ryuk | 6dfef684475fcbf722f88337d630668b6fcb73864daa9a7e65f3642d3766fdfc

Analysis

max time kernel
152s
max time network
154s
platform
windows7_x64
resource
win7v20201028
submitted
29-03-2021 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
Size

468KB
MD5

9296a9b81bfe119bd786a6f5a8ad43ad
SHA1

581cf7c453358cd94ceed70088470c32a7307c8e
SHA256

0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591
SHA512

64955ec13d7e874d8aeb9490b2ff814473e02ef93eb071bab460add8b5966f660ddca1ba80cf1055f7d2c5cccaf4ad62d908356547c8c13387e622e5dfc849a1

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'J5U8YdUCr'; $torlink = 'http://ddchw6p2kegymsyoqljqnsslebfh5t7e45s6m2pqhhn5mt4yb3rlazyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://ddchw6p2kegymsyoqljqnsslebfh5t7e45s6m2pqhhn5mt4yb3rlazyd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

PvxqYAathrep.exeCAIwTZxaUlan.exeSrPcFVipElan.exe

pid process

752 PvxqYAathrep.exe
516 CAIwTZxaUlan.exe
2596 SrPcFVipElan.exe

pid	process
752	PvxqYAathrep.exe
516	CAIwTZxaUlan.exe
2596	SrPcFVipElan.exe

Loads dropped DLL 3 IoCs

Processes:

0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe

pid	process
1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

2676 icacls.exe
2688 icacls.exe

pid	process
2676	icacls.exe
2688	icacls.exe

Drops file in Program Files directory 64 IoCs

Processes:

0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00351_.WMF	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateHelper.msi	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152556.WMF	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239967.WMF	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Riga	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(inch).wmf	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01191_.WMF	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.zh_CN_5.5.0.165303.jar	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Majuro	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\ECLIPSE.INF	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\as90.xsl	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153313.WMF	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yekaterinburg	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_zh_CN.jar	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_ja.jar	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_PT\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\vlc.mo	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105238.WMF	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196364.WMF	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.lock	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-progress.xml	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEXBE.DLL	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiBold.ttf	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-ui.jar	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-loaders.xml	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jvm.jar	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Funafuti	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105912.WMF	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\tipresx.dll.mui	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsScenesBackground.wmv	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+7	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_zh_4.4.0.v20140623020002.jar	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.SYD	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187849.WMF	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ho_Chi_Minh	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-visual_ja.jar	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Enderbury	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00525_.WMF	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Aqtau	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_zh_CN.jar	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HM00116_.WMF	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188679.WMF	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-over-select.png	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\THMBNAIL.PNG	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Mawson	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Monaco	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe

