ryuk | 2b23e704cfd8d62a359ef0325bfd4aaef5249cf6567ab8eceb88395978e3291a

Analysis

max time kernel
150s
max time network
86s
platform
windows7_x64
resource
win7v20201028
submitted
30-03-2021 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
Size

836KB
MD5

c5cd1f0fe551a0ce5678a7c9d86e6450
SHA1

f584c89c1539520f280efd9bcd4cb3da37588979
SHA256

e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894
SHA512

40f9578b711e41cd166b24b8aa0bfb6dee01a8e4a46eb54591e61d97cfc5a83dc58fb4256dc05f756274cda65ad5d680f9e370ad0c825861fd7080e5da5fd2e4

Score

10^/10

ryuk dave discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'DQlMnNo'; $torlink = 'http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Dave packer 1 IoCs

Detects executable packed with a packer named 'Dave' from the community, due to a string at the end of it.

dave

Processes:

resource	yara_rule
behavioral1/memory/1576-5-0x00000000002D0000-0x00000000002F1000-memory.dmp	dave

Executes dropped EXE 3 IoCs

Processes:

EZHzUZtjrrep.exejktuzTIDXlan.exewhoSOqeoulan.exe

pid process

1344 EZHzUZtjrrep.exe
1584 jktuzTIDXlan.exe
2636 whoSOqeoulan.exe

pid	process
1344	EZHzUZtjrrep.exe
1584	jktuzTIDXlan.exe
2636	whoSOqeoulan.exe

Loads dropped DLL 6 IoCs

Processes:

e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe

pid	process
1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

2728 icacls.exe
2716 icacls.exe

pid	process
2728	icacls.exe
2716	icacls.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe

Drops file in Program Files directory 64 IoCs

Processes:

e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Main.gif	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADVTEL.DIC	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\jfluid-server-15.jar	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00723_.WMF	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\README.TXT	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152622.WMF	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\DVD Maker\directshowtap.ax	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\LINEAR_RGB.pf	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Accra	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Inuvik	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105600.WMF	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_COL.HXT	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\THMBNAIL.PNG	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0222015.WMF	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow.css	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Yakutat	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105490.WMF	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR34F.GIF	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\CHICAGO.XSL	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.dom.events_3.0.0.draft20060413_v201105210656.jar	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.HXS	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR11F.GIF	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLNOTE.FAE	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309705.JPG	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14757_.GIF	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_glass_Thumbnail.bmp	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00914_.WMF	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00544_.WMF	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.filetransfer_5.0.0.v20140827-1444.jar	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099185.JPG	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OOFTMPL.CFG	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\STOCKS.DAT	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\MST7MDT	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_OliveGreen.gif	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Catamarca	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\vlc.mo	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\jsdbgui.dll.mui	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00985_.WMF	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CONTACTL.ICO	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\1047x576black.png	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\1047x576black.png	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui_5.5.0.165303.jar	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\JPEGIM32.FLT	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR18F.GIF	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\TAB_OFF.GIF	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe

pid	process
1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exeEZHzUZtjrrep.exejktuzTIDXlan.exewhoSOqeoulan.exe

