ryuk | 6dfef684475fcbf722f88337d630668b6fcb73864daa9a7e65f3642d3766fdfc

Analysis

max time kernel
152s
max time network
96s
platform
windows7_x64
resource
win7v20201028
submitted
29-03-2021 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
Size

124KB
MD5

b16db2ad22dfe39c289f9ebd9ef4c493
SHA1

23ccb60927905eb9be2a9ee4230ebac0836b611c
SHA256

0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892
SHA512

5a95bda6dd3761e1a7967562c8dd1b5bf68ce7ac5e7a0c345465c012f9baa7f668080f9998cb29d8e45ba43adb3fd104ef62380818d2eab5ecf2a1e19e5b95e1

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'CRAny5Nq'; $torlink = 'http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

ezKOrmiEirep.exeFNtSvwiqNlan.exeNmIiZIXsAlan.exe

pid process

1724 ezKOrmiEirep.exe
1676 FNtSvwiqNlan.exe
2580 NmIiZIXsAlan.exe

pid	process
1724	ezKOrmiEirep.exe
1676	FNtSvwiqNlan.exe
2580	NmIiZIXsAlan.exe

Loads dropped DLL 6 IoCs

Processes:

0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe

pid	process
1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

2656 icacls.exe
2668 icacls.exe

pid	process
2656	icacls.exe
2668	icacls.exe

Drops file in Program Files directory 64 IoCs

Processes:

0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Hong_Kong	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\tzmappings	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Juan	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-12	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-lib-uihandler.xml_hidden	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Bissau	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\RyukReadMe.html	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00853_.WMF	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\RyukReadMe.html	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\RyukReadMe.html	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-util.jar	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\PAPYRUS.ELM	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105530.WMF	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\RyukReadMe.html	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00459_.WMF	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\ij.bat	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-io.jar	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-attach.jar	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\cacerts	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\RyukReadMe.html	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yakutsk	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\PROFILE.ELM	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152876.WMF	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Grand_Turk	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\RyukReadMe.html	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.ja_5.5.0.165303.jar	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_zh_4.4.0.v20140623020002.jar	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director_2.3.100.v20140224-1921.jar	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-actions_zh_CN.jar	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_zh_CN.jar	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\ResumeRequest.tif	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\RyukReadMe.html	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00105_.WMF	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkClientCP	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_ja.jar	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\en-US\msadcor.dll.mui	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00273_.WMF	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\RyukReadMe.html	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\RyukReadMe.html	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Midway	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper_1.0.400.v20130327-1442.jar	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Martinique	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDFFile_8.ico	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\RyukReadMe.html	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\jni_md.h	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Nairobi	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Madeira	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Belize	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\RyukReadMe.html	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101865.BMP	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jre7\lib\resources.jar	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\RyukReadMe.html	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099186.JPG	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-background.png	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.ja_5.5.0.165303.jar	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_ja_4.4.0.v20140623020002.jar	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe

pid	process
1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1852 wrote to memory of 1724	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	ezKOrmiEirep.exe
PID 1852 wrote to memory of 1724	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	ezKOrmiEirep.exe
PID 1852 wrote to memory of 1724	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	ezKOrmiEirep.exe
PID 1852 wrote to memory of 1724	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	ezKOrmiEirep.exe
PID 1852 wrote to memory of 1676	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	FNtSvwiqNlan.exe
PID 1852 wrote to memory of 1676	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	FNtSvwiqNlan.exe
PID 1852 wrote to memory of 1676	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	FNtSvwiqNlan.exe
PID 1852 wrote to memory of 1676	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	FNtSvwiqNlan.exe
PID 1852 wrote to memory of 2580	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	NmIiZIXsAlan.exe
PID 1852 wrote to memory of 2580	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	NmIiZIXsAlan.exe
PID 1852 wrote to memory of 2580	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	NmIiZIXsAlan.exe
PID 1852 wrote to memory of 2580	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	NmIiZIXsAlan.exe
PID 1852 wrote to memory of 2656	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	icacls.exe
PID 1852 wrote to memory of 2656	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	icacls.exe
PID 1852 wrote to memory of 2656	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	icacls.exe
PID 1852 wrote to memory of 2656	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	icacls.exe
PID 1852 wrote to memory of 2668	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	icacls.exe
PID 1852 wrote to memory of 2668	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	icacls.exe
PID 1852 wrote to memory of 2668	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	icacls.exe
PID 1852 wrote to memory of 2668	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	icacls.exe
PID 1852 wrote to memory of 1928	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	net.exe
PID 1852 wrote to memory of 1928	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	net.exe
PID 1852 wrote to memory of 1928	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	net.exe
PID 1852 wrote to memory of 1928	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	net.exe
PID 1852 wrote to memory of 1108	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	net.exe
PID 1852 wrote to memory of 1108	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	net.exe
PID 1852 wrote to memory of 1108	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	net.exe
PID 1852 wrote to memory of 1108	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	net.exe
PID 1108 wrote to memory of 3044	1108	net.exe	net1.exe
PID 1108 wrote to memory of 3044	1108	net.exe	net1.exe
PID 1108 wrote to memory of 3044	1108	net.exe	net1.exe
PID 1108 wrote to memory of 3044	1108	net.exe	net1.exe
PID 1928 wrote to memory of 2984	1928	net.exe	net1.exe
PID 1928 wrote to memory of 2984	1928	net.exe	net1.exe
PID 1928 wrote to memory of 2984	1928	net.exe	net1.exe
PID 1928 wrote to memory of 2984	1928	net.exe	net1.exe
PID 1852 wrote to memory of 2668	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	net.exe
PID 1852 wrote to memory of 2668	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	net.exe
PID 1852 wrote to memory of 2668	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	net.exe
PID 1852 wrote to memory of 2668	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	net.exe
PID 1852 wrote to memory of 2764	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	net.exe
PID 1852 wrote to memory of 2764	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	net.exe
PID 1852 wrote to memory of 2764	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	net.exe
PID 1852 wrote to memory of 2764	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	net.exe
PID 2668 wrote to memory of 2804	2668	net.exe	net1.exe
PID 2668 wrote to memory of 2804	2668	net.exe	net1.exe
PID 2668 wrote to memory of 2804	2668	net.exe	net1.exe
PID 2668 wrote to memory of 2804	2668	net.exe	net1.exe
PID 2764 wrote to memory of 2968	2764	net.exe	net1.exe
PID 2764 wrote to memory of 2968	2764	net.exe	net1.exe
PID 2764 wrote to memory of 2968	2764	net.exe	net1.exe
PID 2764 wrote to memory of 2968	2764	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
"C:\Users\Admin\AppData\Local\Temp\0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1852

