ryuk | 23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f

Analysis

max time kernel
300s
max time network
103s
platform
windows7_x64
resource
win7v20210410
submitted
27-04-2021 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

unequal-impact.exe
Size

121KB
MD5

7364f6222ac58896e8920f32e4d30aac
SHA1

915fd6fb4e20909025f876f3bb453ec52e21b7be
SHA256

23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f
SHA512

f5e2b5a17ed04c7edb904e867cec2f66a59b887176bd3e25803e82a390fc36fc47002df747099ca4e6960f020afe1137f4ba24b28613423b5de0b09ff7048026

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'RCCF8gd'; $torlink = 'http://rdmnobnbtxh5sm3iiczazaregkpyyub3gktwneeehx62tyot5bc4qhad.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://rdmnobnbtxh5sm3iiczazaregkpyyub3gktwneeehx62tyot5bc4qhad.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

FMmGpAvYHrep.exeezdJSzoSSlan.exexDlhaHqqllan.exe

pid process

1452 FMmGpAvYHrep.exe
1644 ezdJSzoSSlan.exe
268 xDlhaHqqllan.exe

pid	process
1452	FMmGpAvYHrep.exe
1644	ezdJSzoSSlan.exe
268	xDlhaHqqllan.exe

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

unequal-impact.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\HideEdit.tif.RYK	unequal-impact.exe
File opened for modification	C:\Users\Admin\Pictures\SetSearch.tif.RYK	unequal-impact.exe
File opened for modification	C:\Users\Admin\Pictures\PublishWrite.tif.RYK	unequal-impact.exe
File opened for modification	C:\Users\Admin\Pictures\UnblockWrite.crw.RYK	unequal-impact.exe
File opened for modification	C:\Users\Admin\Pictures\DismountDebug.raw.RYK	unequal-impact.exe
File opened for modification	C:\Users\Admin\Pictures\RepairStep.crw.RYK	unequal-impact.exe
File opened for modification	C:\Users\Admin\Pictures\SendRedo.tiff.RYK	unequal-impact.exe
File opened for modification	C:\Users\Admin\Pictures\SearchInitialize.crw.RYK	unequal-impact.exe
File opened for modification	C:\Users\Admin\Pictures\StepPush.tiff.RYK	unequal-impact.exe
File opened for modification	C:\Users\Admin\Pictures\UnpublishUnregister.tiff.RYK	unequal-impact.exe

Loads dropped DLL 6 IoCs

Processes:

unequal-impact.exe

pid process

452 unequal-impact.exe
452 unequal-impact.exe
452 unequal-impact.exe
452 unequal-impact.exe
452 unequal-impact.exe
452 unequal-impact.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

2688 icacls.exe
2700 icacls.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

unequal-impact.exe

description ioc process

File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI unequal-impact.exe

pid	process
452	unequal-impact.exe
452	unequal-impact.exe
452	unequal-impact.exe
452	unequal-impact.exe
452	unequal-impact.exe
452	unequal-impact.exe

pid	process
2688	icacls.exe
2700	icacls.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	unequal-impact.exe

Drops file in Program Files directory 64 IoCs

Processes:

