ryuk | 6dfef684475fcbf722f88337d630668b6fcb73864daa9a7e65f3642d3766fdfc

Analysis

max time kernel
151s
max time network
96s
platform
windows7_x64
resource
win7v20201028
submitted
29-03-2021 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
Size

635KB
MD5

a563c50c5fa0fd541248acaf72cc4e7d
SHA1

4b8c12b074e20a796071aa50dc82fe2ff755e8f6
SHA256

180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843
SHA512

d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Score

10^/10

ryuk dave discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = '5GqsR1ewcO'; $torlink = 'http://piesa6sapybbrz63pqmmwdzyc5fp73b3uya5cpli6pp5jpswndiu44id.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://piesa6sapybbrz63pqmmwdzyc5fp73b3uya5cpli6pp5jpswndiu44id.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Dave packer 1 IoCs

Detects executable packed with a packer named 'Dave' from the community, due to a string at the end of it.

dave

Processes:

resource	yara_rule
behavioral9/memory/1904-5-0x0000000000250000-0x0000000000272000-memory.dmp	dave

Executes dropped EXE 3 IoCs

Processes:

YfPyUQywUrep.exeJrbVkusBHlan.exerTpxGXQoclan.exe

pid process

1648 YfPyUQywUrep.exe
1472 JrbVkusBHlan.exe
1480 rTpxGXQoclan.exe

pid	process
1648	YfPyUQywUrep.exe
1472	JrbVkusBHlan.exe
1480	rTpxGXQoclan.exe

Loads dropped DLL 3 IoCs

Processes:

180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe

pid	process
1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

2664 icacls.exe
2676 icacls.exe

pid	process
2664	icacls.exe
2676	icacls.exe

Drops file in Program Files directory 64 IoCs

Processes:

180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\PREVIEW.GIF	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02075_.WMF	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tbilisi	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfr\RyukReadMe.html	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\RyukReadMe.html	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00623_.WMF	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-border.png	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\vignettemask25.png	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Atikokan	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\YST9	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STP	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Maputo	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Mawson	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\lua\RyukReadMe.html	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.STD	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\PREVIEW.GIF	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfontj2d.properties	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Shades of Blue.htm	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00172_.GIF	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.jasper.glassfish_2.2.2.v201205150955.jar	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\Documentation.url	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CLIP.WMF	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_ja.jar	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Rome	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00260_.WMF	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\PREVIEW.GIF	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099197.GIF	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_ButtonGraphic.png	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiBold.ttf	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\RyukReadMe.html	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-io.xml	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Paramaribo	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\vlc.mo	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Brisbane	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00444_.WMF	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090089.WMF	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\ActionsPane3.xsd	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_rightarrow.png	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\RyukReadMe.html	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Juneau	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\Louisville	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterRegular.ttf	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Havana	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\MSB1ESEN.ITS	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-back-static.png	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.bat	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Darwin	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Stanley	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Marquesas	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di_1.0.0.v20140328-2112.jar	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app_1.0.300.v20140228-1829.jar	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_zh_4.4.0.v20140623020002.jar	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe

pid	process
1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exeYfPyUQywUrep.exeJrbVkusBHlan.exerTpxGXQoclan.exe