pid	process
1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
1344	EZHzUZtjrrep.exe
1344	EZHzUZtjrrep.exe
1584	jktuzTIDXlan.exe
1584	jktuzTIDXlan.exe
2636	whoSOqeoulan.exe
2636	whoSOqeoulan.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1576 wrote to memory of 1344	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	EZHzUZtjrrep.exe
PID 1576 wrote to memory of 1344	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	EZHzUZtjrrep.exe
PID 1576 wrote to memory of 1344	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	EZHzUZtjrrep.exe
PID 1576 wrote to memory of 1344	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	EZHzUZtjrrep.exe
PID 1576 wrote to memory of 1584	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	jktuzTIDXlan.exe
PID 1576 wrote to memory of 1584	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	jktuzTIDXlan.exe
PID 1576 wrote to memory of 1584	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	jktuzTIDXlan.exe
PID 1576 wrote to memory of 1584	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	jktuzTIDXlan.exe
PID 1576 wrote to memory of 2636	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	whoSOqeoulan.exe
PID 1576 wrote to memory of 2636	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	whoSOqeoulan.exe
PID 1576 wrote to memory of 2636	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	whoSOqeoulan.exe
PID 1576 wrote to memory of 2636	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	whoSOqeoulan.exe
PID 1576 wrote to memory of 2716	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	icacls.exe
PID 1576 wrote to memory of 2716	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	icacls.exe
PID 1576 wrote to memory of 2716	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	icacls.exe
PID 1576 wrote to memory of 2716	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	icacls.exe
PID 1576 wrote to memory of 2728	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	icacls.exe
PID 1576 wrote to memory of 2728	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	icacls.exe
PID 1576 wrote to memory of 2728	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	icacls.exe
PID 1576 wrote to memory of 2728	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	icacls.exe
PID 1576 wrote to memory of 3364	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	net.exe
PID 1576 wrote to memory of 3364	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	net.exe
PID 1576 wrote to memory of 3364	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	net.exe
PID 1576 wrote to memory of 3364	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	net.exe
PID 3364 wrote to memory of 3400	3364	net.exe	net1.exe
PID 3364 wrote to memory of 3400	3364	net.exe	net1.exe
PID 3364 wrote to memory of 3400	3364	net.exe	net1.exe
PID 3364 wrote to memory of 3400	3364	net.exe	net1.exe
PID 1576 wrote to memory of 3412	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	net.exe
PID 1576 wrote to memory of 3412	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	net.exe
PID 1576 wrote to memory of 3412	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	net.exe
PID 1576 wrote to memory of 3412	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	net.exe
PID 1576 wrote to memory of 3424	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	net.exe
PID 1576 wrote to memory of 3424	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	net.exe
PID 1576 wrote to memory of 3424	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	net.exe
PID 1576 wrote to memory of 3424	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	net.exe
PID 1576 wrote to memory of 3496	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	net.exe
PID 1576 wrote to memory of 3496	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	net.exe
PID 1576 wrote to memory of 3496	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	net.exe
PID 1576 wrote to memory of 3496	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	net.exe
PID 3424 wrote to memory of 3508	3424	net.exe	net1.exe
PID 3424 wrote to memory of 3508	3424	net.exe	net1.exe
PID 3424 wrote to memory of 3508	3424	net.exe	net1.exe
PID 3424 wrote to memory of 3508	3424	net.exe	net1.exe
PID 3412 wrote to memory of 3528	3412	net.exe	net1.exe
PID 3412 wrote to memory of 3528	3412	net.exe	net1.exe
PID 3412 wrote to memory of 3528	3412	net.exe	net1.exe
PID 3412 wrote to memory of 3528	3412	net.exe	net1.exe
PID 3496 wrote to memory of 3564	3496	net.exe	net1.exe
PID 3496 wrote to memory of 3564	3496	net.exe	net1.exe
PID 3496 wrote to memory of 3564	3496	net.exe	net1.exe
PID 3496 wrote to memory of 3564	3496	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
"C:\Users\Admin\AppData\Local\Temp\e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1576

C:\Users\Admin\AppData\Local\Temp\EZHzUZtjrrep.exe
"C:\Users\Admin\AppData\Local\Temp\EZHzUZtjrrep.exe" 9 REP
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1344

C:\Users\Admin\AppData\Local\Temp\jktuzTIDXlan.exe
"C:\Users\Admin\AppData\Local\Temp\jktuzTIDXlan.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Users\Admin\AppData\Local\Temp\whoSOqeoulan.exe
"C:\Users\Admin\AppData\Local\Temp\whoSOqeoulan.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2636

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2716

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2728

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3364

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3400

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3424

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3508

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3412

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3528

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\MSOCache\All Users\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.RYK

MD5
2aec45e68f34691dacb665f0bae19dad

SHA1
349143c9036eed0008eb58043c6c5949bc4b0804

SHA256
b6726d2f797c530dfb2f4e9cd6b1284926a265534faafba6ad4a29dcc4f6a954

SHA512
49dcbe6711631f263626d3db8017ad8ce4a7855a92ce84dfa88cf4e846a3aaa13e70188137c7a8070cff3b9b30033709be26f53f324dbe8479520f518049874f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

MD5
1167ccfe6d9738567f2996d167ad8004

SHA1
3888c86fcaff9da23c854e696c4364b9f0b69aba

SHA256
85a1d84662f34ad968fa9e5a3b3fd48685599d258109b635b31198c75b467a8f

SHA512
6bf85b4c111410ece556ae7fbae115e066c02651fe3442d762260a15ccf03b7b23a656d0c20b818a324292db98ecced2c15bb7e11538089cdff0d292eb9bb515

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

MD5
4061600eb07104ad775795a3cef18a73

SHA1
d61fb310a378a9ad2b2f1c90a6dfe39d6663cda7

SHA256
714ae41e9f399d33797aed3a30eccb8e9d9efd75f14724f37a010df348cc54fc

SHA512
f07b3e3919a422f2c057d1de765654e63636c5d8d2af1b8649327edb5be17308680865524383f6836a1fcd70b1cd3188bacf99948f501378accbd3fcb9db5d58

