHA512
c0282876f23999c88294a18893d7e8d585b0e222deece598acabde895f4de94a3c248daed5a00b43c9dfa71b46d66e6fb7ac405fce5d0d2a0724af154e4fda14

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

MD5
ca8b9b0bc22b2e47ae9077f73954572e

SHA1
40b7ff2fa58e20212ef52ae476afb8bd234f5c73

SHA256
c01cd7945a0646f086eb7817870106194b19110e8603de164d5c0a7b61885d07

SHA512
d5aae013e727ca6b3c688457b3e471650ac2793065b2447cb2eaeca346947da517c43500b389df8fee7c89ad91d6ca93dc9571ba4881654db76a4659be254fc2

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.RYK

MD5
a46ca40d8a68504fe427650388b054c1

SHA1
06140c0dab81c45933f38d6f574abb7db5236de8

SHA256
2075a58cf69701d18c0693f10cdfc417400b017cef49a272bb91a78a39ed2c43

SHA512
f2e1a62ecde1bcc47d9258f094bb8168137d42cd573cac3427320295397efb5a82e0fbd06f156ac58809d2f3c274676dac0ef84e20f38df87e42b309f25780e3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab

MD5
d6e7c308637bd4810352feec46ad13b0

SHA1
0c77445f9fb01c15c73382da8663f906c089d92a

SHA256
f619c64b1008c25c263484dd2714d06da2cec7fe1cba45c2da2b5dd8ec8d2b73

SHA512
cc46721af9de3f00bedc890c7a4e121cb197deb208cc615e6f34abd1fe3dc755c6340ebb40cdb1c220b36f6f81ddd58862ceed20fade4ff707506a6a764fc799

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
942ad8a45b316492680796133e441e47

SHA1
a64f604eaaa19fb512eb91eb59a4c5beff375561

SHA256
d1b20a305a152fb0b1c7a6f78615d6ad5d4a45da4b251a920b14f31d8b29c812

SHA512
f28306b0959112e3cf51a11d04801790f90b2e8884caacc0be129f96635b2c96e758aaa75c0c7319f8a26ee7f8613c85187596da83da37bcde9657c3dfeda858

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

MD5
1a5343e7be8bcdf26f68d4eb831ae30f

SHA1
79de78c2f2f40c213a9786c0e69c0f1d0fe0a317

SHA256
9fbb869bf1daae8dc79a54098fe6410e0425c2b9729665ff2ae88544bcf94230

SHA512
b54c4b3a65620fdfa57b17928f9954d60d5f99cd86172da413a08f41ce9533546123783fa4c91344bb4319da65c3c2851b58cc0253d1a1a315a57c6250a3f23a

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

MD5
b7b63ac2387b3c82a3b7c85a1e503144

SHA1
bb6336cf5923677979265a03b3f448a453011b01

SHA256
d3653dd42cb885159952680121578f07adf0a0b885346ffa1003bc4f5d0c0a50

SHA512
c02c4f50d15ab1313d61411b96bacf8024ff1022bb7d5fac53f50fcc5e25539a37e9ffc1126084311996b1c23bf61bf924757e682c1c297d2751176832e1ad24

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

MD5
49bb2916f47af63567a606936a6d9914

SHA1
1bdf7c43d9cf0850a4d9b461a79c488504dee2ac

SHA256
cdc708fa4b2209d6f72680452b3ca04466dc38360352f7633f6f613094b5c76d

SHA512
dc7cacf6dd0a05790f79a5be0a04da709ecdbcb505e5f1e65c4f38c809767bfd4dcaf6002b83aaa229261123a81c460001208ec08ed3827b680787e73fef4be4

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

MD5
31a4103788261b25e8772c440f172092

SHA1
edd8f928843fbf3f853bc7e996f0e3b4c47aaa94

SHA256
acc743d102046b5728ec4637ee5e2560c87acc190efd36d02c5430f6937a16a9

SHA512
1e92bc75339a5d0cdd251334aa7e1085ef2513ca8b494633ce22ff2b8adc466b4a94800e0c68712de1f1273579caafdc16eb6c72418a7aa8d8703e470afee2d9