pid	process
1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1872 wrote to memory of 752	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	PvxqYAathrep.exe
PID 1872 wrote to memory of 752	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	PvxqYAathrep.exe
PID 1872 wrote to memory of 752	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	PvxqYAathrep.exe
PID 1872 wrote to memory of 752	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	PvxqYAathrep.exe
PID 1872 wrote to memory of 516	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	CAIwTZxaUlan.exe
PID 1872 wrote to memory of 516	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	CAIwTZxaUlan.exe
PID 1872 wrote to memory of 516	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	CAIwTZxaUlan.exe
PID 1872 wrote to memory of 516	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	CAIwTZxaUlan.exe
PID 1872 wrote to memory of 2596	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	SrPcFVipElan.exe
PID 1872 wrote to memory of 2596	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	SrPcFVipElan.exe
PID 1872 wrote to memory of 2596	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	SrPcFVipElan.exe
PID 1872 wrote to memory of 2596	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	SrPcFVipElan.exe
PID 1872 wrote to memory of 2676	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	icacls.exe
PID 1872 wrote to memory of 2676	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	icacls.exe
PID 1872 wrote to memory of 2676	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	icacls.exe
PID 1872 wrote to memory of 2676	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	icacls.exe
PID 1872 wrote to memory of 2688	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	icacls.exe
PID 1872 wrote to memory of 2688	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	icacls.exe
PID 1872 wrote to memory of 2688	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	icacls.exe
PID 1872 wrote to memory of 2688	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	icacls.exe
PID 1872 wrote to memory of 3404	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	net.exe
PID 1872 wrote to memory of 3404	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	net.exe
PID 1872 wrote to memory of 3404	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	net.exe
PID 1872 wrote to memory of 3404	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	net.exe
PID 1872 wrote to memory of 3440	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	net.exe
PID 1872 wrote to memory of 3440	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	net.exe
PID 1872 wrote to memory of 3440	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	net.exe
PID 1872 wrote to memory of 3440	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	net.exe
PID 1872 wrote to memory of 3448	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	net.exe
PID 1872 wrote to memory of 3448	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	net.exe
PID 1872 wrote to memory of 3448	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	net.exe
PID 1872 wrote to memory of 3448	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	net.exe
PID 1872 wrote to memory of 3508	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	net.exe
PID 1872 wrote to memory of 3508	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	net.exe
PID 1872 wrote to memory of 3508	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	net.exe
PID 1872 wrote to memory of 3508	1872	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	net.exe
PID 3448 wrote to memory of 3552	3448	net.exe	net1.exe
PID 3448 wrote to memory of 3552	3448	net.exe	net1.exe
PID 3448 wrote to memory of 3552	3448	net.exe	net1.exe
PID 3448 wrote to memory of 3552	3448	net.exe	net1.exe
PID 3404 wrote to memory of 3544	3404	net.exe	net1.exe
PID 3404 wrote to memory of 3544	3404	net.exe	net1.exe
PID 3404 wrote to memory of 3544	3404	net.exe	net1.exe
PID 3404 wrote to memory of 3544	3404	net.exe	net1.exe
PID 3508 wrote to memory of 3568	3508	net.exe	net1.exe
PID 3508 wrote to memory of 3568	3508	net.exe	net1.exe
PID 3508 wrote to memory of 3568	3508	net.exe	net1.exe
PID 3508 wrote to memory of 3568	3508	net.exe	net1.exe
PID 3440 wrote to memory of 3560	3440	net.exe	net1.exe
PID 3440 wrote to memory of 3560	3440	net.exe	net1.exe
PID 3440 wrote to memory of 3560	3440	net.exe	net1.exe
PID 3440 wrote to memory of 3560	3440	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
"C:\Users\Admin\AppData\Local\Temp\0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1872

C:\Users\Admin\AppData\Local\Temp\PvxqYAathrep.exe
"C:\Users\Admin\AppData\Local\Temp\PvxqYAathrep.exe" 9 REP
2⤵
- Executes dropped EXE
PID:752

C:\Users\Admin\AppData\Local\Temp\CAIwTZxaUlan.exe
"C:\Users\Admin\AppData\Local\Temp\CAIwTZxaUlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:516

C:\Users\Admin\AppData\Local\Temp\SrPcFVipElan.exe
"C:\Users\Admin\AppData\Local\Temp\SrPcFVipElan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:2596

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2676

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2688

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3404

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3544

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3440

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3560

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3552

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3508

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\MSOCache\All Users\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.RYK

MD5
041f4abd920792f5fd5fbc49b5f22168

SHA1
8c1e1ba9a2482eb68cb96091d2c09f8638f644c2

SHA256
aca0ac1a612558c65d5da48fc1d272c799cf45c77148bf35cb7057d9ffcc23f0

SHA512
26660f66685f5a927ae92ad67912b131fe359892e1f9d980508208b0f67d5ae4409db8b6c3c9c0699e9bc42f1f90561d0349597d451613c041de422ebfc73a74

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi

MD5
627e1c88bff2c278080de12727004641

SHA1
3716928cd4600d033e8b4c85363549f12f2fa4a7

SHA256
fe46d36a7f95d30ef9fbc923ead5d88138e5e28150c1368017951119a1a0f211

SHA512
5b8e44d338632ad6e4af0e05e7bfbf3e9841d760cd936e5e98e20c151f7c1baeead942a2932be322b7aa7053f3d85c249af9ecf60462966d0a81236256e4c66e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