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.RYK

MD5
cd5017c13468b02fb6ce4f4ddc71e707

SHA1
4d866f35f56b9e8fd2e45a8399aa4119ba2997d3

SHA256
3f2b945ff71e6b3970eedcdc6635d9077b7e3fc8a15c4e7bcf61286cd07b1d3b

SHA512
b7c3099bf5a6a7b80144987d98cd7542d40f06245935ad66b4ed8ee91b5be975f9a6a270dfad4b19e7a26d106622081c23355924b0d3c14872b8392ec66582c3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

MD5
4022af0d0d94b14a8681e8bedf82e3d1

SHA1
975b73249ebde1f1406102085c437d1e9ea532f6

SHA256
cac178356280044575f1f5a513a4c96dd269e422f5e7d024e864e104a7cfeceb

SHA512
9ed76350aabf2e4f8ce9877242213a7ec06afeb5d06e81072d9ac6d1d493cacafcbe18e538b651eea2bdd2b1007e9d3179d82710125384c31172f4fa35ef3b84

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.RYK

MD5
5f470be1094aafc5d30acfcc9012d7b2

SHA1
87a4219587766b339201884a690526f6a99c53fb

SHA256
1f2676473a9fa29a3b010f2fd5fe35e9d76f01d14e60931998e401728159fc57

SHA512
68445cfd16308cd5d33cba1891fc981abd4a4853135fecb8894578aec5c1ecb22b3ef9e244fd6eba2d3329f1cbd8402f14be872f751dc50761ab9050abdbc72e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab

MD5
2e5d946babc1172cfd2707b488cca1a9

SHA1
f20a3de0eb7625e3099b60f6943cbe604b1190aa

SHA256
37df6e8f15522cc6419496b738effe2f2ffc87e0d47841cdc5b69e92688dce14

SHA512
d95f9b395985bb089b781e8626f0fb1e53ddc0d8e9e6b278b99229547a8695cc62a5df394869597e6c9e10ef1a55603733e6bb6741a992e6e2248bbcec0fb665

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
213e525d6ed1214528cd3e86bb14932c

SHA1
05be6b65c64138a7b134f3ed1fe1b433c9238b03

SHA256
9a0d5c0fc18e57575044ccd646f27dcec8b753641ffa6682d1b4ed27e9321354

SHA512
fe7d3eb690ec93a6e656bb31f0b3c837a9f1a6e869ddb88d0e99b50a8703b95d1a5a4a19bfec6ec3867225faa534b744b5e5f6629d7449d0dc1cb5542684e9a0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

MD5
d58a2ac9dc9665e73963ebc16b95ff1c

SHA1
253f825d48d18bb9e2e829085a947756b6df2e20

SHA256
a65de141b9da3e5a17b47656430df0797e61c1344009167b996e4049391be02d

SHA512
c9690730dda0f4abf2d5549bbb6c30a58b84fe39ad2c731f667435fd9826cab6dcf21a3722fd965785fa5fb16fbc9a7991f7b8f65bd851a8d6c58b303bb0c2ff

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

MD5
94418083993f9c9fa87c1d4032dadd67

SHA1
f9cbf6ad0107b7c0bb375b5d3679887962849757

SHA256
9421944722733c047b98dd006325f84b4c5f8c07d88a3ba78ca671195e31bd64

SHA512
9b272044c33b317d7340845f279ea33ed4e8b90c2c9c7b5579db01b56d331220c23fd1847f3fd394c9b9cc3f361be50d734060e19e547ee9c0a3261d9a252aa0

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

MD5
9c6864e30abfcc84a9b27c96f3d32a6d

SHA1
6887135109e9d9ac767f1ccaaf37a7657cedffa4

SHA256
fc3c3d75200e90a7e876ff7917359215424ec19026e1acb10b2f403bb946c332

SHA512
4c7500ae8c5b8ab1d0b708df7feb67eb109ce37161a9389c732ea03579ce4feb91042d501843be18c6d504cabbc9cee871c3503a8d2670b2a91bcba1419ccec4

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

MD5
0f306a27bb4fcb35d21948bf0f95621a

SHA1
6d04512558cd2c39f24430915317ea107b546fa8

SHA256
b866a75ec4d1e464269ca51a6197d33eb38631fd215fd0e7c8c33497deb0717f

SHA512
01d88de2ef885531f10bdac7d520d538a941f6eca2fc9f20da7378d16f732a194a5869f99f2f77971815030f2b0cc76487bf9d4b242a78e3c06888142e610d02