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
89beee60c3bd73482bb640bcccc3c0c6

SHA1
60437ebeaf2cbc29dd704d8f22a05ada421570aa

SHA256
8d8322d6b045bc765d64d80faf43639c8d161b396eb33deb30e37098d325b8c8

SHA512
09eceac640d4ecb9ae490b9ed0344c682c25a34f066c7e337ec3d487c4c7bffdc6694ae7e4f8575152691c243734cb53b0109e4d01c5596f8090b343fd9e8e40

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

MD5
67ca64260bf1f0e701269f610ba8f573

SHA1
0fa61f1fef425cc6d857553c0c05f2d34e61e622

SHA256
3b76fd6b8f2d8c6296c0050f9c75a23a04fd30627caaf123d039913c9388fd93

SHA512
0f36eaf0e3b1b0670f97cf1e5dd78eb49a865c5cf9107aeceb8e89fdc664646e21b7aca267cf2432bf4d4a98bf1dc676c7c9ea4feec4c228a3da9c10d3c0f60d

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

MD5
fd835c5617c74cd0c45689983b56c5be

SHA1
0c99c242526a11e064d65883c8852d1b9f3e546e

SHA256
18db2f2c5dfa033f82f80e5ffd297777a1be8c3ed4f434d70b604669442dd386

SHA512
9d533a4db5703096196fa155e3790d9d89e87724bee77bf696f824170e3d7709c458718a1d3dc672390769e8e924d0a8fa34f5931283e3791c748bf6eacc7192

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
19ff5bedbc59d71b8d7a60d5b9d57ff3

SHA1
1551ac2326d1817464311de20fe3712b4254bbca

SHA256
c51dcb9511e7cd3c53e8e07adba5abe493af3dc902cf116a710307bd2d290cc5

SHA512
5161ac6859a1a6a7367e0ff63dc74d27a783d2f7b010cf2410bf9d2a184467b31a2fe03fa801ec4e888ef43c6ec064c35cf2f9da88a34419eaf8a66100bb2e07

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

MD5
093a3b516f2d2076f450c9c81db4dc38

SHA1
9713d039f93da27f8789e71cc0169b3279bd717b

SHA256
e4ea77278f8e4597024eaad8f38468f5e33080c2528f61880d550addfb0338f1

SHA512
39370620d1ff1a087821b219c259e0cfcf8841e2b4787cbd132e02287fd412af4efbc6d3753644fd16b8f9c87cf8c013f2d800b33908b3140e28903b60490dd5

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

MD5
e6ebdd55468c72a2c8c5e3fe22c13ad7

SHA1
8003dcbbdd517f32a7bb358fac0150b55bc0f821

SHA256
78d2e3fd085a37a28d616a9fee2adde5e3e3ba9acac3b6c17a1a78279e3776d8

SHA512
1444c0279e26f8d74c537b5aa2c03788d7acda59f993f0bd29a2e06eb480bd878b781d50bdbe01a63aa1c07162f5809e014190e494df8063fa657fd6ee71e421

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

MD5
716126939b2981f2830fa825e5969ab7

SHA1
1790613afccf4d4a17897328f8eae8019bc78733

SHA256
4d8b99fc556b1a07b74e79580e441956d90e6405753dd3261ad153b3e599d85b

SHA512
5253139a641ec08e709c81f5bf36ebe225d24465abf72ddd72bc833eb57bdf0037213aed07bc2f280d5cfca7ab3cd7a4add41314866dfbea3ac48251de22cfbe

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
35b29e41192bcba1b8cb09f339ac316e

SHA1
6f7926542fbf5ed77f55f75e119cd43bd4d57107

SHA256
e151d9f52db73a40dc3b57bfe45e9091d8e2b1b2c9846218f14e58d65338558c

SHA512
4f5f5eb8e994dfd4ae484a11e59f5c0790bcfafb4c1f676f8a7bdde12c3db8c70bb11688e60f8f7e5b9f7b4f0eee212602ea195a2086cc1bece51e20e92b4efe