MD5
b18a480ebc539adb42a8f2c07dbca070

SHA1
f505e161d19a3f882c92cc1cf4b473d9a48cabca

SHA256
fe8bff2be543df297c94144e729ba7312a586876607df6ec748d8d7517e15b4c

SHA512
d8978769ef1ff43127574c2cda46d795cc4a48458d137f430fa8aaae9aba617384e2693e675cac571febadd721e8b6791be2be031fa888e8baf98fbff8a6a622

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.RYK

MD5
b7bac9a6c86894b217edc710ae00d1a0

SHA1
1d9b03348c3a330c6f52cf0d22ead5c0045f31cd

SHA256
9ae294fddaf4b76efdac8a5580d12018f749fcc80055d0c9f3c81de55696f30d

SHA512
62914c3da3964b328ee7eba41b61e7e0489369e0691fb56d7d1ce5fb231f26c0a336a19148b9758d69824325f5ca24e2669db9d081196d496761e3f98a78018f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

MD5
aeaa9c64a4346d793495b3067bcab28e

SHA1
5c2e0c7eb0e325a87baed92ad1da96a4199258a9

SHA256
f6e23700ec6a2732d9a88263baff345dc322f15d4d04c910e691317b472c9e42

SHA512
2de9f5d75887f0222744656bb0919a7392e43fe2ca8a17e52f144415dd7f6e165443ac1762a10cf936dde4e52166aafe6a6cae588e41d797e7079d54074ccb73

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.RYK

MD5
c72262cbb3e66159a006b195d65b2289

SHA1
6c2aefe39239b3ef0a5582cb9354e69287d062a7

SHA256
2d7d5ebc724fa09449271f72ad0699cb2248023e0fb8673e4fa46bb68e1ad3da

SHA512
92ad6adfca7f3a12603aaabcd64f5049f61d995808afd4ebb83b525a591c3c70f46e9232880511f6147a533fcaabe56ab15443edaaac58be95d9a7020ed8172c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab.RYK

MD5
182989ccdb0ff0dae7a5f7845baf6547

SHA1
a81ea92daf8bce4c6cf0ab8d9aa70938f5e7da11

SHA256
6be2d5afab898c0e3b1ec3a1b600bc76b7866c14847ca29c145970bc809e9af8

SHA512
d1654dc32a2c7b0b33ed040c9cf80cf495c3aaa95b59abc7b8653278119270a1359a37968173f91fc0121c4c10997c428c9003101ddb1a7dced2f3e17b8572f6

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
0db18314351471d7ef2c290fd89c0898

SHA1
56852e30b334fe8997ade8f50c174aad0098f810

SHA256
4aadb87b0a659691629fb95a8fab0c0f129c1af44ed687a958e166bcee61bf11

SHA512
f8aaf2c881cc9f5feb832550144ba067c17d1880bf45c4a00e5ba8c5b216b21d3bbc294b6ac548b37bb9e6521dd6c2a5e0e68d28076f968b5172c1a15f304bb5

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

MD5
1617eeb0448e06f0a5607a9d9e23348e

SHA1
618f17446265a05595bec4d47419700b70696a12

SHA256
0c9f959ff52d65fb284931c13f6aa92aa74c749adaaa15ad2d8b9e4bf7b9bf60

SHA512
f3139ec2f98494f6bf73c10247aa6a87d7e64f28a908558cb85d0bc242dcb92f34d56b9ae860dd2833f09f8af7f01d7dc07846de65017d7b901f022d2e0f3904

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

MD5
cfc980ae401d8765fd49ea68ddfb76b1

SHA1
e49296b5c058dc99751f59dccf69850467ddb9f6

SHA256
527e09aacd0a72fb6a5aae25937f45feca766f4a1ccf072797e6f645ff5e62f8

SHA512
2686b1fc94c08e836287d1b259ae091c0568cb680e6c72168d3776efb4125c6033a6104ae9258920196421df8bb5aaabe6e960f1525eb7e301286c5c53929e83