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
ce2e023375d3be47aa89ae52b41c343c

SHA1
16b19d0f631487d73f1467eccbe7dd2efb907a62

SHA256
6f389af76ee45c32632dfaa344fcc40daa5133f1f1efa0a72c4529c38dd3f307

SHA512
60a01efba8945d831b52d9004dac242ceec29b1770e828224f711f54791b4e7712040002ceee33c7a6bf24b44b6f5e11bd417ab218a59fbc6bcac6eb41f8d6f9

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

MD5
9c8b455eea8c40474ec9c23e6c98dd89

SHA1
328b88285cf961a6ab6c5fabac61d5bdc931bba4

SHA256
fc2e79e92c93c356d06de519c84938fcf428f232150bc925c1511cb253528e02

SHA512
91bb9b1d8b923fe3e1c200f954d0c2d210b37dfd8a0063574e6ace6be90dc0ed40a308ffe2bb57ff283baf036a067a34ca29d2305e893144047231d542a1e259

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

MD5
63c4fb3eb1bbd2d3d9bb69f377e7b122

SHA1
8aefd771cdb20976ef65bb665426d7d646844971

SHA256
bfb8db688d90f94533935f6de1ffba8bc491c2342e51a8475b7aa85124e3d71f

SHA512
09b8af291d3dfc0c8a1e765f17662c90c2ae859e491d9a4921f2e041580cd0874df3bf0d77718d65ffa1876656ffcdbcdd83e12d89f07240b9cb39d6712851c4

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.RYK

MD5
b4565f8c29bf83829850802e905d9e89

SHA1
4b0cf304cdef4a21a6a091026563363b91becb9e

SHA256
1752441d958bdfacfac4e4a3c3fae304d382f689f0d34cf1d34cb00d95e7bc13

SHA512
f151b9223d694c53000b76a31962f33d05b84d43ed87439ef1aa88dcc24baaaa24419cb2688ca632f51e70769ef45925bb725a208cadbfbe16470f884180655b

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
3064a92f7ed3f9b871a8ea4f3ba0890a

SHA1
2fcc54c9909e9d4cdf05a5291f92a62acab719b8

SHA256
82adccbd39a03da38ae8c2920a86c8ea9f21c32ef7b54eaa55cc7818d405117a

SHA512
11983da2482f4b80df1bf9474944fd966130f644fab43a6afbeecda4de5254bbcb8e49474bb1f1987930e3d9d1401b839554fa0400bbf0e3ac92ac6e8e54212b

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

MD5
de8199b7fe2e40ca8aebd6c078757690

SHA1
b44b387c3aa0a30ea67d49c384d523d56ebfb9f9

SHA256
cb9084b3a285097755fa347ff3cfc7097d3e5b51659e3be9981280f8f08befea

SHA512
98ba53892534214b212e36e494d424c1f87d1d753390194684643a709a0a283670fdedb39b3b48752e2fa4e29aecf642b0696448ed0d809512c4db28042366ad

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

MD5
7b15c32f9dd0677a1e06131227b123c8

SHA1
32ecae29549950b2e173bbdebc396ce95e7fbb2e

SHA256
fe92b8b1fe06a20f74aa3c8e72eb6a803eb6f096df144b974e103c26cd493621

SHA512
cdc5e13a1e2e77458b0a215b460aafe7b9253fa776b45fc1b822e506226077788a639802f7b5a62ac84c72358f4286eda0a4829ee73d7b08d627d63689c4f972

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

MD5
7c1565a0d32515e5bf00fdb4577eb55b

SHA1
d45dc9fcadd41a8d117ecd1c9406d5e5a7b46b27

SHA256
7b86a46c3ecfc02705c70263920f93cedef8620e980d987fe700662e29def805

SHA512
440fb9f213ccb62344348f0d5dddb728e86b5fcb34bf9860f9b171a52f14b50eb6e15e31a2d6aaa6eae1abcbbff214ecaf84e8e4c879be9074e5e93ad8ec0535

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
c95ffbd5a860ec679d4291bf40f1d2cb

SHA1
755c40468971d2c50f6426d5ad2cc40cc05fa373

SHA256
5cc199c8b1338644b863c9f7ca9a4300ba420eab80776dea46ad6fad51d959dc

SHA512
12b40c93829fdf2035a7d55a918db339af16773009387ce8179ac5cc9b3a6e6d8b06ffd0a0ec805caae009eedc7a45596968886eff2909c5b29e5ec3f9dc8d76