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.RYK

MD5
587ce6de52618083591313bd9d328b33

SHA1
443ec75385980dfff381fdc4c9a83b4bef460600

SHA256
7631cb53e7ed02229b83fe551a6cb8499bf8c7d3f9e27e9b9e413f246210d867

SHA512
e7033584b007f87e9ba2e656863f90c326cf6dad309ec32d3316da451bebff5bbdd5bd7b1725dca16fcb3768a9953e5509067a2cd04f582309f0b8730ed704b9

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

MD5
fe969ec2bbe5ddebf36c8f2a69a393ec

SHA1
6f3c8f56d0ce4da6e48a6e221566490c67ce81df

SHA256
187470dd03c8bed72b842d524d5184179ca31eff34e5a4d2bc90f9e654b7bc07

SHA512
0bfbf3643726a95458030afc925614f67a6d6ba0ff5854e85c0f68af214d49a2b6936677eb59f77282526bb3c737d83bf50662dc9931cc02567b535cff7214c3

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

MD5
37296809103f4903e198be8a07df0970

SHA1
101a963cff56bf35be75c1d3db3effa8b44adea5

SHA256
6cb0bd96d2018be4b7fabac16c285073b13d8fb6b0f21c87e4e6778ec210aa2c

SHA512
402c22981d182aa4e11a3706ba7642a929c01fff048fde9f1fbe6fd78e5290085edad16ef6c88cad0a4156dc83a67f4a3e75ecdcc34f8644077af76f6fec6556

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
edc6022182f048a7a2c9913f99b54851

SHA1
3660210512612ba64066ea7a97ee45f41a8aa433

SHA256
1e59f52859d8f39618899b90f9bbc8a1f5c5c60d989c4a3fa150537611a9c043

SHA512
78f89791d6c54a3ec7604799249daa527159cdc8267ceb929ca94a18a9480f4e564090b5b6bfa3919e3e762023c6f05802bf394fcbc6e9799d5fbb742bc4a8c7

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
c5bfdbdd9c02296539343506349b6d95

SHA1
7237f3e093be44d227bb90a7c05b863c6c3ffd59

SHA256
ad1c0a65574e92fe5473bc0cbbdb72fc023038bdfec81d3039419f1bfd292d01

SHA512
60e248b69f94e3a849de04eab23862954ca9eb0a3adddbf7394b13d05211ff1046e505a7563f879015ba0645dd53ba9f0c04ecd8f26f3b4041dceb6d9dacbb17

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.RYK

MD5
2db7b0a5c2734162dc13861022adadea

SHA1
41fc729ce4474d36def9f3265387525fa668ba8c

SHA256
59984c3a60224531ff40a88e1664482c8e84561deeef3465dd859ea0e72058f8

SHA512
4fec6c77bd79488a1b40bd389100137262a35109752131a4838033268f31bd34175d7bd47ae36277e2c8273bbb0a9c823b4850f8254c9a8f80bfca9d34e2beee

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

MD5
c2709a1fb822ff589a16d9fe8fe8f1f3

SHA1
2355c5bb6091db196f8a502e85f483de89db02d1

SHA256
a014a8fa719dc1d73738d794bd0d7c4bce848a95ce0000731890f6c78df2ed64

SHA512
12e6c4dadb52f786520c005ba4e58dfc33268b132a69ed1dc2eaee839247f6a2de1073cd578164c5a9c36dcca49ebe2cf55722d56b032ac3a73580b89fe2d1f7

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

MD5
e0de401dc1ba674cc168396c2ebc1413

SHA1
03bcf7f513cdb16830c0187f99c4ea07c3424c74

SHA256
d0279495ea9690662aa6c84a3494cb5455be16b339a2ffa42b9f898d28fd8a03

SHA512
f159b45d9bb42b3659a8d813e61131d2a5e4c4dbae579a8c783b3fdac2ee723b9dbc2f84a183e743e70a5efaff9c90d80d7494898c89d09432d9a0f93b4057be