pid	process
1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
1648	YfPyUQywUrep.exe
1648	YfPyUQywUrep.exe
1472	JrbVkusBHlan.exe
1472	JrbVkusBHlan.exe
1480	rTpxGXQoclan.exe
1480	rTpxGXQoclan.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1904 wrote to memory of 1648	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	YfPyUQywUrep.exe
PID 1904 wrote to memory of 1648	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	YfPyUQywUrep.exe
PID 1904 wrote to memory of 1648	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	YfPyUQywUrep.exe
PID 1904 wrote to memory of 1648	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	YfPyUQywUrep.exe
PID 1904 wrote to memory of 1472	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	JrbVkusBHlan.exe
PID 1904 wrote to memory of 1472	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	JrbVkusBHlan.exe
PID 1904 wrote to memory of 1472	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	JrbVkusBHlan.exe
PID 1904 wrote to memory of 1472	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	JrbVkusBHlan.exe
PID 1904 wrote to memory of 1480	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	rTpxGXQoclan.exe
PID 1904 wrote to memory of 1480	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	rTpxGXQoclan.exe
PID 1904 wrote to memory of 1480	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	rTpxGXQoclan.exe
PID 1904 wrote to memory of 1480	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	rTpxGXQoclan.exe
PID 1904 wrote to memory of 2664	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	icacls.exe
PID 1904 wrote to memory of 2664	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	icacls.exe
PID 1904 wrote to memory of 2664	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	icacls.exe
PID 1904 wrote to memory of 2664	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	icacls.exe
PID 1904 wrote to memory of 2676	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	icacls.exe
PID 1904 wrote to memory of 2676	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	icacls.exe
PID 1904 wrote to memory of 2676	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	icacls.exe
PID 1904 wrote to memory of 2676	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	icacls.exe
PID 1904 wrote to memory of 2984	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 1904 wrote to memory of 2984	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 1904 wrote to memory of 2984	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 1904 wrote to memory of 2984	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 2984 wrote to memory of 3400	2984	net.exe	net1.exe
PID 2984 wrote to memory of 3400	2984	net.exe	net1.exe
PID 2984 wrote to memory of 3400	2984	net.exe	net1.exe
PID 2984 wrote to memory of 3400	2984	net.exe	net1.exe
PID 1904 wrote to memory of 3260	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 1904 wrote to memory of 3260	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 1904 wrote to memory of 3260	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 1904 wrote to memory of 3260	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 3260 wrote to memory of 3444	3260	net.exe	net1.exe
PID 3260 wrote to memory of 3444	3260	net.exe	net1.exe
PID 3260 wrote to memory of 3444	3260	net.exe	net1.exe
PID 3260 wrote to memory of 3444	3260	net.exe	net1.exe
PID 1904 wrote to memory of 3720	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 1904 wrote to memory of 3720	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 1904 wrote to memory of 3720	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 1904 wrote to memory of 3720	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 3720 wrote to memory of 2832	3720	net.exe	net1.exe
PID 3720 wrote to memory of 2832	3720	net.exe	net1.exe
PID 3720 wrote to memory of 2832	3720	net.exe	net1.exe
PID 3720 wrote to memory of 2832	3720	net.exe	net1.exe
PID 1904 wrote to memory of 1064	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 1904 wrote to memory of 1064	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 1904 wrote to memory of 1064	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 1904 wrote to memory of 1064	1904	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 1064 wrote to memory of 3700	1064	net.exe	net1.exe
PID 1064 wrote to memory of 3700	1064	net.exe	net1.exe
PID 1064 wrote to memory of 3700	1064	net.exe	net1.exe
PID 1064 wrote to memory of 3700	1064	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
"C:\Users\Admin\AppData\Local\Temp\180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1904

C:\Users\Admin\AppData\Local\Temp\YfPyUQywUrep.exe
"C:\Users\Admin\AppData\Local\Temp\YfPyUQywUrep.exe" 9 REP
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1648

C:\Users\Admin\AppData\Local\Temp\JrbVkusBHlan.exe
"C:\Users\Admin\AppData\Local\Temp\JrbVkusBHlan.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1472

C:\Users\Admin\AppData\Local\Temp\rTpxGXQoclan.exe
"C:\Users\Admin\AppData\Local\Temp\rTpxGXQoclan.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1480

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2664

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2676

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3400

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3260

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3444

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2832

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\MSOCache\All Users\RyukReadMe.html

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.RYK

MD5
614721ff5212b98216b4e65b9c5530d1

SHA1
a07bc19358efa16e0dc0624d953f2b23cc8db8be

SHA256
364f015c1e5fb85995bf1571099a6ae86879df83b7dac6151ebfa7cd4b1d4d43

SHA512
83cf62aec8732b0ec06b59f90249a9dbbc895deb68840b3ec5425d6da8f12f7af2669c181ee7bdcb52e81716ad08636ef74c1f95571c2b5ab0f26235072e42af