unequal-impact.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar	unequal-impact.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiler.xml	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02753U.BMP	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14692_.GIF	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105600.WMF.RYK	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309902.WMF	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382960.JPG	unequal-impact.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightItalic.ttf.RYK	unequal-impact.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml.RYK	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\StatusOnline.ico.RYK	unequal-impact.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jakarta	unequal-impact.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-util-enumerations.jar	unequal-impact.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\header-background.png	unequal-impact.exe
File opened for modification	C:\Program Files\Java\jre7\lib\charsets.jar	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\IETAG.DLL	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01634_.WMF	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_alignright.gif	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEB11.POC	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPQUOT.XML.RYK	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00046_.WMF	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145373.JPG	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\AD.XML	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00274_.WMF.RYK	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0222019.WMF.RYK	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHSRN.DAT.RYK	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART5.BDR.RYK	unequal-impact.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Ashgabat	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\RM.DLL	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\SLATE.INF.RYK	unequal-impact.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\RyukReadMe.html	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX8.x3d	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD07831_.WMF.RYK	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMask.bmp	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Pitchbook.potx	unequal-impact.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml.RYK	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImages16x16.jpg.RYK	unequal-impact.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-search_zh_CN.jar	unequal-impact.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\RyukReadMe.html	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03236_.WMF.RYK	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\TAB_OFF.GIF.RYK	unequal-impact.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\scrapbook.png	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00261_.WMF.RYK	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02077_.GIF.RYK	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21337_.GIF.RYK	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\TAB_ON.GIF.RYK	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00452_.WMF	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLSTS.ICO	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FORM.JS	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Author2XML.XSL.RYK	unequal-impact.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.oracle.jmc.executable.win32.win32.x86_64_5.5.0	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\APPLAUSE.WAV	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02450_.WMF.RYK	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.RuntimeUi.xml.RYK	unequal-impact.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02161_.WMF.RYK	unequal-impact.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.filetransfer_5.0.0.v20140827-1444.jar	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\tesselate.x3d	unequal-impact.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-templates.xml.RYK	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01356_.WMF.RYK	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01219_.GIF.RYK	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00211_.WMF	unequal-impact.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplate.html	unequal-impact.exe
File opened for modification	C:\Program Files\Java\jre7\lib\management\management.properties.RYK	unequal-impact.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml.RYK	unequal-impact.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

SCHTASKS.exe

pid process

7996 SCHTASKS.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

unequal-impact.exe

pid process

452 unequal-impact.exe
452 unequal-impact.exe
452 unequal-impact.exe
452 unequal-impact.exe
452 unequal-impact.exe
452 unequal-impact.exe

pid	process
7996	SCHTASKS.exe

pid	process
452	unequal-impact.exe
452	unequal-impact.exe
452	unequal-impact.exe
452	unequal-impact.exe
452	unequal-impact.exe
452	unequal-impact.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