C:\Users\Admin\AppData\Local\Temp\ezKOrmiEirep.exe
"C:\Users\Admin\AppData\Local\Temp\ezKOrmiEirep.exe" 9 REP
2⤵
- Executes dropped EXE
PID:1724

C:\Users\Admin\AppData\Local\Temp\FNtSvwiqNlan.exe
"C:\Users\Admin\AppData\Local\Temp\FNtSvwiqNlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:1676

C:\Users\Admin\AppData\Local\Temp\NmIiZIXsAlan.exe
"C:\Users\Admin\AppData\Local\Temp\NmIiZIXsAlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:2580

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2656

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2668

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2984

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3044

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2804

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

MD5
671cbfaf34c587539cb75edfa94bf6ba

SHA1
3b14587405d1cb50f2b1e24230d044fe70e11ebd

SHA256
3c34058cc11b1cb997051c2c0aa905634435f3b3bb37f5ce751f11869bdb8d94

SHA512
3a3bdc5d5d70bb2164d954c55a8e04792afe15e9fc2962ba91e7c269a145b26856231c236588a71b888d49f062cf2d948a52c2dcb18e01be30ecb666ca4dd612

Download Submit
C:\MSOCache\All Users\RyukReadMe.html

MD5
671cbfaf34c587539cb75edfa94bf6ba

SHA1
3b14587405d1cb50f2b1e24230d044fe70e11ebd

SHA256
3c34058cc11b1cb997051c2c0aa905634435f3b3bb37f5ce751f11869bdb8d94

SHA512
3a3bdc5d5d70bb2164d954c55a8e04792afe15e9fc2962ba91e7c269a145b26856231c236588a71b888d49f062cf2d948a52c2dcb18e01be30ecb666ca4dd612

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.RYK

MD5
7b6eb696fc26c6973847974e2e57d74a

SHA1
5c787351556c1311b94cd124ed2122c3ba77df93

SHA256
2bb00375bd33aa1f9b475e699e28c324bfe0010022c04a582ae35ec85e1c2d23

SHA512
29338bae4f70105456c04d3b0541fbaccd7a3d38ff0f81d374a25b4ec21cb442b6d1031277de58073f72fb23620249721d4bcd456a33c76e586b3e81725d5a4d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

MD5
8b168982710e7ba51a7c302b9622b334

SHA1
1a68792677e577bf024dde36462db4c5a80d763f

SHA256
0e70c8a2a29c3e62755e403345cb98bbfb9ed19fe47384d10c60b7553580cae5

SHA512
071ee0cf99d025556ecbe3ffb034d251fa8992a96e62724573af2675b2301d6d8de2a32efa71f553ea6d360c85c917892489f95c436282de6df6d1e2a594e2aa

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

MD5
6f0e957d4c52d14a3fa43609abf63029

SHA1
5dfe209219b3257de0e708c43d9d74c79f4f2c40

SHA256
07e2279d29f27173f740a85b37c3ecedda205a9466f0fb84e63100058ef88105

SHA512
ee53e3082259c789d46066b8d350b137657dfa5bb1797f5d2fef6f6e154a25926191602c3f2c774d542f9466722bf061ffdc108efb8a61e01979dc52782b8c71