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

MD5
fae27df71d3d12264be6233919de27bd

SHA1
b30f7ee673cd5345310c603fb2fa234e661bdfed

SHA256
5bbd1089ef41a70f86431375674a0a3b532dab881c10b2662b2a0c57a0d7a55b

SHA512
2387de85d719f1fa39c35e2f81e52adf3b8116cb3f0525e83a86b99dba68682141e6debc753487c3d3351f7d983bf3b9db5f90a5f871aa3096fd575ec1a817cc

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

MD5
8841d1fe62cd539a265ed76729dfeebd

SHA1
8501351c8538fe3f998781624a8ad19f7ba5301a

SHA256
fa28b7678f915aef0084cbe5eb58e47a03b1bf5c7f6c35268a88d3e9be0c6747

SHA512
ccec68693dd9ed33fb6c860e88a76ccf2c431928b13b574ecc3c17e62986c80515cfbc4ed8bdaca3c478aa5a961d588f9c3032343f0ef27478d1af1bd5f1826a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.RYK

MD5
51404648c9c3bce0124d88e36afae6ad

SHA1
4f78a4fb8dd5e5f811c3e20a661a16c5ee508145

SHA256
90ac4b6beb1a3b6701fc14c54de343e5a3e47386367f468c5ade067c9b82c129

SHA512
0e66d2466c5ae371c593214e808c8f4163243db62b6f50be937b40cc40f8e0934ce215c492ccc7ba46896e5da73c1a54d1c58562445ea8313a163365861db93b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

MD5
71175d68e09ff32212622e1baa544612

SHA1
6e0a98a87fb118215adb94cbc0e237e2664447f5

SHA256
312d24e409ab904c6db59bff645f6936ec05d7f034cb0793c6ca908309589ea4

SHA512
c22503e5e4f2fa2cae7a992f915ba9af52f757fff6e8c578ac1ab2b2dc2f370cd20595ab304f987711c90ad54b1470c412c4b320e26b5c5ad85cae8ae0a8f7ea

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.RYK

MD5
493a2b3f204adfcdc42ffd47da9e7c3d

SHA1
e138577b8166e71aa93008bba04755860fb03c22

SHA256
4030dab9063336ed0b7a238535925e02caf84d38749c1f5cde442c1e9650bfd3

SHA512
057a116126bfb08c3ea8155c5fd307d3c8ef693fdd2fa07a00ff9ddf2f4c0d0e4a0c3384cf8b3031e3886a3c88a8121bc3d9f044864cd382816d8b03965ac13a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab.RYK

MD5
744a19fe2353a41c540a2b44d8f328fa

SHA1
1d7c514aa42f742cec8658370c70900b173e9180

SHA256
92e261f96cca9c22679c919aa76087bc2f1600db2a51675d9316b418d97fd3e0

SHA512
508a76f2c0cdeed3b656beaa6ebbc84b2b1b502a95e3539138bef36f9578cbaaeaee137c4410578822c69bbc27dd013ba9ae451de4d416dd6e634157e0a77fb5

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
ac6336d80409ddb583342227af7c53d5

SHA1
07fe27d37bfe355aa45706d91f62b7214d0055c6

SHA256
d776b2c921c9615c9882ee968a7bd579f6cdc0fb9675e6cd3352696ab3dfbf83

SHA512
07dbc98f56ef78dea3755b050a88fb7380bb4743c0280fb94c070de807550c40daf4f3067103a67136c3b3d7ff41d71bdbdf9ea1a8e7b254ee2ce09e964703f3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