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

MD5
75c6287f6cae296153f434d3dfd64901

SHA1
d1c544c7643f6cbbb78cc616eac251bf621fe6e4

SHA256
33a91bb15b57f17d13e52112500669521157294eaeda35d4354545409f1aecd5

SHA512
dced2d9adadfb0ac585c6e9b530e0fee4316de2cbf3df15ec2b357a99d8686587bc72fcbcb2c129679e711797909caf293468a6b64cf727298fb1d95eefc8d3d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

MD5
2e09ab0b6aef7360b1644d261fcf52cc

SHA1
691f4f5488aef0d5596696c536a1a334f8f2ca3d

SHA256
3968e0a73e097b0bdacb4277c32050a177a148af7311cd0bc3ea002aec9de812

SHA512
5bf79370f2d8817a24e6025180ef470568b8914910f933a794c7d3c0ce5218f442b4ab647d288b247ba9f69582444b7fb6c5e9ec6859848825af0805b17a3dda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

MD5
bcbb1f934b5e0ef40486f1fa65ab7603

SHA1
e78b8c9514f076b6e7190c565483c26036a27302

SHA256
44b00860f3d8de8921d83ed9e39663d5ab397774fc510400ff967b1ac4bd184c

SHA512
cf1861bf4112f7383aafa2d56c57f0b07edcd43dd156c52729acf6518c187cdfba6094eb807bd45defed877f0a3213a31caaf23032260f6c88f216232407ad85

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

MD5
a01c27acbb849fec562637698d34a1a3

SHA1
831f09c237653cab25ab2ae2ba4ba014aa1f4c89

SHA256
8048d8a52250c6da3850bd9eeefa3aa3dcd6e353f1555f13696c46489de2f6c7

SHA512
6dbe62c2fb7d925299e00b63ce4b604bb6c1f93f638c81e07498f228f11ebac78c9a64728145374c7b0251a31d1d1befcd3eea0adeaa4a1a36475c071a6acebf

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

MD5
8478c0e1b4dc993909e6cd10b4656cec

SHA1
8afb1bf4acea7c7c38e3002e428d8c49797d5fbc

SHA256
cb697a094b998aba1806a1acb37e94beaac9293277386b28c1ba77024cf847cf

SHA512
d5eb36a9293f0304e9797c1e062cc864f31024cc6340b41f5db12db4a21681102bc5b36c026dda9968379ea1138de72b7f3955c5560c733542cf034f5b32b4b7

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

MD5
69960377ffa1da611af27ce9e17dcef0

SHA1
880a0ce4aaacc0efe9169d364d94a7ff979ef8de

SHA256
3f52ed3138b51956f4be6ed2e5d2403cded7e40eac4029ec931f3eb15049f6fc

SHA512
5a314d4bda5b602217989889d0836bf1a5b89c3073bb9ae498811e84ddf8820ca70cee5ad2b60dbc940492655f8dba176109f12e82dbe151371a2f2d13a1c36b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK

MD5
b3bcaf8478cdec0c7df62ab0c47144b5

SHA1
aebb78a9e4dd1b4b461883cf355f6a8b71ef3fe2

SHA256
2028a281e8e92f45739c8680d796ea4102f735b974e14b8b33a21cb723558300

SHA512
61bbeb08453f85363e500de4618ca998e4f2c25d77b62d41b7928500cb7d5557a78dbc1295de8a3085916b4eaac7eaf62f2f6aabd60ee5892874dab27c3b653d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

MD5
b2c113930753133d843ebf864f94105a

SHA1
aa5254c84b5a4e4d6a3f87cd06f22f58dc5f4e51

SHA256
2e29d4f590aafc497ade915a763624696d44f4a969b6a7729fe68cc0848b5bd4

SHA512
f3dd72a7d7bbb4a562a04b0a85c7ba00f70bac2e0e78baefa214be7d64a4adc0a8c808cffa34b88f30d00f5eb4c2afb6cc3162719466a685541b0f17d60e913b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