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.RYK

MD5
3ae5413d67ca640dcfec412fd65dcf35

SHA1
ce9b0b9b4d7dee9c6ae3c1c60ece9b469a47e5ca

SHA256
03b7f4bf56a899e3483097ec24a9ca42cba463e8fce0d042417984370deeed97

SHA512
e04a91ce2bcecc2e91842b4b6dba1b6acb7955d648037c3e11a9df135282571b858af8c1bdc4db18729c89d0244144803616980fab8daae3f3a0ec3dc993b2e6

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

MD5
3b9101bec1da024a942f8deb0c4490a9

SHA1
af3999bd92423e296d8a0ce9be38cb3817b15f34

SHA256
669455324121480a3625b01c912def760cf31abf03ff6fac6f81da7b8d08aa25

SHA512
26116cf6bef7c00259375a7a5ed64906fec1cdcd60d9154aa3c57beae69b3186bd5b5c20627644dce1cf52ee3c2319eb7ceeeb016f79313e1cc17fd5cdcdaabb

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab

MD5
575f46221b7d7b4c046261ea1804363e

SHA1
2dc88b594176c20662c3b391771c05763e596903

SHA256
35dc7bf25b8b7382eba800f623c35e5059630e166844241f59de0c857492d609

SHA512
7fd10f1ba8b2f5d3b25302342453c368b0b3bd5f4159d1741a89eebe05f48795d157de5ef7435859d1323838f2b31df17d00fc3c723b651d6183e64f496ee69e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab

MD5
969ab100c02737dc94410718b099c8b3

SHA1
65f8f9ba7243395f1912d2d4588ae8e48a90eed1

SHA256
9b1a01a1ee9fe06fad1abdae6c71e18b6c3d12b2380c3170eaf94e5430ef654b

SHA512
116d2ace93c96afbe9451d16e91b13be2dae5bfc0f01bf9de3b20f40d526f2e14d550ba51c6c57aa5f35d395010a3320cea1bc27a753cec4b9009baee185a2f5

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
671cbfaf34c587539cb75edfa94bf6ba

SHA1
3b14587405d1cb50f2b1e24230d044fe70e11ebd

SHA256
3c34058cc11b1cb997051c2c0aa905634435f3b3bb37f5ce751f11869bdb8d94

SHA512
3a3bdc5d5d70bb2164d954c55a8e04792afe15e9fc2962ba91e7c269a145b26856231c236588a71b888d49f062cf2d948a52c2dcb18e01be30ecb666ca4dd612

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
eb607c4ab5786b7233f43dcabcf4c7db

SHA1
056084be02bb81b805c206961cf7f22dcd7232ff

SHA256
ad9935a70d5cd803b53b3ed355fab5b6313c34627bea9c0fff506b6acbdb05f4

SHA512
fa4869dde2d6de9232cb5ea22b24355695e5694d5c7de6d521bc2f38dc0348d477e6b06b6ee662004a2a74b702eef8d204d65277625088fec352ecb59a7260c6

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

MD5
042cff7a999a59b9d16d90e6173ae2ae

SHA1
6579650a4bd19a5f11be9b742460b043fee4cf09

SHA256
5e72971776c066a1d8f587eca61ad2e9b91b8d7b7d5560a8e07ba2a5bb677262

SHA512
ae4d47427723335bc85cac5b8da8108b2c50fbb608e0c633da20b1289e45ffc415ae8278c0cb5e12b4b4766b8ae7e5a713c488a8b2d43e2c2c0cb7ddafb7b902

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

MD5
b65c63099ec54e5e1319ce5971bd5f1c

SHA1
4c1a9f586e7020e0f8a949c7d4aaab003f100c15

SHA256
d29593ec2e09ae6969a3e89c8258d9c532d3c0625df7fae6aa084b3a0afe982d

SHA512
6da897ba4e117b8c585350676221dccdb0786332548d76ddac3013c2762436d2df865703d83fd93f63cc6e250fdd6f36d56c2f92efce9fc3409343a8b424e6b7

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

MD5
8f387b0c4ae329e0a812c25797ea3362

SHA1
40524e5457dd64d386ac5a15dedb19a3d0663a44

SHA256
074b348102e52bb772244cbefe1a282a450f10de010707c0af737faa25b93727

SHA512
555f215cbfed088f1ec546f74e38170609aead7a529c118ff4957fc3c29812558b27c13bb668af48926b7ac775901c59784f6a8560a47b4d770911ed986f0c50

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

MD5
038c540324548ccffee5c19a7ad0c1ea

SHA1
5cabe381195adebeb0780ff21648f69273eed36a

SHA256
94af2808581e5cbd7c0b8a521d7dfb42dbead59b96b30e9bb19c1e3ef561a0a5

SHA512
e35cd4ddf079796978497496c7801e23026169d1673537b2b0434269f736c9c73461f42317c82cd5713455d1fff01519c9858527e309df5614f0861b918ae845

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
671cbfaf34c587539cb75edfa94bf6ba