MD5
7aef99b5b5d90045796fbb4dce674439

SHA1
eb2237ae9085a2bbecd219a5d4f812a7704207c0

SHA256
aa7cea9a318f0cdb388d229b4119d23af845b5884e79a84a04ff3917bb1b4991

SHA512
9c51a6b4cece99327c52320aa6ad0c1fa365f76801283245a42fd83799cfa630048f634f0a740cfa07786ac72a3b02e42626514b466094ec6349da97e68d9df1

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

MD5
f6d4a392cdd8ca2334afae905915dea7

SHA1
42c75c47dafb4d3cdc6f71aa16ea5d2dba6d60e1

SHA256
365cc1642b682f140d3107144512f45bb19fd491df74fc732a21b79f04f0ec1b

SHA512
5fa0290a11631d4310e584aae8ff2a1d32556936e9fdd6b68d58b572f20b2b81d0d960069cdc018b795cc060698532bb96361e15fd50eded091d14b4252731f2

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

MD5
e0c8777bd0d7711461fd5a3a243626cc

SHA1
b783b68e3e0acd6f6fcf6494624678618b16100d

SHA256
e82a936e7b954c1674fa6ee741f722638b26a30a59dc485d235fa27e6fe9873b

SHA512
7d60a66668bb77f1dd59f3cb96b07a0d394bf443ee87885428034807758bc7ed18a342bd9e9ba8e679e0fb507f865936e9e1229d6a81e604da6749303db4e908

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

MD5
914123f57c13354ddb4bb3081e34d0a1

SHA1
33e049affb938818ce48916be0221d3e87d93499

SHA256
8860acc84dd041d85c4f47c86c1d9fab57f5fe25f9470decb9f73c191739d6d7

SHA512
85926fc15667d7c8cf468d2f9626799139aaaa221b5c31bc83a8f70ff0530b79f259e55951f9ec601dab976f1ea828065ad15473a53e13a02abe5a67e4068f6c

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
0e45796b23223a11e206b66ae2de8431

SHA1
86ebad7c57a923be2edef28ecf161b49dfc784e1

SHA256
67a5edcd6f4bf1a88b73f073508cb5b7f6ce4383edbfadcf33f9fc5705578ded

SHA512
31b3c3316db8d574a0540ad15cb6c710c8a08da5a4f429b65a739dbcf6aa0ce11e271db9ce267bcc928ccddce54d7939aecd0eb49bb746e3296648504b683259

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

MD5
8feb61263fb82e1d3ab22ffffc882c10

SHA1
0a6b03b26d251f98e2a4d844e9b96252d991f329

SHA256
e0fc7f13475706904ae7d19c8100649b47c579e734e0e64d5894369aed06dfe3

SHA512
aa5aee4a7d6b91d71d7c7445c777d4a47ce0e2f99dc4099e33556123046acbe34bac16436a25ddb72e2c78799b799d21f42813d283ffbb83a646fb4cf70d14ed

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

MD5
99e89688d41ed453d7b8fe0cc0360cbd

SHA1
b7eb5222c27860b9085887ac6a1e980924d5d0a8

SHA256
c653adef1ef9672236fa4136f81a1c50dfde12ed74f1529a40f12c08958381c6

SHA512
79b4ad0d99172d657ab762db60c62c027bffebea65f64ea91a57825032c834e01f465822b2948e54041c9a73e83c1f56ecd514f637ba7ac66d690d596fdbc054

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.RYK

MD5
ac69284428f8061077fe021e0a1f0c95

SHA1
0724cc91068dceb54a9aa5390dd0b031925ac98f

SHA256
613c75b00f65cd5d3fa166d6dae16ca74ed84b24225962e83cae3e9da1a22e08

SHA512
c6fe8125fe73f07984525acbd0fe264da27dfde7907a3357949d62641c03563b07721fb0a7ff4d3cfffc59ee2ad9359edf1bd9223d49941089bd9999f810ef29

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
8dcf5528029dddfe219b1fb4d3c6fa76