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

MD5
3c3a2e3cf6cb70201f1d7673d0e5165a

SHA1
5981a253e17745222a20527b5221d86447b1d2bf

SHA256
2dbb22c9aa77999cf2b76fbfd1679576bb23b00f13bc44c0f630481e9843f123

SHA512
6b1f41585c05a6795db33f014879184080977dd78fa4ed5033a0a3fce9aa5a95739e0ffee2fb1135333542f6d298f3809fe5c5aa2e40d29110af4c83e4553cff

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

MD5
8e8297ceec754dc9700e67386dcf2ea6

SHA1
bb866289274c1d4444cf579d8331340889d41b35

SHA256
a8a5d7d16946ed34a51dd451bb66d666e88f1b24ca6c968cff6967411d7158ff

SHA512
2510d6aa0bb93818ddab85172ccf7b74ecef43b6a0d9bf79b6768115864c1e48cd5d7364008f3679617330ca4f50142b5625e1c0f2a342768fa15655c80ddd78

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
235b9360cc96180026614f9c4534c663

SHA1
33682dafeb5cdb8fdb3fdbabac3c2910b664f295

SHA256
e9150979a25e2d1426faec3ed648dac5bb97207181cfdb4d17fed77a9a119a70

SHA512
ed72e96ce5fe8b47c96d623f74775aee66a576fad7a12b270c1400989191c18fa25318e470b09626df947515aee27e4bb7e80079b9943c3b85a025d779d58eb9

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

MD5
1b87b74768dbf18f3e352c405c42746f

SHA1
8b32d218ef0bf2fb8d7da78f51dd3b4df78689e5

SHA256
92a12168953342b35329fb45eb0300cc0d1bf7d8dce9df9361e2b5de27551deb

SHA512
8b96d003183ae927ddba216308a1dd24fd5d2e93b22d970fadab7f2f9b3bc196088b4ffc879dcd8b19dd884f68653ce63fb18bfdb7fbba5866873c083de481d6

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

MD5
623a7e27add4974ebb9d364422073a48

SHA1
33b33edf612b63ac463fcf27b9afffc06dbcc99a

SHA256
f2543a2362b0004e36f1a02c7b5e7a4e949bc3afcfebb8f7e1eb029c07078439

SHA512
56239a9f96601343720155ddfdf925e4b47a8893a5ea6a232149fefa819e7fff0d006d20903c2b4ed94a0c60132ebb8fc339f45ad4d59f8e6d937459a598d67d

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab

MD5
5851e6c16196f0818d1d8a52eeb4ca97

SHA1
9d39913e436cad5d716dc4baffaf3f71df22c248

SHA256
f7d5f898bb887f9016abeb2de47379a3c2b26549262b9f58505f5262108b109f

SHA512
4da695436f32c7fc3473a9601feed09db28aa65693944e910e0f119f025a67ea7247d8f2eb339133b4faf912c28f4ce0101e1e1ac8bfab3ce36f777042140d1f

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
0aada7520363766d758e7a4206218f19

SHA1
27a21d9742f8fb48efb58dc396c4d8f5573e49e5

SHA256
e10586252ea3708d5337f47bab5b72d42c017b962ff0aaa7538802fec9dca4a8

SHA512
24485b7c775eabb4b2e0a1a537f4d5a999b8ea8ca379b51092e59ca3096f9dfef7891f57ffcc1d0462a07f4782f5bdf554e90d81b88bfbabe5de782a5a2c9edb

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi

MD5
998451410463ba8b12ed7bc1af56a44f

SHA1
00bee0728e433604d77ebc854c5187d546c7c44b

SHA256
3b34f830e0e2107f2bd658bc4fff20500472b9783d7849ee0b0c805cd41903e0

SHA512
3b19ca1def62225ddecc644b8fec55773650d067343f3dc285324364755492f93e7b59ed14f7b0bcf10b85d3fffd1aea075e6df8099c8e20ff52bce1a80289e2

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

MD5
9d171fc62043097db8c4cca6408c131b

SHA1
68731cc169387f4741fd2d5cedf74d412e86bb46

SHA256
4e17181a221332958173d77a756aeacfc5384a85de210b0b228421cf9987eddc

SHA512
d0affa990503f28eb065c26d74e3d2169bb36304c91be3b95975f8101ab9594361c499d0ce783dc8a8ef2071c0183ff3efec73e3eff08afe458c342168afe71c