unequal-impact.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 452 wrote to memory of 1452	452	unequal-impact.exe	FMmGpAvYHrep.exe
PID 452 wrote to memory of 1452	452	unequal-impact.exe	FMmGpAvYHrep.exe
PID 452 wrote to memory of 1452	452	unequal-impact.exe	FMmGpAvYHrep.exe
PID 452 wrote to memory of 1452	452	unequal-impact.exe	FMmGpAvYHrep.exe
PID 452 wrote to memory of 1644	452	unequal-impact.exe	ezdJSzoSSlan.exe
PID 452 wrote to memory of 1644	452	unequal-impact.exe	ezdJSzoSSlan.exe
PID 452 wrote to memory of 1644	452	unequal-impact.exe	ezdJSzoSSlan.exe
PID 452 wrote to memory of 1644	452	unequal-impact.exe	ezdJSzoSSlan.exe
PID 452 wrote to memory of 268	452	unequal-impact.exe	xDlhaHqqllan.exe
PID 452 wrote to memory of 268	452	unequal-impact.exe	xDlhaHqqllan.exe
PID 452 wrote to memory of 268	452	unequal-impact.exe	xDlhaHqqllan.exe
PID 452 wrote to memory of 268	452	unequal-impact.exe	xDlhaHqqllan.exe
PID 452 wrote to memory of 2688	452	unequal-impact.exe	icacls.exe
PID 452 wrote to memory of 2688	452	unequal-impact.exe	icacls.exe
PID 452 wrote to memory of 2688	452	unequal-impact.exe	icacls.exe
PID 452 wrote to memory of 2688	452	unequal-impact.exe	icacls.exe
PID 452 wrote to memory of 2700	452	unequal-impact.exe	icacls.exe
PID 452 wrote to memory of 2700	452	unequal-impact.exe	icacls.exe
PID 452 wrote to memory of 2700	452	unequal-impact.exe	icacls.exe
PID 452 wrote to memory of 2700	452	unequal-impact.exe	icacls.exe
PID 452 wrote to memory of 3488	452	unequal-impact.exe	net.exe
PID 452 wrote to memory of 3488	452	unequal-impact.exe	net.exe
PID 452 wrote to memory of 3488	452	unequal-impact.exe	net.exe
PID 452 wrote to memory of 3488	452	unequal-impact.exe	net.exe
PID 3488 wrote to memory of 3536	3488	net.exe	net1.exe
PID 3488 wrote to memory of 3536	3488	net.exe	net1.exe
PID 3488 wrote to memory of 3536	3488	net.exe	net1.exe
PID 3488 wrote to memory of 3536	3488	net.exe	net1.exe
PID 452 wrote to memory of 3556	452	unequal-impact.exe	net.exe
PID 452 wrote to memory of 3556	452	unequal-impact.exe	net.exe
PID 452 wrote to memory of 3556	452	unequal-impact.exe	net.exe
PID 452 wrote to memory of 3556	452	unequal-impact.exe	net.exe
PID 3556 wrote to memory of 3680	3556	net.exe	net1.exe
PID 3556 wrote to memory of 3680	3556	net.exe	net1.exe
PID 3556 wrote to memory of 3680	3556	net.exe	net1.exe
PID 3556 wrote to memory of 3680	3556	net.exe	net1.exe
PID 452 wrote to memory of 3736	452	unequal-impact.exe	net.exe
PID 452 wrote to memory of 3736	452	unequal-impact.exe	net.exe
PID 452 wrote to memory of 3736	452	unequal-impact.exe	net.exe
PID 452 wrote to memory of 3736	452	unequal-impact.exe	net.exe
PID 3736 wrote to memory of 3764	3736	net.exe	net1.exe
PID 3736 wrote to memory of 3764	3736	net.exe	net1.exe
PID 3736 wrote to memory of 3764	3736	net.exe	net1.exe
PID 3736 wrote to memory of 3764	3736	net.exe	net1.exe
PID 452 wrote to memory of 3796	452	unequal-impact.exe	net.exe
PID 452 wrote to memory of 3796	452	unequal-impact.exe	net.exe
PID 452 wrote to memory of 3796	452	unequal-impact.exe	net.exe
PID 452 wrote to memory of 3796	452	unequal-impact.exe	net.exe
PID 3796 wrote to memory of 3984	3796	net.exe	net1.exe
PID 3796 wrote to memory of 3984	3796	net.exe	net1.exe
PID 3796 wrote to memory of 3984	3796	net.exe	net1.exe
PID 3796 wrote to memory of 3984	3796	net.exe	net1.exe
PID 452 wrote to memory of 8168	452	unequal-impact.exe	net.exe
PID 452 wrote to memory of 8168	452	unequal-impact.exe	net.exe
PID 452 wrote to memory of 8168	452	unequal-impact.exe	net.exe
PID 452 wrote to memory of 8168	452	unequal-impact.exe	net.exe
PID 8168 wrote to memory of 7292	8168	net.exe	net1.exe
PID 8168 wrote to memory of 7292	8168	net.exe	net1.exe
PID 8168 wrote to memory of 7292	8168	net.exe	net1.exe
PID 8168 wrote to memory of 7292	8168	net.exe	net1.exe
PID 452 wrote to memory of 6352	452	unequal-impact.exe	net.exe
PID 452 wrote to memory of 6352	452	unequal-impact.exe	net.exe
PID 452 wrote to memory of 6352	452	unequal-impact.exe	net.exe
PID 452 wrote to memory of 6352	452	unequal-impact.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\unequal-impact.exe
"C:\Users\Admin\AppData\Local\Temp\unequal-impact.exe"
1⤵
- Modifies extensions of user files
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:452

C:\Users\Admin\AppData\Local\Temp\FMmGpAvYHrep.exe
"C:\Users\Admin\AppData\Local\Temp\FMmGpAvYHrep.exe" 9 REP
2⤵
- Executes dropped EXE
PID:1452

C:\Users\Admin\AppData\Local\Temp\ezdJSzoSSlan.exe
"C:\Users\Admin\AppData\Local\Temp\ezdJSzoSSlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:1644

C:\Users\Admin\AppData\Local\Temp\xDlhaHqqllan.exe
"C:\Users\Admin\AppData\Local\Temp\xDlhaHqqllan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:268

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2688

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2700

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3536

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3680

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3736

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3764

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3984

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:8168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:7292