SHA1
e0f0c499dd0ea9f1483cc84fb0f27115a9bfc82e

SHA256
e5a9222e6a37d25e73df2e4caa17b7037eef241c513b1409eedf3896ef13fc56

SHA512
17365647372bc2811d0e0d160c6f0013b54ead29ad0bc6720b1682221b714efe7accdc0291def7ce8edb9099a2210cc7d27b3f02e960ae634f74d50eba0664de

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

MD5
cad5fa52652c4bdb778d1cc2316a027c

SHA1
2e2d9ef380d8a4b1339e6a2752b94d7e5df52dbf

SHA256
f063027be367e6e0d3002df2175ab0bca55a44a32aa9b442f967e4caec654c73

SHA512
68042c4334e7ff5e045e0f225e6236b992f28b54d108b690fea1d652e15cb65e8a153137e40a287d0a928841b1fd52141b1906657c70a0858ed0f67dd66411a0

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

MD5
a62a6d494fcf3f3b6207d1eb404c0640

SHA1
09285c5065be379722a3b810a3721c156d9b09b4

SHA256
1e3ce5543963779f8e1281006f55c61d412e868f647ca580d3883cc7c7cd15ee

SHA512
f0b79dbcc03168166d6a7911087e4d0371f649dbde8858ad43523ccdb38e90a6c06f898c7d6a7898bb71fbd57b61aab69b19f5195d52a17d1c00d02d45eb8e11

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

MD5
f234fe2f13c4d70bdd58babb1fcbdfcd

SHA1
0bf466c53964c97ae7302c51edbd432133db1972

SHA256
ea63271caec73a4f045098cd08affc053fd200af36ba909d59435552d5175528

SHA512
f7dc77cb8fb67c0472558fc6efdf910f7784547b2c6e78804a345de5570b44c38ad7950e19b009cddcf2cc0dc54cf68fd526f034511190ebb950c69fc6b5fed4

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
8068633c1b750c3c798fbdfc52d86d1e

SHA1
36835257f19bab30161c577f475d190d5597da35

SHA256
c84812348e53cb64161496a3433cf1fa349f1a5990f13c8dad84e24650d1f014

SHA512
0872b5f6f879cc24f3586b2fd2e388eb895a7933f7f1c14edd6fa809ae11b85020d4a3ece41028d17fb22112ce9f95822f08969489aaf0ea7282109941eb89b8

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.RYK

MD5
4029ca169a997086756b162b288e55e5

SHA1
aa784117e75d3cba9ae522fdaa23bab83e90c89b

SHA256
b1c187ff119ec4130b99981d9a3923420427aa896ca921ad06550c34226fc1cc

SHA512
5f8845d611e67374d847a72e28662343a5f68df55413be08b2e48e4b77db0586b7fe022eb1a88d5d18167b7137b7243c6793c3ed927043ac950d2f960e51d720

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

MD5
5e2a984959eafa6e5d471c3d966be011

SHA1
229627a28a019f580e09f94a3b2672d639d8c88d

SHA256
5311b82a133f41c5623732fca2097fe04877cf5f1821c8251fb98e85b8d10ed1

SHA512
b99c5c0379e10981bc3609971690d51c958abff79841abf743db8722670c52abf4a5701b689cf4cfa9cd3193089bd275ecd49366097fca23ac2e28e9fa410342

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

MD5
ab4b49b68ab26761e9c918c3590bd30a

SHA1
ee4589ab334039b9a1f4e3395ac0fdf201c23922

SHA256
e37ad89d17e2ac0ed907cc81f7c134c768025a28dd5972dd0483cea55930a44a

SHA512
6d4991de9b090f8c27427036a9f9654e67a0d2aee51d36a761f82b620865c27f6475b7b1d354afe496c8f2a2b0d49f86eb86f506637b3ff7eb5fb69ce9ca7d58

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
041f067edd7efefd50b29f4d35d70985