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
766c4df173e2efad5bcef5ada02f10ce

SHA1
1570a03e0bf85289b20e5b1f56ea173f03428242

SHA256
df26f68cd31fbad7e383be2519012673531cfd05c9cbaa3b9fa1d61e72e88337

SHA512
fed6334358c6290ec9b92ec1a3f67586ba1df87f21244209bcae89f1b49a895d7713d8b05cc6d19df4112f3a492043f4ebac263206086e100623fa9d714fe891

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

MD5
8d4f03a8f8125099fe6ef7bd5fd8dfa3

SHA1
478c7caf1419d238051ea1fbbce21b2ad65ff06b

SHA256
e2d521fa712f7bcecb3273704e3815bb9dd458d9b36d5c27262d0ea6ef155e39

SHA512
7972581746c1f64e6130d12c4ce6a7d9c9fcf16d7f5ff332d25b23ca1b357d6a01983d40cfbcd180230fc5a3f7de49fdfeb17ad8ab509f306bba2dbe5d2ae46c

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

MD5
c24f6f13aca149269924c8f5ed5b373a

SHA1
8bf653f189a8e77e07d2784502f1c1d8c234682c

SHA256
d174e0decefe06f18e3b2b06a4fe0bbd5dc559b2bc7b099e8d1532ec036c3136

SHA512
f731d3e3617c4a93fd77154ecc966109ba997d84fc7d8fb6db61e695fbe610d1e907afc2247f636f5f0744f828fdd8fc1f4096be188a3c73af6841952516f7fc

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
fbf1f193fdd5998da0cf499df6c61b1b

SHA1
a0ffa5b6308022ebb59666530edc3f6fc9bb85dc

SHA256
b40136175c88e1351d96bd3b6731d81335c4689d74619b65efe52716e6cdcadc

SHA512
cf094814e09d7d04f5b26680771af50ef55daaea60b0c44502e1a6071fcd4980bc842b1b351c4820985a5f549d5f81fc0291ba5f06561bf0f6666965ba1d76ef

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
b5a83aeb03ee9f58367d2b3869e4acaa

SHA1
29d889e0d9c6f03fdfb7813f13e4100ed769a077

SHA256
088521e314c4198da743ef12543482f8aef0f02203dc0e07824a38692bd05a6f

SHA512
eee99bfb529278fc2b08b9599ee4f89963d38a311a72220641bcd337a2dc0675b7dd2d15346b44a599965db036606ebc86c19823dbba9ffaa43d440bfeb393ea

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab

MD5
94721ca67db78684127b65e3020e5db3

SHA1
44e0a3c8ae75c8556710e2e5ce94ee925f2e1547

SHA256
588ead969b761e8f03e6230be0e55601620f2a97611f104eb5633c5eca25ec08

SHA512
8bd23c89d85a8580316b24df55ac2ee5b494c01e7b3f1c9812141d52195e614b9965e9ebf067b482b0fb97a5a7ff2e04cea2efee4c5f87556ae4388b59421364

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

MD5
3f80798dbc05c8e305a193fb98ec976c

SHA1
bd3645fd0cf3558fd8e49ee8966d70af409af043

SHA256
1a197edd41e4372aba19681d9908710c0eee7cbd331dd70004dd13714019c1e3

SHA512
3b9f4dec512fcd344f6f0d07fbc682cd5a5b0d254771593e0ba5a66cf4a1dedb537d1413a93b35138290e07cef05a8c6ab6b773eb5c090fe3ac0e346d344a471

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

MD5
5688cab7afb9e67ba0422109bab65c73

SHA1
c79ea0f5b40b943d8fa11bb28f6f93945d1ba521

SHA256
a8b30e337a28b0c2a8d834413ac10291ae34a74e3ae2ad35bbb2bfe8e6a91388

SHA512
612cf28c190ec81c2c73ba14bd20b860eb97190ad3dbfc559427f47a39e00096aac7480ab7f1ba66f4f876b963c06f8ae39331e257c395cf4164bf03993552fa