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.RYK

MD5
fa66a96fad61784c866c8e506c472f19

SHA1
f0fbdee2ef77a54e7a4e03d060b59f8c5dc6d57f

SHA256
d037b52e37513aaa795b0441c70d53194e572b84b73445d2c94957c41a46cee0

SHA512
2376a86a695c169aa4dd1e179802d739aec7dec6ccf5925f9549cd59cdb3046df11b25af765af000da5de2138af6a75be3c41396d1c270450dd090afe307862c

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

MD5
4931c477bc056ad55b3f93d115eed9c4

SHA1
a82c7fbca071729395013a748bc668e41c2f36c9

SHA256
8c0741618ca1771e17c881fad00756666aefdbac17efe3bf7347e2f999072155

SHA512
7430d1cd33a60d63d3491b12555d7de68a9315daa5d5ae2e8c0b8de4d887425f7aefd45591f538580e4b25cb14c9cc84de8ac0a5aad0a82e9a5d1412322255b6

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

MD5
64b1901d1b81a905738a14b6820718b6

SHA1
4e1cafa5dd7b68489861b6931ceafb8ccef24783

SHA256
122c6fb04bdd9bed71e67ae7038044d72e6cbd89e12971c00dbd4a98b1c62521

SHA512
333bb2e98519187064b92ddb5f01872bd5cfb379796127de2e3d1d8dae77518115a4833c3f986626b2375dda6036c489ce969a7f570ec4154de000a6f7c9c41e

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
294318ed25aab146685307abe8b3ed7a

SHA1
ac4048c6248adbe440fe2ba1e0054028b2a7137c

SHA256
b3e976fbc5a27d0213438dec3648f933dadc44e1ac0e233ee7f93e1e9a4294ec

SHA512
8952df4362d47f8bfc42249cabb06777cdd922553362eba1e9db1530c0bc10aa59c0c129637f1ef88e725bf19dec02c12af4d8b99de5db120171abbe441b1727

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
d0f2a3f794b89689c8fa68a6ee213622

SHA1
6f1fe8494d656998c4e1e6dd849645a8fb74f1fb

SHA256
a0d0861294c21cd2d542d11d47e06d10daab0934898f3e896b48e9faae84de75

SHA512
bc31ffb4ea468a36011144fea0bccf4f09954068bd65bf44630621aadeaa801f75cfc0dedd38fc7ee6a08e08aa86cd5f8d8c96cd6f43e6b8e1ade0743664ebdf

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.RYK

MD5
1802e0967a984da1f4cf1e594b66a1ed

SHA1
a547dbd6fabc2073bfc1a24c6a64c0ade3bfd7b1

SHA256
9ffdc8c6044462bafac0a322c3603df12d744d689179e8376cadcd7ca385c170

SHA512
7da0f353a8f2cd11c319b0262dae23f5a8503f3837bca6c2b1ab9e4f330a6a95ece9798661db346fdbfa0b475fbd5487f24640c3068181eb0d717f7e9854a117

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

MD5
6a93b431945352a8d38afa7bf914578f

SHA1
a9a08cfd10c8d9e141babebaa75103d012a7ee70

SHA256
11e3a97888e98a0d373b50d8a5f7f257ddfbf85b6ea22b618adacd4efdf064f1

SHA512
9905bae107864f929664c001a03d5b9af246696a37dd63a6f7bc687c018b086e134615fcc559e1b92cede34935de4beb2aac767fcdc2865d0482f99eec7924cb

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

MD5
593f48ea66f74c56bf9a9811020c77db

SHA1
91779bcfff0ae95bf493c1ca4f67d293e502f68c

SHA256
23c1e3e9626f3a7eee3b770a6b6d93b6ae096f325052c8362e93006440d37c90

SHA512
7c8037f4b5a0ee25ade14bbb4a93ce90d0b6e00cf95f48af5695ccc323a93560b25d16535ad134893dac75e9c2c5c1e83367fe3b6fb5fb572891efb87c0573c5

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

MD5
7a44bd6607fd189688f592b3e36ba560

SHA1
f959c53d109dc5c8dd1db5f59193eec0052ec9f0

SHA256
e772676e7abbbb4d71743bf87d7fd36b072ad302b15fde1cc29c05d83d005bde

SHA512
df1cbd087ff3ba71b97fbcce2170f1f1ace53140959f759c353f27b4ac6a5354ce0e9f453814d20bda46e542ef4b3f06e01e5d78ad4051c76cd447e6ccf13f33