SHA1
784d50b5cbbd9cd496a43ef6cafae239cd247d13

SHA256
431d39b24588e8315b257b3a33d1587a3b635949032d615dd3b5a15a3a97f527

SHA512
f9d2ef9666174f1b6e075535a29c4d1c584e1526991b48f598d702c86b499ccbe73feec8c8717635b329f6399482574ebfe73486693360b471a2558758524147

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
f7b2a94080394a7d262fa6723618acda

SHA1
c413754b0e7c3a513518c27a3ae16ff2246fe73b

SHA256
e056e397cd9e155d99d65cdf6d048085b7789020e31dc16e2dbe15602a413559

SHA512
1f8cc54dfb5cfad685bc4f98bbeaa4f09f1f40a13ac216db69c2b9dbdf8ab0c092de4aa936668f97292014c187c237116b24896ee6ca587ec10db9703fd76e73

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.RYK

MD5
dcc20cec8ecee5d58f5979e2660142f1

SHA1
b7704dc1a2745a26a7099b13760b188f1db9a4b7

SHA256
5aa247dce659cf61b00d71d33d1c950bc3301cc8b1902e132496394774b512ee

SHA512
9de2d661146c4257494e084f1a292ed7869294dc35d46e2ce99dc8b035e03babebdf27860636b18e18b622fff71dd96c82fa1a39a417d0f12735f94614a956b4

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

MD5
35e5dd355faadb50ebeaa5002b7e972c

SHA1
e63914ff5bf4543116b53850346940732b1b97b4

SHA256
c9294b5c2387082767b54e8d3e8b33f345f9109698b9bbaae1fadedc13d75ea2

SHA512
cff30ff76c6b1f9716234a007f122c3c54c24db7e09c3c3c7f908e783cd677220dc0bbea209798d74397f8015f072158d300bd0776cacecb5816bcfbca94d49d

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

MD5
8973e4a6b6b8c323f5f1e3f043499b3e

SHA1
4b3ca8b1b9247310d81df6b93a5d3315ca971217

SHA256
cea1a12702b542d402374ad7eeea4cd5557ceb59ce70133f96a404b5a5017cb3

SHA512
e8ac21fcb297066fd3edf051fe30f2f6292835a4ea0d5d252db40f09de3dfc0ccbfd87f537f2e470852f676e6700bf753f5008543347827f99739fae346b786b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

MD5
9741f2ec652948b4b18fdca8c4931d13

SHA1
262694428c9457a5431cb52e7f0d473e9b8aba00

SHA256
d0d0236725c25298a1f1183115079148551f1881684548fbda4684468ae0b861

SHA512
c851169c59ff57885576dbc93a891e1c31ff1d41cc0e27874f78e6d839d07cedb469466785e146451cca6280b7d9ebfbe98fa870f596ceeb24ad49843a519933

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

MD5
6d1ac6bf9d5417ec3ab37de3bd2664d9

SHA1
6ee3e3c0a84a681594600b58dd042108d9333676

SHA256
b73b0aa6d6d028ee970ff33753634dd14a091ee0774ea7196045fe096bfe332c

SHA512
622818330ecef81869d8230f2371d73f865dc2eae17f34ad6891df114b73e4d8354c520917713bedee8120b397a7203070c442f7ff823b3d854a7489534491f1

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

MD5
8a58f0a4cde8d545a6c73ad5e3d875e0

SHA1
aa2ed37012bcb6a78c371933c48ddffc5425b4be

SHA256
04643943f18746d8beb18e4f9287f95a9621755a696a2f707164b99f9dd3efde

SHA512
6474ef580c4d792e2a2fd7025661b3a7389e6bb0181595c92d6f475820363aa39242fd110576b782a930b6d5e14a1eff47255c509bafa232ea586bfa9579c360

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

MD5
bc3ccf05d36b06b1aa341c4e5e5ae465

SHA1
025b7befa1fa5c23c1a7d157c340051722fdfb08

SHA256
946ba16e69566849b7b3f744ed47651071358a14dd359c56dab61804b53095d1

SHA512
6f18267ee9939409f688f10fde8ef433d5c9ece699cb6fc49961c69b95703423445946539b9a56fef391dd341726d7309a21adab143956e3618441001a26081f