SHA1
3b14587405d1cb50f2b1e24230d044fe70e11ebd

SHA256
3c34058cc11b1cb997051c2c0aa905634435f3b3bb37f5ce751f11869bdb8d94

SHA512
3a3bdc5d5d70bb2164d954c55a8e04792afe15e9fc2962ba91e7c269a145b26856231c236588a71b888d49f062cf2d948a52c2dcb18e01be30ecb666ca4dd612

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
27dae7c524586622abe42e9546418b63

SHA1
2f2e880f06f20c0abf70c1c7ba5f6b65d5641a92

SHA256
0e6bc0a97121829caf73904201e0bcf294dab42d6ecc196ea98cc8256a20c033

SHA512
312f8057c4991cdb6f72e7ac73bff7491ee4e4641d68c04fb5292943b1dc6ac10695acc1eac7461b2065706f8f0a1a6a1d269cb90c3688c780973d56e88a5e9b

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

MD5
1a415c75220693baff16a7e61b69d648

SHA1
7ab7acef15560cbbf3cbd8da53a479e157fe665f

SHA256
7ab626350464a9ad742c6236943eb31b1f3f41ef66208fc5e249769d09ac59e1

SHA512
845f0f49fbbfeeacaf1b9e4d7008e146686c1646059d59954e3fcf65d01e9bd4f97f0393a65176388d5ce83e5e4e820887eda3859b615a51e179166b920bc440

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

MD5
60626b69cd91d3377cc5dceb84dc7a6c

SHA1
f7b106a684ab2c409d8217353d8461cb298029da

SHA256
8543d64e5bbe25a7ec63dae174dd6bd7e9193c715a8185d91df05f2b22a3268d

SHA512
798811b04231e13e2905e0fa8c9d23e652333b1275e1faf825c2dedb99d2215894091b386d94bdada66fbd0b9b1caf04e774d16b5e6d7aaa339c0a8d3ca4b32e

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab

MD5
3d4fc137aaf3d1b2fdd582ce7328e986

SHA1
3f2bc2fb0f75d65efb41a1d9e6ef775b8cd2f821

SHA256
032714478bdd15d4122b7b7eef4e4efc63ac75cd162ab818b5414a0e40c4622b

SHA512
735d86ef581103d0b081059e918a0e8e97e7d644a2a9cd999bd8733c024048cf3a3cf6f859729129c67987af167e08a97995b9d355b4221fa8baa8ab02ad02a5

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
671cbfaf34c587539cb75edfa94bf6ba

SHA1
3b14587405d1cb50f2b1e24230d044fe70e11ebd

SHA256
3c34058cc11b1cb997051c2c0aa905634435f3b3bb37f5ce751f11869bdb8d94

SHA512
3a3bdc5d5d70bb2164d954c55a8e04792afe15e9fc2962ba91e7c269a145b26856231c236588a71b888d49f062cf2d948a52c2dcb18e01be30ecb666ca4dd612

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
bfb76c202568fba741a659c5fac6c1ac

SHA1
a9990e082b15aba0e216f9467358061c001699e7

SHA256
15ca837484c70b3eb92fbe6b97d7da15b0aa4fc8e17585fc63144d923295e707

SHA512
e896ad086f1f329a1b9cad1b97f2b9680c917ac8a068d061ce5d945fc2e7e82da6d49230010d418996ff894c8e0378375423b1ad57fec5a2edf81e7dfa921671

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

MD5
d2d51da25c81cfc148aac650df324fb4

SHA1
32dfadfc3a3e84f0f46c916e9428b507f2889942

SHA256
9da473cfcd258054d0dea0e532304a689738f98c32d405bb8e05d5b25f0bebfc

SHA512
1e7ee23951202d3952aca2bc424a60a03ce84c18f04dfc92a3ab896300320ced1f94f92f72d3511c15cd7bf48fde19555d1b6f29c77786d6068473b6a9cb9d35

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

MD5
a5c3c7b973ead71860ec41fc2e72a0a7

SHA1
d852a005709058281dda9f17e40ea61917e872f6

SHA256
f040ed44434ef989f4fe67cb66318f7570f9628a9e1779dc913fd5c6178bfa33

SHA512
3f2857177f33520c178d760bb126ed59614981a052ab8450a4d527446d64fa58447570c754a003680b8807e0b5e401b1edbd330f2275ab92006590f3f477e57d

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

MD5
864c546838112f05ca86348dad3cbceb

SHA1
c878d1fc93c04765033eef8ce6208655e15fee2b

SHA256
53bc631f9cb5cbeb008f145b0374d523d41496b1c70f3308727a972a0bc255ca

SHA512
af7ad3beb918a3fb0dbb20ca2ccd9934bcac3403499f9b7bc2a149fce7105f98e7b2a033d6a2126ae8a7af979475f476dd799dfc1c7bb8d659272ba8d2521efe

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
671cbfaf34c587539cb75edfa94bf6ba

SHA1
3b14587405d1cb50f2b1e24230d044fe70e11ebd

SHA256
3c34058cc11b1cb997051c2c0aa905634435f3b3bb37f5ce751f11869bdb8d94

SHA512
3a3bdc5d5d70bb2164d954c55a8e04792afe15e9fc2962ba91e7c269a145b26856231c236588a71b888d49f062cf2d948a52c2dcb18e01be30ecb666ca4dd612