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:6352

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:7640

C:\Windows\SysWOW64\SCHTASKS.exe
SCHTASKS /CREATE /NP /SC DAILY /TN "PrintkC" /TR "C:\Windows\System32\cmd.exe /c for /l %x in (1,1,50) do start wordpad.exe /p C:\users\Public\jjIVP.dll" /ST 10:25 /SD 04/28/2021 /ED 05/05/2021
2⤵
- Creates scheduled task(s)
PID:7996

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:8848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:8876

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:8896

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:8924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

MD5
3102c42bec3ed017eb9f7cef4b90fa24

SHA1
dd1ce3e68bdd64891994277ac7cb5f3360c9b6c4

SHA256
2096e6a29e5535ef5be591e3c32f90e1c8ae8f8b0f9f549a24ad0a9d8b708019

SHA512
64f728fd740c0eae33a3c850d8fdca53c7a9239b2d817cc7f0024d1b1267b77295f7cb4fd9554679ec247ba3a242fc1e0f565ceaf5719e420a8782bad8b0a63c

Download Submit
C:\MSOCache\All Users\RyukReadMe.html

MD5
3102c42bec3ed017eb9f7cef4b90fa24

SHA1
dd1ce3e68bdd64891994277ac7cb5f3360c9b6c4

SHA256
2096e6a29e5535ef5be591e3c32f90e1c8ae8f8b0f9f549a24ad0a9d8b708019

SHA512
64f728fd740c0eae33a3c850d8fdca53c7a9239b2d817cc7f0024d1b1267b77295f7cb4fd9554679ec247ba3a242fc1e0f565ceaf5719e420a8782bad8b0a63c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.RYK

MD5
7c83b0fc9ccc3b76acff662f82cea092

SHA1
01ffdc143a602dacf56637394bd50dabd67d8da5

SHA256
39693a5fe40f504563c5db80f1e7769e7297e79c076852c0714a3b8aa0779e93

SHA512
02bed905df13c8a3702e8bf16f022a6942b5021bd09b4f47b2f723565b49424f52f0541e1482b3c52a5eb5f1800bdd2032de2abb25ff269e8cefdec41b702c1d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

MD5
5c3b0cde68396d385706d59680f8e385

SHA1
ad6e8ddb172a5cf02eff2503c5442912d23f6f72

SHA256
419783a5a751c1faf364be0a77f52497be3f35a3882c5d04f9cda0fa3c207f41

SHA512
1e4d8e215f92611fc71f6cfca6c9860ba6359deff01624650e9e9ee7ccaddaa7a1cc4e6edd895278e14053f4c447c8e8af34ed9fc2f36f8a4a5317100ee7d57f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

MD5
e0e40cc1880b67ee06ccc2d10f33b978

SHA1
8a947f10a9410c2fa77e8c09200c7ab24ebed78b

SHA256
64351371d6bf4c519b754bcf713fb311a916a9c070293e08646050a901340615

SHA512
8dcb2a39e7dcf9f7e97fcdbce237a4d20a37b22f5eb889cdcbe691efe54b0c2d46d250cefaa5b4348f8b2ec782de389f0c6d71fb64e9df773f5d78994ae3d9e7

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.RYK

MD5
2d8312af95338468156875decd2bd010

SHA1
1afdc425fce0aa230633321c7b67e443412c7a65

SHA256
0d8794c225afbd9db1024c3daaa9b6407b915b469d241a6cbf4e7c8bae164feb

SHA512
56fb8b7b298c0f80c70c4b055de764390de5444fcb258ef1eced1df603ae37bf51bb6f18020dcd2157127e304aeb9906f04e2c3c336ef1d0f1663fffa074a86d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

MD5
2d20e4bb3b799ea00493c94a31d7bc2c

SHA1
3878ab8b2c6ba96f82acb83139d51c6fb48bf572

SHA256
d95dcd7b6db220e739760cb212293f14729652f25fb92f1d34c59be50f2d709a

SHA512
00f09e374bee11ded5fd3b64ffbeff4db83c5cf991f9dd57687b76216b744705298927982c6d0125044693fd403474a6f8e402ab3be124f3d354f92e96af1a40