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

MD5
c22321637f7b0b4d835779e9f6d19c5c

SHA1
ee416a44050c302c7d5b9fad0cfb26e8cda84249

SHA256
e7c0b3fe820c796ec7280b67f71ab4d059c42e21336b59c5e91a0c3999c5405d

SHA512
1956da42e3d0c529e5935055f18ec0bfa216bda47545b9aa0e9397a87dadaf9a9fa589d392590a2f4a8a5bf6ea5a7cf8153325ce22ea285a4d5ba9f724146da0

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

MD5
c0578d514c883aaafb4dd7db248783d4

SHA1
7a3c16f63378944c5932c043c5a5c4d663eb4c78

SHA256
11c36bf303ea01b7d4be81b00dbfe7ef95a43b4929b731102162627e592e8769

SHA512
84f0b6513777b524638403964b68c7239f7cb10e5c26b3455d55a943147a48a022df7246d68a8fd70375642e0cf1c10315889f47ba8017e9f31c254c928899df

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.html

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK

MD5
5914c03305846e82c6ea87bc2bcd4c9f

SHA1
f93886c1d60638dab56cdc47e85329c3d71b99d3

SHA256
7480fcb7f4556a1953871f5b2d345f62896f599c6013bf018908cf6412f4d56a

SHA512
67e0b885e0ba55042ee8c8f0399b3a27b31a1ef9f8073d8dd43bcfb1776c505d40e83d4586665b505a5fc85943ca03cca944521615b21ac36393447a5cdfdedd

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

MD5
2982306594e747d83031eb63c55de2ff

SHA1
c2cc2531498fc19e0119866e7c603aecf272321f

SHA256
d2a253b81389dd141d2892c525ed5374417faab0d63bd043cb9982be05a92130

SHA512
0786b523ac5799a7c78867410396d92d49c99820e5381f66fe998d87df46d716b378bf70af464ee9bfbab1ee626dcd563741d27e2aec4dcc56cf72b917546769

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

MD5
be4486f57c9a88c7e46d85b51a8e72d0

SHA1
ba8c9f64a62bf7eb8686b2f21e78b0a08647fd6e

SHA256
dab0e110a1eb9305284a7597df6edf7dbbfae021471f67b3c1b7f80ae1199486

SHA512
b1dbc50cc7dad77be86edd0610058413a8415bc67c768e18b6645372b2749fde7733b01333a90d8667b6cbb8102bbd1f401e6ae36dcc81f1f5edf47056eea02c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.html

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

MD5
9a2380f270d92d99357c86aa8044f2ff

SHA1
f1e58a77c937ad6dc9f7301210ccfae363e65157

SHA256
5bb32f16020c98a1f36c2d17d037e8a7c39cd375a9d6cf82c531c157ea05226a

SHA512
23f4d9ce8b6c0df40f63cacb529420eb1d41785e06c97871541dd177dbe5934dcf8f7f51575c38bc068d9ac47fbd593dc02164f2a9b7f9906f93bca20e5341a5

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

MD5
00e1e102739a7e0de3bf43176f9a37df

SHA1
21cc06d06fdfdf1137913063ae40b0f12058ebd3

SHA256
40a9f99a965dd13026a27cd9d0329dc44289043249147213c39d5c674bcf55b1

SHA512
4917e0423d0a7fa1e2366bde50ff32d1d039995e68133201a76414ebc54557b43a53f6e1e400fe6a128fcd4383bbe62ce9221d170fb34eee254801faa9f25225

Download Submit
C:\Users\Admin\AppData\Local\Temp\JrbVkusBHlan.exe

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Local\Temp\JrbVkusBHlan.exe

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Local\Temp\YfPyUQywUrep.exe

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Local\Temp\YfPyUQywUrep.exe

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Local\Temp\rTpxGXQoclan.exe

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Local\Temp\rTpxGXQoclan.exe

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3825035466-2522850611-591511364-1000\0f5007522459c86e95ffcc62f32308f1_fc0e0041-a258-4d5d-ad46-ed56e156a8eb