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
6e2bbddf0e588fb6b3e821e77a6bb3d7

SHA1
b8ce0bcfde248cfb9bb4701a58c467fcfc36a645

SHA256
30dfdd1a5bfe90f0ae8311fa8c1981a103791c46a86ef4abee69cc0cf04e0085

SHA512
fa8d6fb76feac503f418db6f221792d05c3c594e8fafa3a92cbb45a493a229cc8417ab163063bfdd7ce1559d131193456c704dc6ed9f499c0964969b3296ea59

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab

MD5
0605e6d114016c623bcb063227cb0f97

SHA1
b4c3d4cd8d3c68e4c97e50cd9e04228ef656b208

SHA256
c3a99bf2aecfcce72e0b48b77c7f760c3119c5513c177965d7bce944ad013ac3

SHA512
613aa5b9d9bc60ad69bfc53e31ab77fac8dd6c86c9a5f30c39871c78ec0e80931810bc7889d0de65a6ddacec9764fb64132aaf6fb04098d19b8c8735d7e94a1c

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

MD5
6850ab064052bd2cfde535d3cae3a773

SHA1
492e9f833f4783f25ee260eae3e698f9be7e0f82

SHA256
b50b2f88350ec38af811431a74d445760fcd2507cadd02943f1cb16705e5e0dc

SHA512
0e957642a2dc11723d1814a3c976b2e05fe57341b58c70ca58341200aeacd3a20b44ffd898bdb6a3a8fe4490de9568efb57e3fbe6a4128d6b443516123bd1b6b

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

MD5
f7b62aec0cee5038712f0954526fe479

SHA1
e21cf00237929ed5da9ac4064b57718d54dbaabd

SHA256
a6d91c448388d4caa5740e8561c93a5fe8650c7d1a70c07a92e9f1293c3d4456

SHA512
394df9acaf5424f66a8d5aedafaa46def55f64f4481152b33093c43fa2529f26c00d2dbe6ac9cb7ca75c4fd49d3038a9480702f141108a884986d9c861ee0565

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
671cbfaf34c587539cb75edfa94bf6ba

SHA1
3b14587405d1cb50f2b1e24230d044fe70e11ebd

SHA256
3c34058cc11b1cb997051c2c0aa905634435f3b3bb37f5ce751f11869bdb8d94

SHA512
3a3bdc5d5d70bb2164d954c55a8e04792afe15e9fc2962ba91e7c269a145b26856231c236588a71b888d49f062cf2d948a52c2dcb18e01be30ecb666ca4dd612

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
57d37ecf9d613690241a93ad456bf641

SHA1
ba4983733385d9eb610d956857aceda5cd0af83c

SHA256
298879c3ab19fc3fec0c042870a6755452bc89fb08ee255eb549eecb7d2e70b7

SHA512
670d1d28293906e9c82ce30a71c5b74dce12851270cb85085dba07fb7b47700a8bbd91658920604e0af1eb0b479e9fec4dc29a50b9856f8b8b1fccc4afe9d71f

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
671cbfaf34c587539cb75edfa94bf6ba

SHA1
3b14587405d1cb50f2b1e24230d044fe70e11ebd

SHA256
3c34058cc11b1cb997051c2c0aa905634435f3b3bb37f5ce751f11869bdb8d94

SHA512
3a3bdc5d5d70bb2164d954c55a8e04792afe15e9fc2962ba91e7c269a145b26856231c236588a71b888d49f062cf2d948a52c2dcb18e01be30ecb666ca4dd612

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
ccd0c31db93ddcf7b1c94a4fefe41359

SHA1
c6ded5efc6e1d5ea23e7c12a64d51ae0da379cf2

SHA256
dd4d97d9210e3a5e6a2159d6993b07a9fc6ee2e87ffdea84e26f314410177352

SHA512
2ca2ecf1d6b316a99861225f50ef50f5d755d40342e1de33d3001bb2c4271539f2c3757d789388ffa239a87015789b49cb8ac1033025c8caeb36290b1cae5bcc

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab

MD5
6d3d230ff7e156d9fd2c73ee69be73c0

SHA1
a17ccf94800c05f55239f9f64d81ea69f65a537d

SHA256
c2430d6153ab1bf5555ad720c1d6d0b75d734cde1869c69fd94102d56b474adb

SHA512
43d2692e44399d4ac20bf75832c5117d6a9be9df370acbd530d173fffd78a23445473a809b5ef557cfa4a940b9c58c6bfc5571073d8584bc1273c32d91a6a62d

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

MD5
9f2ecb49214bb3da880cbaaf5e9cf954

SHA1
64559e376e3cd9d9b6ac7aed43107fa34fb31f42

SHA256
21e0c50f6a0c24029e088a9d5cb82897873a9241d39c8c48001fa91c8601d78f

SHA512
bb09fefd05e092110edf3803a55fb366851ee86472934b84a387a01830d61945e59727c079172babb8ee630e8975ecfef11eec6a9c618afcc6fb2c4e3e3599af