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.RYK

MD5
2323ade02b8bad965366297c999ef0c5

SHA1
35d8edaf1ae23d1b6ef9f381cfc69fa81cbc34e3

SHA256
4bbcd2d64714acfc117ecf8ec7a818740f4aeacf6c44154ed653981082f33214

SHA512
9c293f5cbc0558e35f129700be096c586bcf7b6163263149cac018cd610b0097a3b6cbf128edefa70b2ce6942bc9c13d5a73d4de7d343ff3f1ffcbcfb1205116

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab

MD5
4534fdc27e4594390fbfa04f16115b4e

SHA1
42cf0615a76efc47255438d7c248b14d9779af22

SHA256
a9e37887351668411bc9ccefafaf3a61935668b5d662ebb94ce2a06c6f2e9673

SHA512
3392cdf318c1981b59206053e13b00d1dca480c3965249e754f0d845b1332ebe5103622f3a93d92c9755a1fe9b13b11a813021bc4c9d98825467312f6e7a051c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
3102c42bec3ed017eb9f7cef4b90fa24

SHA1
dd1ce3e68bdd64891994277ac7cb5f3360c9b6c4

SHA256
2096e6a29e5535ef5be591e3c32f90e1c8ae8f8b0f9f549a24ad0a9d8b708019

SHA512
64f728fd740c0eae33a3c850d8fdca53c7a9239b2d817cc7f0024d1b1267b77295f7cb4fd9554679ec247ba3a242fc1e0f565ceaf5719e420a8782bad8b0a63c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
43e4d7d51a7f11a9a343c55a9eba79a1

SHA1
566e20783aa1c153f3ee9ace4e3b036874f89d32

SHA256
976262892375a18c07190c6b360b11198de918b26f27e0ec4a3a77b32fe7cd1a

SHA512
df7728d21db85bf46bb0f55c288ae1b79c71c64ad810669fdd2869ba9841644edc0f3df786884f02aff477bd96a0ac8ccb7680a0c6abc0bdf9c4636ac5fd3729

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

MD5
4c4e4fe8141265219eb3f0749c9e910f

SHA1
d78c05701453b4250a8cd0bde5e8d44b805da243

SHA256
52ea1ac3c4efef37a6f8701bc081e0854165a52504790685ba7ccec47f457fee

SHA512
7d68735b2f35132adf3bde0df4379473f67f34cfadb59e76e2944f2451d46f6ba1b220abbe36839e0723900acc53459b716432392c31486cde7c20f7c58fca22

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab

MD5
5939027fb9d270d7f55e3d437ddf3e21

SHA1
324501f36fb079caccbebafa3664f1e87fd26957

SHA256
cae8a2e0a0fd8a1af110b86c4a2b71a62e371766f9eb93db3a36cedf61ab181a

SHA512
9c5e045c738762488a9805267c7bd0109fe30bf4dac94c39fa895a65dcf151d63211845102527074bc4442a50594040492c4c84a19eb43facb0f5812622aaa3e

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

MD5
55c6f16f63c302ff62827180e66af5fd

SHA1
e53ff4a2a48305f30b9191be3c6d101c0cd9654d

SHA256
dca8027f362ff9e3b4b6d6f8902d9b1a9ff578780e4af70e736f9aa7a56a02df

SHA512
c7a2edea0332997068fbe01c4a97aea9267388fedf93d14c31d9553c39f278de9bc4f18cabf235fd900333e736d3059dfe0f0751ee0250b12a4f7d38fb244ec2

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

MD5
251f54cb2bfa5fd1ea2dd449dba3ca2a

SHA1
345b07648f4ae19c329d92d97bd226de67a135b2

SHA256
75bea59a04d9495c0909b922a7e7951b06296d8198547decdf744933a24d2679

SHA512
d18ad20a10e858ec6634edebeff9f8837e10620d90c21f6064a44268df593b7a78c964dc01185384b35d8b208f7072e65b2ac878f36c56de1172f1e9daf82c2b

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
3102c42bec3ed017eb9f7cef4b90fa24