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

MD5
e02bd7333e79618d486b10dc5146895b

SHA1
e564a3699901dc45fa7174a8e52b9df4c1cdc628

SHA256
35589e927055105825b9c0d9e87f3e76625debba98dc439e414d31f831efaa6d

SHA512
2623c74ad0bca2b1c38a70785c4c3ed6e2d066b16b6504aede2e6f40f976415b6ddbd24c81731716c04faea7ae81f5a34f7993a76f68db280f2ecae5947953de

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

MD5
0334798f239ff7eef90fd6f10d10046e

SHA1
7fddbcff37d88a3e4fb9335ec165a5fcddd4de2e

SHA256
90589cb06c4e73fc849ea2fba76c694aa77408c9a9648fcdd7b51ddf70866b0f

SHA512
cc93adf7b92a00d127a60266014744ec29f0d859d491fb497bae305113f6dfbaf7e619f4dc862d53825af5da7f3adecedf3266bb959cd66e698fa98225ff7f52

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

MD5
1661d85b41f4f9b0c0725a2de4f9d6a8

SHA1
bfac04da06f868b13fba5f8291630407bc983554

SHA256
c3382316083327870dbcef8c51d68e97149ae9d5d262b764e71fcccd9332f307

SHA512
61456c55354fb7ec526a202c9f1991a269ff3c38947fd72a3141ea9efebbd3da77c9f1266868db35677efd3f3a1040fd94a76089b05d2d3837d944dd6132e598

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

MD5
5a8f2cc89314c9363484503508d864ac

SHA1
b90bdd0e8b49e334b53be15c594383b95897c466

SHA256
9114ebb90824e79988c90e24a7573e13dc7471bd8be437adee40cc7ed180a6a1

SHA512
9a2f3cb0c0f745a0d66f66640b9488981fcb929106168a33e23b130a1d249c48dd321547b816cbea31c285e062a860a5a6fbcacc147af2ecb2ca513b43e2b0f0

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

MD5
2965cb646de266ade6201f4afa4b66de

SHA1
92b06badebdd989f051f5067c1c135abe007495a

SHA256
d2be0caa1a933371eb349dcc23fd94543ac64d9daecfd73b0e28190109ddf514

SHA512
d5f7c994088a0fd3337c3014bd038d63460849d7e2d5e19facd57403c713011ad783b048ae637217f39342cbebfdf0ae3f36fe36d99c45a5aaceb41540f6a270

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK

MD5
f62edff9fbcde6227cc514714c4db155

SHA1
d49c9c05d50a2839aa28e31321676dcb9cece722

SHA256
bdccf124813651148a31f3e6aa0c95782c9863b5b7658fde88f14c5416319eae

SHA512
d3a9d841ee03b84d672ffaa1a168e3d011228c7523a16d70329c95559258519a65408a1f694ebf978b27eab00998a075b074c540f9b333a0e56cc8dc79023a13

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

MD5
7c7ac67f8b331acb0f758b7569c107c1

SHA1
f5fc27a2ba576b9a03c6eb4acb8cdd5df3c36593

SHA256
d65746818cbc3787caf4e10680f47381d2cb0930e7c11623e6b53cafe86a69ae

SHA512
c74d5115c5bc46b31b3b762ded01bca375b95e0d5ae3ba83532dfc5352bba592c9a9cb29bc3224470eacbcabb225c638d00c8f34e89d34d60cb44ef2cf2939ab

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

MD5
ed2bc2ab020265c878a8959279e11161

SHA1
95bcfa0214326365c77f84c24e11e76f55d35ec2

SHA256
fd89713766542b56285f646d5cf77af9f14bda0e78b8597bc167af95530abe49

SHA512
a16ccfb734ac4f859c538c34e7dfbe093050e5a04229b3ad30a85b254faf1dcb019bb733924e964c9b052aaf8d915b72ecf7f2ea585f41008bab96acfd265ceb

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

MD5
68ed03998cefc5fa117ab4ef3ac375dc

SHA1
45b58bfdc7858907e10245a11233b7283674c895

SHA256
0606de13b01ae442a6fa485bb14ca0bba964db274c2d2448c81c656feba08a17

SHA512
ee9d5efe470faaa1d854b42d9fd30609db9f80a6b50e415d79cfdcbee030fffd758fb958aa30a7d5ccba97593cee2764eed2b1f52115082d417391f1c031ea80