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

MD5
07a61fd430fea91a4c40905268eaaf8f

SHA1
f743cd3523c9e621f535c6232e548cc4dacb5f46

SHA256
7e20eecd9a920c2525e88f46092d76ba9e1f84d395090c03d3bfe03d61c94674

SHA512
31e1447d3221251873a73705ac0fe0f63ad224b4d31aa609736043b820b49354aead2d5a40eb921cf92ee928fe517e3c68e1d9ab360d3ef787b1f29b673b2677

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

MD5
31c981cb5a39c6fd1dc04c01ea9bf72e

SHA1
46c00c9cc9b6e28688fcd0ff27d76bbfbf380630

SHA256
ad364f3ec39362dd47e09d6f3732624275d7a57be3da1321edbc475764e9dcbb

SHA512
166aa961b7dc4911860a87f1f842b804af4e8b2dc142d960a6d08fca8051f123b5d7fb80de070de8b7444e29867f5d54804176e3ab551c99059bc4e6053df573

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

MD5
99e9302649b1fd5f1bbdd352410010a1

SHA1
9fc8a7194ea222ebfa4e291ad12d9fa3d31cd0ec

SHA256
d8b96d55d407175f0e48ede5d00e3922b84a692e06797b4c63ae4c446bd417b4

SHA512
52e081e54f09427aa85069c7ee376ed2b3620e7e0c59a675b6c1845f72395c9e6c706832606ddda92aa52b84ec6c1e4a46e039ac6e970ed63dd8cc70eedc9495

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

MD5
9804ca5fdf731a7e2ec039ef39635342

SHA1
fbe5d72632043e06afaf8474b12ec391beba89a8

SHA256
f4a5457d037360ca635977833cee37c432828abf8679242561ef9e7c2441730f

SHA512
3ce6bc777165d048d99cff2db958fc96609098da936323730fd3e96c7b2b5273ba255d2e55a56ff57a484b45a2e2bda88b1030c4bb79b852f0bf6331c260a276

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html

MD5
671cbfaf34c587539cb75edfa94bf6ba

SHA1
3b14587405d1cb50f2b1e24230d044fe70e11ebd

SHA256
3c34058cc11b1cb997051c2c0aa905634435f3b3bb37f5ce751f11869bdb8d94

SHA512
3a3bdc5d5d70bb2164d954c55a8e04792afe15e9fc2962ba91e7c269a145b26856231c236588a71b888d49f062cf2d948a52c2dcb18e01be30ecb666ca4dd612

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

MD5
6311c56c99746be3f6c27969fb58edd8

SHA1
4d20515936bdf592b73a02be4f48f240e19e337a

SHA256
1daff5e7423a22aa5bce11d64304f9da92b7cba547d1a07e480e2a81cf8f4a0e

SHA512
7b90c70773440b0b2d7ce45b2d861d4c0e2b08ffc1cb852767b5abc87cbeeebdda586ec0a2d95ee34660907614fd7500919a9d5d98725dc7a5547fdbb4698eeb

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

MD5
91d38901ed3f92d588333e0ccea37d81

SHA1
57fe3a168aa15e89b68f52e97cc43fc8fbdbe145

SHA256
f1b72a6e6b1f03aa3e3d860c3b7a65658124534e772a1254ff33d9d22419d581

SHA512
fb6283128668f7c415d6f370c80e372560d137b4bd4a262dcb8154751b655dbd007407bf8275d3ccfd0192d13e38926ed0f6b7c47460860ffdb1df3df245b0ea

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

MD5
125b9b4dfe79de2fe414cd3e40b1ab33

SHA1
b628887641b3798e530b140715e3290834cbbd7d

SHA256
e271983ba3f93e28f7b94f6f124e036672bfa23a378984f6ea5417b8e481941c

SHA512
c7c6ca3711468645ebb2340dadd4c2181a1b2a713e9758079482cf37a4871301813092ead9b6892a77a4062a67362493b349d03007900231512710c6b97d45d2

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.html

MD5
671cbfaf34c587539cb75edfa94bf6ba

SHA1
3b14587405d1cb50f2b1e24230d044fe70e11ebd

SHA256
3c34058cc11b1cb997051c2c0aa905634435f3b3bb37f5ce751f11869bdb8d94

SHA512
3a3bdc5d5d70bb2164d954c55a8e04792afe15e9fc2962ba91e7c269a145b26856231c236588a71b888d49f062cf2d948a52c2dcb18e01be30ecb666ca4dd612

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab

MD5
dfd3a1ba4cb6918eaede6a5de8d22c64

SHA1
86898d2a43fc8ef5bc26501badc6205afc6e747e

SHA256
75efbd0d80cf29b6433080f204407fae9eb6311225be62225083e4be2b51fd7f

SHA512
f1ce5979f3d6b9cd5177392b16a57f2c9897d76e59839bbe402a4e39e71335779fa11797b2eb906cc5c3778bb913dff6cf5177187c1d7cb4dcaee07dc16d65c4