MD5
0e78e5c9c24145c96d1371a0d626e1a4

SHA1
7fb72f9487b1651ed7e18b9de58044ca8468ca48

SHA256
03d7fc9e740aa32eddad78f1261546a39b5cb64c8f797d82b53c58869c8e429f

SHA512
8b4859207c9e9c44baebb21e248f8370b29c25bf703f69a4090ef1e8e88cfa7f05ef158bd57c7c8ff38666b0e31452d70c651cff3fb46e39e1d5a2094d6ded99

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

MD5
2d525ecab6ea05a400d7ccbf5f2372d3

SHA1
a72e0dcd5a5c9300a91e62e447989386cf57cfd9

SHA256
e7b58d8e041e30d5e069f97a24017c715d233032001efcbd77c52449ab6b12c6

SHA512
31636aecc9fae2b5007b060327e458b5ea729d7403353d17a6446a90e147cc554d51dc199d582957e38d64021b1177caa7edcd63f4249952f0b72ac034b58b36

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

MD5
a8ff26b7ad5e35257fa213eb4fdd5b6d

SHA1
ff964f9845db7a0dd171fb605667923f16216cff

SHA256
c18ea3f5406ee669353d2405f225b1b4fb32f4ae0245e47d91af15772682a5c1

SHA512
e2a660a02a50a4805b8b767fee68af57781d063cd7f93353f259ba610b1a3d1cb202d65b95a89657cf56792d1958faf757d9770076d9c09e39e2ee42a9abb884

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
3ee7d3840cd9c2c2ba2821a5bd9b7e4d

SHA1
9cb7c62a1eae541dd4896c29fc0f99bd1d7a90b6

SHA256
ba2d20ac5a8153e9457de1cf3847e667391a02b3564c6f148884f9389112e7a3

SHA512
64e56cd69a58636e5cd6803939439bee788d7168a04593c44364dc50ab86067425f0eb813b04e69382e14cbda7b94c78bb52417dd2d4e81bf7cb0060e61b0175

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.RYK

MD5
cebf0eef68fe849929a1c309b5bb02f8

SHA1
66ba54973a68d65f4cbd7f86b12246ade480fda9

SHA256
ddf62fd9a71bc8389242434bab2e53c49b2a441923af35470855978b2f63d69e

SHA512
7f76c6bf888dc0a1a9f6f4a1ce8c3dc28d7585c31243906f4d96686c0ff06181f2424681b8ec6edd1da97bfd335b66e24a2e23eb0cd97a5beefc4885a59793b4

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.RYK

MD5
d6ef20f234f7e0bdcbefb15919e261c1

SHA1
46993ed7cba6adb8b3a03fbd82444aa8f5c76751

SHA256
d0caa56fdb3d3bf7314caaa0e6971fbff6ff9e720b6cff2500addd2ac6919078

SHA512
17e7a6438216e37a9f5560d70afc52369a36d83e2ed83ca516f318f08446b4da70a6a3aca40ffa1734fd98213b2b1deba3ebe7e80ae21454e2038e0df1d57667

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml.RYK

MD5
77b1de86e10b77daff72800b14fdde18

SHA1
532ed541a38df5261828a290c1a07435f6b33c54

SHA256
ba773ad0deec46fa4f64a17768a3e787fe45b9a89d1fb91595b0455c06bae4a4

SHA512
3a1b59ef0c21b0dda3d4fbab38da12b997252845dfed290f781a0be754972ce8fd08ff0e49689628a1cb89eb283184db758eb8edaf0216b8db16e8b21336e008

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
8cef3cb4b112429afe081a02dfec3438

SHA1
6a8879396bdc3cf572aed0433961fab25e1e7919

SHA256
8a8be724a8850ad6c47a09359dbfa08e0c3f31699a0315f570dc2eef30b6730a

SHA512
7e21b342c28d12515045fe1687311ef95858fbecc5fe119da828d9988d550f39bebcb87004d9343b82d156b251a625157141c0d8d39429cadb613b9f79faef3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KxeyqHoQsrep.exe