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

MD5
9f946143f4877233f6a8642d70dac05c

SHA1
024e49cb1e840d7d0d6f2d582d7a6e22ed00bd6b

SHA256
5caa0d4cbbdfbbf049d44deb6a4467a270af3f217ef33e765d5f8c46ec5dc2f9

SHA512
eeda6a82def6b8b32e6f04f4426fcadb37be802da0b68aa49233a77a2fb48607b265fc5651289f062ff07ef84dbcca4c3bdee34246e1102bdf8fc3c1f57506f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EZHzUZtjrrep.exe

MD5
c5cd1f0fe551a0ce5678a7c9d86e6450

SHA1
f584c89c1539520f280efd9bcd4cb3da37588979

SHA256
e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894

SHA512
40f9578b711e41cd166b24b8aa0bfb6dee01a8e4a46eb54591e61d97cfc5a83dc58fb4256dc05f756274cda65ad5d680f9e370ad0c825861fd7080e5da5fd2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jktuzTIDXlan.exe

MD5
c5cd1f0fe551a0ce5678a7c9d86e6450

SHA1
f584c89c1539520f280efd9bcd4cb3da37588979

SHA256
e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894

SHA512
40f9578b711e41cd166b24b8aa0bfb6dee01a8e4a46eb54591e61d97cfc5a83dc58fb4256dc05f756274cda65ad5d680f9e370ad0c825861fd7080e5da5fd2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\whoSOqeoulan.exe

MD5
c5cd1f0fe551a0ce5678a7c9d86e6450

SHA1
f584c89c1539520f280efd9bcd4cb3da37588979

SHA256
e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894

SHA512
40f9578b711e41cd166b24b8aa0bfb6dee01a8e4a46eb54591e61d97cfc5a83dc58fb4256dc05f756274cda65ad5d680f9e370ad0c825861fd7080e5da5fd2e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3825035466-2522850611-591511364-1000\0f5007522459c86e95ffcc62f32308f1_fc0e0041-a258-4d5d-ad46-ed56e156a8eb

MD5
1d1df920391ed71667ec5cdd9817981d

SHA1
e6e579be4c12d18bba2f1319702e88f8aadcc87a

SHA256
9e4519d6298a3b7d43934623f1362faa9a11e719ba9213ae513d1d9e12b4b8d9

SHA512
e55e8e73fe6b7ab7fb884d8fee62d02d0ccaa96d7abb1202f653c10826001c38b883fc624eb3ae1a9b60f4691920cbf6d282d93220ab7b230c89455a26bc340f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3825035466-2522850611-591511364-1000\0f5007522459c86e95ffcc62f32308f1_fc0e0041-a258-4d5d-ad46-ed56e156a8eb

MD5
7d61aa5187ee4f968245386be18dfd75

SHA1
c2a8385f22a1cd4da6a168abd3184d2c88df1b90

SHA256
0fac373d78b50649e657e006b1f445f5587f4255694bf7937b12643900256e20

SHA512
38daef695370f4ecaa6424ae050b1d55cfe307ca2d09216206d53922c3652e7451acd7198ff341636171ee3785933f7bf5a5a06bbd87d41705b359dace16c8a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3825035466-2522850611-591511364-1000\0f5007522459c86e95ffcc62f32308f1_fc0e0041-a258-4d5d-ad46-ed56e156a8eb

MD5
7d61aa5187ee4f968245386be18dfd75

SHA1
c2a8385f22a1cd4da6a168abd3184d2c88df1b90

SHA256
0fac373d78b50649e657e006b1f445f5587f4255694bf7937b12643900256e20

SHA512
38daef695370f4ecaa6424ae050b1d55cfe307ca2d09216206d53922c3652e7451acd7198ff341636171ee3785933f7bf5a5a06bbd87d41705b359dace16c8a7

Download Submit
C:\users\Public\RyukReadMe.html

MD5
8e7aa2443e19f97aa13262eeeb14facd

SHA1
6ee3e46fa0d73ee3960d23af7f765aeeb0125dc7

SHA256
52d303f9bde66a9b9181e406e14cf43de38afa74f5a32dc0fd45f5ff6cebc406

SHA512
1662d137a3a460043ef7982f267ad210477eaf03f69f41edea076cf943eba4276af0c0b43bc996517a8a5ab29934182c16430becbe44da17b586eee6f4bd4b80