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

MD5
07ae08079cf30569357926efb7dc41ab

SHA1
aea347b96956de37ff7f13406063db8aa15001f1

SHA256
2f2af04c0a5f62dbb71dd22f6513df7169fbf99918197009efa93c0891aa5d9a

SHA512
4b8f7d07a55aa79edab09e5f9bd9601604c17d591e77b37abbaeebd1e0db25750ea60b9c9182679f319cfdfe9153be04e9a98f79e4ab12c15b6c72a69bce78a2

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

MD5
b602ee3ba2a00b0b45da269c9945766d

SHA1
02dae402d96fca85b9493508ce18557c218c3176

SHA256
a79c55a04c0618b50e0fba79b633d851ea88c3c2bf148264b1ab7ed52a2de0d5

SHA512
aa6b77343c1ff7b800129d7c0bc2d581c61879b574e445f38535b2b99c7c2fc4fd93f8495a26065e3c3fd8eb76f24634ef06c5f5ed29cdde24d995b993e5adb6

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.html

MD5
671cbfaf34c587539cb75edfa94bf6ba

SHA1
3b14587405d1cb50f2b1e24230d044fe70e11ebd

SHA256
3c34058cc11b1cb997051c2c0aa905634435f3b3bb37f5ce751f11869bdb8d94

SHA512
3a3bdc5d5d70bb2164d954c55a8e04792afe15e9fc2962ba91e7c269a145b26856231c236588a71b888d49f062cf2d948a52c2dcb18e01be30ecb666ca4dd612

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

MD5
304d57d28429deec8a1b8081daab8623

SHA1
f1f337da68e43e9aa67648672f2e25dcf7ef7c70

SHA256
3df183f8c278b1719765253dd0e4e2d4532dd30119dbe297e8376ff867f031af

SHA512
1952587c670bc1dc524cc58f4d5f3e861486baaa14ed6a2fcd5ff16229a250f4f05846f13ae42e2934345d4cadd7a2a12992df250b4e77d556e5dbda89db0a09

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

MD5
048a2cea944f3df23a95cfd367a11e4b

SHA1
1e1f662f98811ffb0ffdd1a3e02d789ce859b1e0

SHA256
651b372b38661fa043a1163126dacf4b540d4ed942e4dcdf724445df4a1de7e2

SHA512
ea650015fcc6e0576ff2161eb9c28359cdbe79b84c01df29f26983eee240122ab0cb77361527a3b086b5101b35c9e0f94f275de6841daf773def198a03b1615c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
671cbfaf34c587539cb75edfa94bf6ba

SHA1
3b14587405d1cb50f2b1e24230d044fe70e11ebd

SHA256
3c34058cc11b1cb997051c2c0aa905634435f3b3bb37f5ce751f11869bdb8d94

SHA512
3a3bdc5d5d70bb2164d954c55a8e04792afe15e9fc2962ba91e7c269a145b26856231c236588a71b888d49f062cf2d948a52c2dcb18e01be30ecb666ca4dd612

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
6ddd0feb1e3fd414f731fd913c2d5512

SHA1
1d600a7eef9bf05b4d7266d9fbed690ab9d60ce3

SHA256
edf1585ac33d5926afed82103ffc968477f4851519fd7a3ac9830b85868ef7df

SHA512
9a49586a7d957183b8f0cd23ce9392290988c676550966e521858e426a30a008c4004cff73125da0a8ec92b30dfcd0e633e484cd3a855021d2d9234e38febdaa

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab

MD5
83f046ff11010b0d12fed290898a2696

SHA1
e3c014e5926941023df68e2aad02c8eb68c59aa2

SHA256
eff28ee80cc242453755b2edcd1d77a52ef0313d59d75375366f0434547ca85a

SHA512
9ff9acfe230f100d9fe7cf852b64adc7edfa63816baaffa6439109e1394b9e512604cb34343a8a75b80424d8cfc77170c608ef8796efb18e3df76c96f1d1e611

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNtSvwiqNlan.exe

MD5
b16db2ad22dfe39c289f9ebd9ef4c493

SHA1
23ccb60927905eb9be2a9ee4230ebac0836b611c

SHA256
0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892

SHA512
5a95bda6dd3761e1a7967562c8dd1b5bf68ce7ac5e7a0c345465c012f9baa7f668080f9998cb29d8e45ba43adb3fd104ef62380818d2eab5ecf2a1e19e5b95e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NmIiZIXsAlan.exe

MD5
b16db2ad22dfe39c289f9ebd9ef4c493

SHA1
23ccb60927905eb9be2a9ee4230ebac0836b611c

SHA256
0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892

SHA512
5a95bda6dd3761e1a7967562c8dd1b5bf68ce7ac5e7a0c345465c012f9baa7f668080f9998cb29d8e45ba43adb3fd104ef62380818d2eab5ecf2a1e19e5b95e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ezKOrmiEirep.exe