MD5
58e7b7f7ee8044acbf6dddf509874c3d

SHA1
65293f5f87791524d4980acddf5e0cd4cf047dff

SHA256
a36add88a0c78e522e2b1ed2e67eb5f80f20c8b2c4defacbd3bdf45a37328e77

SHA512
5855e3a4dcdcb81974c91051166000b133e3696b277b6a5a9b70e6a7202db99fbc722bbd4d9222ceb44f9b0fd929546fe2fa4970d94d07d18e3dddbec9f01246

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3825035466-2522850611-591511364-1000\0f5007522459c86e95ffcc62f32308f1_fc0e0041-a258-4d5d-ad46-ed56e156a8eb

MD5
f455b0a1fb87a693c13d93f9854d9dcd

SHA1
7c4b6f008daca962a9fa53c8424f4eedff7dde3f

SHA256
440e6ca6acca63c5eb8b00aac2fa606e3a060b16880442f90d1dea7b005fcd9e

SHA512
45b3fa7a207071c4cf7c9629a3d49fc0f185cbfa47434b1faa7a1e1b9198529af98ccd9aed18fab604c0cccc5178077f490aa6dfce1c46b969f105054820be7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3825035466-2522850611-591511364-1000\0f5007522459c86e95ffcc62f32308f1_fc0e0041-a258-4d5d-ad46-ed56e156a8eb

MD5
f455b0a1fb87a693c13d93f9854d9dcd

SHA1
7c4b6f008daca962a9fa53c8424f4eedff7dde3f

SHA256
440e6ca6acca63c5eb8b00aac2fa606e3a060b16880442f90d1dea7b005fcd9e

SHA512
45b3fa7a207071c4cf7c9629a3d49fc0f185cbfa47434b1faa7a1e1b9198529af98ccd9aed18fab604c0cccc5178077f490aa6dfce1c46b969f105054820be7e

Download Submit
C:\users\Public\RyukReadMe.html

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
\Users\Admin\AppData\Local\Temp\JrbVkusBHlan.exe

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
\Users\Admin\AppData\Local\Temp\YfPyUQywUrep.exe

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
\Users\Admin\AppData\Local\Temp\rTpxGXQoclan.exe

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
memory/1064-93-0x0000000000000000-mapping.dmp

Download
memory/1472-21-0x00000000003D0000-0x00000000003F4000-memory.dmp

Filesize
144KB

Download
memory/1472-16-0x0000000000000000-mapping.dmp

Download
memory/1480-25-0x0000000000000000-mapping.dmp

Download
memory/1480-30-0x0000000001E00000-0x0000000001E24000-memory.dmp

Filesize
144KB

Download
memory/1648-7-0x0000000000000000-mapping.dmp

Download
memory/1648-12-0x00000000005D0000-0x00000000005F4000-memory.dmp

Filesize
144KB

Download
memory/1904-2-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download
memory/1904-5-0x0000000000250000-0x0000000000272000-memory.dmp

Filesize
136KB

Download
memory/1904-4-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1904-3-0x0000000000350000-0x0000000000374000-memory.dmp

Filesize
144KB

Download
memory/2664-34-0x0000000000000000-mapping.dmp

Download
memory/2676-35-0x0000000000000000-mapping.dmp

Download
memory/2832-92-0x0000000000000000-mapping.dmp

Download
memory/2984-87-0x0000000000000000-mapping.dmp

Download
memory/3260-89-0x0000000000000000-mapping.dmp

Download
memory/3400-88-0x0000000000000000-mapping.dmp

Download
memory/3444-90-0x0000000000000000-mapping.dmp

Download
memory/3700-94-0x0000000000000000-mapping.dmp

Download
memory/3720-91-0x0000000000000000-mapping.dmp

Download