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

MD5
84ffaedf2613cf5a77ead6a3a52b471f

SHA1
bb4eec961890a6dbfee377f8881f46badcb037d1

SHA256
affc8efa511ae66140c191c850fe3bf870bce70f0503d43770b37aefee1b33d3

SHA512
c9ef94139469460f504408235e563a365eb7cbe55b9519799581e8d4f79202ca28a6e7b20d40d1222ebc0501fbbc4d1be0a740a1c10ed9551df2ca27d932bd44

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

MD5
d743b6db97710d530d781887c9299c7c

SHA1
78344978ec84f31bd9252a8600c94c2c4f43a2b3

SHA256
c1e5ce1e9423c3a6f4f5f83c1a75da36ea3716e5676198d889ff798c940c4bab

SHA512
4b3e91105bd29b4aa3b821096e8334d0486d07f991d787528d6c34ea72a13225c5cf774306f47b7ef8a16f336106415dae113a26820dbb98ce6c9fdd4b05624d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

MD5
cefcc45143a7e15645a25957eff2b002

SHA1
b6f9a8ecb8809c9cda76d8f6902178633f11e212

SHA256
df5fc62860d9e5cf7398806ee61314ed0f7bd57b0d19d80bd2eb630a8a1b8dad

SHA512
7a794ccb260f1e4b84ac26e2df0566d0d3a270d1170a73342d40342747ee3ccf0eb4ef21a0d7c51ac63f2a20ed8bf52fddfac821b2f0fece8730caa1d656ccfd

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

MD5
1997ee027628dde513d9624854573f05

SHA1
1b3936717f618f66ec788571d194cd895a6c035e

SHA256
78cd39bde48728f7496045b5a317771861e7e46ff0c728ab69eb73b666126dfb

SHA512
e2b0714238c971d9cd571b266bb355ff7d955bab44844cceb3a43fda8942abd21d34c2e19817c89cc79e09a25eb4608a70f5eb325987a6f0ca4daf4dbc0d4548

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

MD5
d9725c6de8897fdd111d99ed248e625b

SHA1
9cfc08feffeaba8663fd8f1c5831e3a56f522ad1

SHA256
694f9a918c042e4dcff659e5fb436a1921e14896e2875c0196204f667e896845

SHA512
fc1571b9d94128ad85921d464f20958d8f8d869b10cb1b27264373410273de7ff4ff9c9ba11a13a46966bc822789fa513bd923e8520c77257d99f698cab2f631

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

MD5
57d729c99d648443a09312f41953b1fd

SHA1
c6e56b529da5fef84f6fa58a3c050ad49670d718

SHA256
d8ff31c08f529007d8228eed7bfbd56881573beac21f782b188c630efeb0556a

SHA512
e42431c24b28dc8bd2926022a899d84fc1e30d448a3a634caecbe108e886cbe1258a65d45e06ed6a2f9165cbee45cfd2e441400a2dc0bc865a58a3da75dc8b3f

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK

MD5
690b2a77711e74a37b9960267bdc09c5

SHA1
bd77ae1bd207e6ed7387dda7ce8deaea35ff66d5

SHA256
b838383fedb8dbe7dac428cbe28b70e343004e43c9712def5489c0998a113d45

SHA512
0d54e0b2f90ebd4cd3a52ba9d8b4c961280bfd350f3607d1ccea67657395a9fdb68165e89fd7292cf97f2f2157666ccdfc0f2a84612a96789f551b55355c30b8

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

MD5
e257b68437c00e078b23f0d709260254

SHA1
58a5f9ec4f2c9c2bacf7627262e942d909d306ab

SHA256
373a09fa4d8327255b8a901678a60e14607594e6a2e1ae5830dd227cd90a951a

SHA512
77d344fb18c703c5e30a8e69c86ec1d281582902e23bc21e78151a29e2e34a5423653b991a5941050051aa69290c959c3cf5e6f1b92b49e581d5f23df0f4cd3e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