MD5
b16db2ad22dfe39c289f9ebd9ef4c493

SHA1
23ccb60927905eb9be2a9ee4230ebac0836b611c

SHA256
0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892

SHA512
5a95bda6dd3761e1a7967562c8dd1b5bf68ce7ac5e7a0c345465c012f9baa7f668080f9998cb29d8e45ba43adb3fd104ef62380818d2eab5ecf2a1e19e5b95e1

Download Submit
C:\users\Public\RyukReadMe.html

MD5
671cbfaf34c587539cb75edfa94bf6ba

SHA1
3b14587405d1cb50f2b1e24230d044fe70e11ebd

SHA256
3c34058cc11b1cb997051c2c0aa905634435f3b3bb37f5ce751f11869bdb8d94

SHA512
3a3bdc5d5d70bb2164d954c55a8e04792afe15e9fc2962ba91e7c269a145b26856231c236588a71b888d49f062cf2d948a52c2dcb18e01be30ecb666ca4dd612

Download Submit
\Users\Admin\AppData\Local\Temp\FNtSvwiqNlan.exe

MD5
b16db2ad22dfe39c289f9ebd9ef4c493

SHA1
23ccb60927905eb9be2a9ee4230ebac0836b611c

SHA256
0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892

SHA512
5a95bda6dd3761e1a7967562c8dd1b5bf68ce7ac5e7a0c345465c012f9baa7f668080f9998cb29d8e45ba43adb3fd104ef62380818d2eab5ecf2a1e19e5b95e1

Download Submit
\Users\Admin\AppData\Local\Temp\FNtSvwiqNlan.exe

MD5
b16db2ad22dfe39c289f9ebd9ef4c493

SHA1
23ccb60927905eb9be2a9ee4230ebac0836b611c

SHA256
0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892

SHA512
5a95bda6dd3761e1a7967562c8dd1b5bf68ce7ac5e7a0c345465c012f9baa7f668080f9998cb29d8e45ba43adb3fd104ef62380818d2eab5ecf2a1e19e5b95e1

Download Submit
\Users\Admin\AppData\Local\Temp\NmIiZIXsAlan.exe

MD5
b16db2ad22dfe39c289f9ebd9ef4c493

SHA1
23ccb60927905eb9be2a9ee4230ebac0836b611c

SHA256
0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892

SHA512
5a95bda6dd3761e1a7967562c8dd1b5bf68ce7ac5e7a0c345465c012f9baa7f668080f9998cb29d8e45ba43adb3fd104ef62380818d2eab5ecf2a1e19e5b95e1

Download Submit
\Users\Admin\AppData\Local\Temp\NmIiZIXsAlan.exe

MD5
b16db2ad22dfe39c289f9ebd9ef4c493

SHA1
23ccb60927905eb9be2a9ee4230ebac0836b611c

SHA256
0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892

SHA512
5a95bda6dd3761e1a7967562c8dd1b5bf68ce7ac5e7a0c345465c012f9baa7f668080f9998cb29d8e45ba43adb3fd104ef62380818d2eab5ecf2a1e19e5b95e1

Download Submit
\Users\Admin\AppData\Local\Temp\ezKOrmiEirep.exe

MD5
b16db2ad22dfe39c289f9ebd9ef4c493

SHA1
23ccb60927905eb9be2a9ee4230ebac0836b611c

SHA256
0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892

SHA512
5a95bda6dd3761e1a7967562c8dd1b5bf68ce7ac5e7a0c345465c012f9baa7f668080f9998cb29d8e45ba43adb3fd104ef62380818d2eab5ecf2a1e19e5b95e1

Download Submit
\Users\Admin\AppData\Local\Temp\ezKOrmiEirep.exe

MD5
b16db2ad22dfe39c289f9ebd9ef4c493

SHA1
23ccb60927905eb9be2a9ee4230ebac0836b611c

SHA256
0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892

SHA512
5a95bda6dd3761e1a7967562c8dd1b5bf68ce7ac5e7a0c345465c012f9baa7f668080f9998cb29d8e45ba43adb3fd104ef62380818d2eab5ecf2a1e19e5b95e1

Download Submit
memory/1108-76-0x0000000000000000-mapping.dmp

Download
memory/1676-9-0x0000000000000000-mapping.dmp

Download
memory/1724-5-0x0000000000000000-mapping.dmp

Download
memory/1852-2-0x00000000760F1000-0x00000000760F3000-memory.dmp

Filesize
8KB

Download
memory/1928-75-0x0000000000000000-mapping.dmp

Download
memory/2580-14-0x0000000000000000-mapping.dmp

Download
memory/2656-18-0x0000000000000000-mapping.dmp

Download
memory/2668-19-0x0000000000000000-mapping.dmp

Download
memory/2668-79-0x0000000000000000-mapping.dmp

Download
memory/2764-80-0x0000000000000000-mapping.dmp

Download
memory/2804-81-0x0000000000000000-mapping.dmp

Download
memory/2968-82-0x0000000000000000-mapping.dmp

Download
memory/2984-78-0x0000000000000000-mapping.dmp

Download
memory/3044-77-0x0000000000000000-mapping.dmp

Download