MD5
526fa2ecb5f8fee6aec4b5d7713d909a

SHA1
51aea2a2b88fb44d5b7ec5d52b47c8b83d9d724a

SHA256
41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700

SHA512
f8859f16c605622edb196f58d013058092824f3d20d207d8b0ed26d2aa4dd8d2c2d1034d5d9aa73974a605c2a41f4c569f33d43d1a6c640f2f9723c721c9e0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfIBponbalan.exe

MD5
526fa2ecb5f8fee6aec4b5d7713d909a

SHA1
51aea2a2b88fb44d5b7ec5d52b47c8b83d9d724a

SHA256
41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700

SHA512
f8859f16c605622edb196f58d013058092824f3d20d207d8b0ed26d2aa4dd8d2c2d1034d5d9aa73974a605c2a41f4c569f33d43d1a6c640f2f9723c721c9e0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xdcuKVrqrlan.exe

MD5
526fa2ecb5f8fee6aec4b5d7713d909a

SHA1
51aea2a2b88fb44d5b7ec5d52b47c8b83d9d724a

SHA256
41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700

SHA512
f8859f16c605622edb196f58d013058092824f3d20d207d8b0ed26d2aa4dd8d2c2d1034d5d9aa73974a605c2a41f4c569f33d43d1a6c640f2f9723c721c9e0a4

Download Submit
C:\users\Public\RyukReadMe.html

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
\Users\Admin\AppData\Local\Temp\KxeyqHoQsrep.exe

MD5
526fa2ecb5f8fee6aec4b5d7713d909a

SHA1
51aea2a2b88fb44d5b7ec5d52b47c8b83d9d724a

SHA256
41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700

SHA512
f8859f16c605622edb196f58d013058092824f3d20d207d8b0ed26d2aa4dd8d2c2d1034d5d9aa73974a605c2a41f4c569f33d43d1a6c640f2f9723c721c9e0a4

Download Submit
\Users\Admin\AppData\Local\Temp\sfIBponbalan.exe

MD5
526fa2ecb5f8fee6aec4b5d7713d909a

SHA1
51aea2a2b88fb44d5b7ec5d52b47c8b83d9d724a

SHA256
41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700

SHA512
f8859f16c605622edb196f58d013058092824f3d20d207d8b0ed26d2aa4dd8d2c2d1034d5d9aa73974a605c2a41f4c569f33d43d1a6c640f2f9723c721c9e0a4

Download Submit
\Users\Admin\AppData\Local\Temp\xdcuKVrqrlan.exe

MD5
526fa2ecb5f8fee6aec4b5d7713d909a

SHA1
51aea2a2b88fb44d5b7ec5d52b47c8b83d9d724a

SHA256
41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700

SHA512
f8859f16c605622edb196f58d013058092824f3d20d207d8b0ed26d2aa4dd8d2c2d1034d5d9aa73974a605c2a41f4c569f33d43d1a6c640f2f9723c721c9e0a4

Download Submit
memory/1240-6-0x0000000000000000-mapping.dmp

Download
memory/1356-11-0x0000000000000000-mapping.dmp

Download
memory/1596-18-0x0000000000000000-mapping.dmp

Download
memory/1684-2-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1684-3-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/1684-4-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/1684-16-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/1692-86-0x0000000000000000-mapping.dmp

Download
memory/2664-24-0x0000000000000000-mapping.dmp

Download
memory/2676-25-0x0000000000000000-mapping.dmp

Download
memory/2708-87-0x0000000000000000-mapping.dmp

Download
memory/2852-85-0x0000000000000000-mapping.dmp

Download
memory/2984-84-0x0000000000000000-mapping.dmp

Download
memory/3764-89-0x0000000000000000-mapping.dmp

Download
memory/3848-88-0x0000000000000000-mapping.dmp

Download
memory/3932-90-0x0000000000000000-mapping.dmp

Download
memory/3960-83-0x0000000000000000-mapping.dmp

Download