MD5
0a930a51b8805865769e05c49ede76ec

SHA1
25afa5db78f7b42952211ebfb9b544bfe1a84e78

SHA256
c286c488bf2cb6b8cff0d98212666ed73711cdee24fc5e1892ea2d3830228e1e

SHA512
88f90414522d3aed99bee4ddefc1678cb958d637f47b9a416ded99d710e5b61fbef00bf5e583d5f6c33e8cc9bcde259abc5fed988e20b9999c1404ef06f7bba5

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

MD5
6a5b2799fc43e27cbc0442c7362e5142

SHA1
430b575dd8ad021703566e93004d5f7bbb77ddfb

SHA256
b85198fa5e8fb69a4ac1c0bf1d8b61897928381a01da0adb6fb07441565b73a1

SHA512
e41ad331f807f7667d5f019ec66df4f2acf10058d1999f8f6ad0c7cacc6f49d8b760e86f034a9277fdcd0218a7435a38f18c9890deffffb80ab4f4642ecd7aa3

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

MD5
ebb2d146779911f0a751d9a456bf51f9

SHA1
4bdec981833c5cb43aab15862e63654663c3abcd

SHA256
20c72c5516532ffc05aa1f132e0f7f0abb04e0515c33e9ce1378fbd4a6d763c5

SHA512
4c42312e88fa0606aae8e6945b115b59e2d6b21c653a6a0c8665ae285d34505fb99626d2bc952966b8a381c7794debf49c75b234d2bef4cf5c151ee127891d03

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
aa1cecd42404d13e100e5c1787b75f3d

SHA1
1bd357289611e6285bf7232a007d86d7ef32fc74

SHA256
37a7d90ee74a52f3c3134f609c7ac986f991fb45d26d96ea2059e625cdb2e998

SHA512
13f34d1ce6d09c8545a1aaeb375c62dab972b273dc05edf2eb5e6357d2f14666d2d0cb743d953e74b442f6169074eaa94ca3c4791020088ff60737be8222ff27

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.RYK

MD5
2016494fd3a4a8d614a872613a991504

SHA1
a5471db3611c15d5a4253bc2182d08baf31a44d0

SHA256
1258343474e15dbab158e0d75a3ea11a5422f5efa5af2d0756833d18b0062148

SHA512
4876bb38fbbaa5c2cd9cac164cd923913f69384be187f85c5f091cacb33a96c5ea19fe63e297ec9ff569ef68afee37f571ea9b24de42495077a4d69dbaa4f92b

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.RYK

MD5
5f8ba4a737a9f01d6b4ace29c549c075

SHA1
94658ae39bc2d8dbae983c4dd20b58552bfec15e

SHA256
bae1fd3bf967f7bb5099873abb4bea39998e21e8bddf8ded71ec89810e9593c0

SHA512
e5f2c1aa1fb1f028df40b905aade42ab88880d7d05451b06a5c980039ef87e4994845ea658fa6a95e4f2c2650d6f2c077c6c3062ea88272cb8a04a48e8e230bc

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml.RYK

MD5
16835df0564281c0eaf21f4214075629

SHA1
6ff86c26f9cdc93141010919803416f4c2ed4947

SHA256
7f228cb4153b9bda4bb7044bb3af040ae3d29f1e29cb9b01b25e26c681e9b696

SHA512
e08fafdf0fe84f664af699d1c25e7b4531d0db4c39ffd6ba0d6e53dd57f79144ae7382f9b6eee311a59edc4df90a7cd7ecec2f29ceb4932d75be77119b5937e4

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
4e1facb96107d2914ea4330826bc637b

SHA1
4aeaa04f43e531d835872a8c7788f9a489fad48f

SHA256
c080d86381765f0b35c499479ad170361cf88256b8099031e904580de5a82698

SHA512
d1caba611339c0f79f3bb39243cd04cd15b34d5f8ba14327296c852ef6662eb2cc9bda81ad131ff9581b2871df2a1d73e5cbcf1a1b33c8dcc0eee3104799c0dc