Download Submit
\Users\Admin\AppData\Local\Temp\EZHzUZtjrrep.exe

MD5
c5cd1f0fe551a0ce5678a7c9d86e6450

SHA1
f584c89c1539520f280efd9bcd4cb3da37588979

SHA256
e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894

SHA512
40f9578b711e41cd166b24b8aa0bfb6dee01a8e4a46eb54591e61d97cfc5a83dc58fb4256dc05f756274cda65ad5d680f9e370ad0c825861fd7080e5da5fd2e4

Download Submit
\Users\Admin\AppData\Local\Temp\EZHzUZtjrrep.exe

MD5
c5cd1f0fe551a0ce5678a7c9d86e6450

SHA1
f584c89c1539520f280efd9bcd4cb3da37588979

SHA256
e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894

SHA512
40f9578b711e41cd166b24b8aa0bfb6dee01a8e4a46eb54591e61d97cfc5a83dc58fb4256dc05f756274cda65ad5d680f9e370ad0c825861fd7080e5da5fd2e4

Download Submit
\Users\Admin\AppData\Local\Temp\jktuzTIDXlan.exe

MD5
c5cd1f0fe551a0ce5678a7c9d86e6450

SHA1
f584c89c1539520f280efd9bcd4cb3da37588979

SHA256
e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894

SHA512
40f9578b711e41cd166b24b8aa0bfb6dee01a8e4a46eb54591e61d97cfc5a83dc58fb4256dc05f756274cda65ad5d680f9e370ad0c825861fd7080e5da5fd2e4

Download Submit
\Users\Admin\AppData\Local\Temp\jktuzTIDXlan.exe

MD5
c5cd1f0fe551a0ce5678a7c9d86e6450

SHA1
f584c89c1539520f280efd9bcd4cb3da37588979

SHA256
e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894

SHA512
40f9578b711e41cd166b24b8aa0bfb6dee01a8e4a46eb54591e61d97cfc5a83dc58fb4256dc05f756274cda65ad5d680f9e370ad0c825861fd7080e5da5fd2e4

Download Submit
\Users\Admin\AppData\Local\Temp\whoSOqeoulan.exe

MD5
c5cd1f0fe551a0ce5678a7c9d86e6450

SHA1
f584c89c1539520f280efd9bcd4cb3da37588979

SHA256
e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894

SHA512
40f9578b711e41cd166b24b8aa0bfb6dee01a8e4a46eb54591e61d97cfc5a83dc58fb4256dc05f756274cda65ad5d680f9e370ad0c825861fd7080e5da5fd2e4

Download Submit
\Users\Admin\AppData\Local\Temp\whoSOqeoulan.exe

MD5
c5cd1f0fe551a0ce5678a7c9d86e6450

SHA1
f584c89c1539520f280efd9bcd4cb3da37588979

SHA256
e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894

SHA512
40f9578b711e41cd166b24b8aa0bfb6dee01a8e4a46eb54591e61d97cfc5a83dc58fb4256dc05f756274cda65ad5d680f9e370ad0c825861fd7080e5da5fd2e4

Download Submit
memory/1344-8-0x0000000000000000-mapping.dmp

Download
memory/1344-12-0x0000000000680000-0x00000000006A4000-memory.dmp

Filesize
144KB

Download
memory/1576-4-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1576-3-0x00000000003D0000-0x00000000003F4000-memory.dmp

Filesize
144KB

Download
memory/1576-2-0x0000000075A41000-0x0000000075A43000-memory.dmp

Filesize
8KB

Download
memory/1576-5-0x00000000002D0000-0x00000000002F1000-memory.dmp

Filesize
132KB

Download
memory/1584-21-0x0000000002050000-0x0000000002074000-memory.dmp

Filesize
144KB

Download
memory/1584-17-0x0000000000000000-mapping.dmp

Download
memory/2636-26-0x0000000000000000-mapping.dmp

Download
memory/2636-30-0x00000000002C0000-0x00000000002E4000-memory.dmp

Filesize
144KB

Download
memory/2716-34-0x0000000000000000-mapping.dmp

Download
memory/2728-35-0x0000000000000000-mapping.dmp

Download
memory/3364-87-0x0000000000000000-mapping.dmp

Download
memory/3400-88-0x0000000000000000-mapping.dmp

Download
memory/3412-89-0x0000000000000000-mapping.dmp

Download
memory/3424-90-0x0000000000000000-mapping.dmp

Download
memory/3496-91-0x0000000000000000-mapping.dmp

Download
memory/3508-92-0x0000000000000000-mapping.dmp

Download
memory/3528-93-0x0000000000000000-mapping.dmp

Download
memory/3564-94-0x0000000000000000-mapping.dmp

Download