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.RYK

MD5
1157c6ab2b50a866d05bbf79cac301cd

SHA1
6736bb747dc7b1e26a1f236e1f5536f2fa442e17

SHA256
863a8414944e487b02bdfa0ca7ad93ec903de4c3992ef6a7861287a9833f02bd

SHA512
ec75cbac9a217032bdbb10edc676e63a720242234d7eeefc40f5c30bdba45601aa86a23199bbf0213603267c8841216a05aba2f9cfce7c55719d0530d762801b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAIwTZxaUlan.exe

MD5
9296a9b81bfe119bd786a6f5a8ad43ad

SHA1
581cf7c453358cd94ceed70088470c32a7307c8e

SHA256
0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591

SHA512
64955ec13d7e874d8aeb9490b2ff814473e02ef93eb071bab460add8b5966f660ddca1ba80cf1055f7d2c5cccaf4ad62d908356547c8c13387e622e5dfc849a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\PvxqYAathrep.exe

MD5
9296a9b81bfe119bd786a6f5a8ad43ad

SHA1
581cf7c453358cd94ceed70088470c32a7307c8e

SHA256
0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591

SHA512
64955ec13d7e874d8aeb9490b2ff814473e02ef93eb071bab460add8b5966f660ddca1ba80cf1055f7d2c5cccaf4ad62d908356547c8c13387e622e5dfc849a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SrPcFVipElan.exe

MD5
9296a9b81bfe119bd786a6f5a8ad43ad

SHA1
581cf7c453358cd94ceed70088470c32a7307c8e

SHA256
0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591

SHA512
64955ec13d7e874d8aeb9490b2ff814473e02ef93eb071bab460add8b5966f660ddca1ba80cf1055f7d2c5cccaf4ad62d908356547c8c13387e622e5dfc849a1

Download Submit
C:\users\Public\RyukReadMe.html

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
\Users\Admin\AppData\Local\Temp\CAIwTZxaUlan.exe

MD5
9296a9b81bfe119bd786a6f5a8ad43ad

SHA1
581cf7c453358cd94ceed70088470c32a7307c8e

SHA256
0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591

SHA512
64955ec13d7e874d8aeb9490b2ff814473e02ef93eb071bab460add8b5966f660ddca1ba80cf1055f7d2c5cccaf4ad62d908356547c8c13387e622e5dfc849a1

Download Submit
\Users\Admin\AppData\Local\Temp\PvxqYAathrep.exe

MD5
9296a9b81bfe119bd786a6f5a8ad43ad

SHA1
581cf7c453358cd94ceed70088470c32a7307c8e

SHA256
0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591

SHA512
64955ec13d7e874d8aeb9490b2ff814473e02ef93eb071bab460add8b5966f660ddca1ba80cf1055f7d2c5cccaf4ad62d908356547c8c13387e622e5dfc849a1

Download Submit
\Users\Admin\AppData\Local\Temp\SrPcFVipElan.exe

MD5
9296a9b81bfe119bd786a6f5a8ad43ad

SHA1
581cf7c453358cd94ceed70088470c32a7307c8e

SHA256
0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591

SHA512
64955ec13d7e874d8aeb9490b2ff814473e02ef93eb071bab460add8b5966f660ddca1ba80cf1055f7d2c5cccaf4ad62d908356547c8c13387e622e5dfc849a1

Download Submit
memory/516-11-0x0000000000000000-mapping.dmp

Download
memory/752-6-0x0000000000000000-mapping.dmp

Download
memory/1872-2-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1872-3-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/1872-4-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download
memory/2596-17-0x0000000000000000-mapping.dmp

Download
memory/2676-23-0x0000000000000000-mapping.dmp

Download
memory/2688-24-0x0000000000000000-mapping.dmp

Download
memory/3404-83-0x0000000000000000-mapping.dmp

Download
memory/3440-84-0x0000000000000000-mapping.dmp

Download
memory/3448-85-0x0000000000000000-mapping.dmp

Download
memory/3508-86-0x0000000000000000-mapping.dmp

Download
memory/3544-88-0x0000000000000000-mapping.dmp

Download
memory/3552-87-0x0000000000000000-mapping.dmp

Download
memory/3560-90-0x0000000000000000-mapping.dmp

Download
memory/3568-89-0x0000000000000000-mapping.dmp

Download