SHA1
dd1ce3e68bdd64891994277ac7cb5f3360c9b6c4

SHA256
2096e6a29e5535ef5be591e3c32f90e1c8ae8f8b0f9f549a24ad0a9d8b708019

SHA512
64f728fd740c0eae33a3c850d8fdca53c7a9239b2d817cc7f0024d1b1267b77295f7cb4fd9554679ec247ba3a242fc1e0f565ceaf5719e420a8782bad8b0a63c

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
15338ecf7f5f84c78097441716f8c712

SHA1
4f1a42755e4c39f10868d430f274944126ef6938

SHA256
cf28e07a2a0d52e1868b335b6eee461083bd7502f7386531863fe08fad3ddeff

SHA512
c158e63fc5ad9e3eb16636450ae12aed92b4d56fa4dc3f004341ac8907c7dc0975804563e20b4f55f9b26fd4a3b7f94c73649822d49c98bbba2d3364f083a1c8

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

MD5
a95dfa2c9040c5b61a6c7a27836060fb

SHA1
f61f5c73526adb576de48477b77529261c3844cd

SHA256
a479485f616247d8b11700f066ada752f8c4c5aebcd0e75045171800da4c235f

SHA512
8e8b8a09d1eb88943d06fdc08a006cdd9591b6d7d8536eb4d90b4e6d6767557debcefa9be2afe8b0375aba04a6862cf1af2dd7d9868b67599f1aee08f32d0c0d

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

MD5
93de9b0e1abb4787852eff417d3e03e0

SHA1
2393d7120f36eacca4f89473fa8ee0386d8a8300

SHA256
f799f7fd49d6a209101be95b485b412b1e06d66a37d883f5490e249824aed16d

SHA512
2afd08670a626939900fa09a841c15055d0ca13645ac28dd6e881b3ee63f6857262b550a9046a03f8ce0ccac8f65b9fa967f9297d4864b48ce2a9607392e0076

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.RYK

MD5
d4fe7f6bcf2defca8ba4cb237b1dd1e3

SHA1
9ba4d14fa8fe21a9be25076994850bc927c1824b

SHA256
0c43254b77be10d5b2e5244c76dbe9ad4155421ec8bbaf21ff49fe57bd227430

SHA512
76300b49d9208ca103d9297cb87796c58acd125fbbce83f4bdcce067251c6a98f67af419b87cb931f980b419567261a84c8c362f6765e8e86da33ef68a14df30

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
3102c42bec3ed017eb9f7cef4b90fa24

SHA1
dd1ce3e68bdd64891994277ac7cb5f3360c9b6c4

SHA256
2096e6a29e5535ef5be591e3c32f90e1c8ae8f8b0f9f549a24ad0a9d8b708019

SHA512
64f728fd740c0eae33a3c850d8fdca53c7a9239b2d817cc7f0024d1b1267b77295f7cb4fd9554679ec247ba3a242fc1e0f565ceaf5719e420a8782bad8b0a63c

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
0c3741e9a78b6481fb95aa55b0701e93

SHA1
39b590ba6c27609171fd5283717556231bb3b4b0

SHA256
c9881c07eb27c5ce0467612eea48a1c65d17f9805297bc2db9d5e433d2ac5286

SHA512
48c2f3a1aa82ee3096e93a82a52a19b14120646f7a7b4c2215e8a56b3a188662d814aac853626ecffae517d43d819af228721d18eb5be1f9c7c40e1ad4e38a7d

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

MD5
ccc686129dc23b29a43c5062ad771992

SHA1
cc324569ce832e881db4618d7a75a5fdc5bf4f43

SHA256
20795edad76a24311df678df978103a94a3351136ff9b1a3b75b498977999847

SHA512
79cdf8092373f154161110aa1aeef943c3bd55f3403055ab8acb3b36a7663ac1bbb670c41cd51ab30484e6ff159079072f4b2812db45f39944e37ffe173b7fc5

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

MD5
f9e86863fd24fd00bdc07fee5e8a5bc5

SHA1
d87370b3eeb5b339e3ad632f3a55f6721ec62341

SHA256
5394e6c4c73a4e76e607eb5f76fdfa4b16d5585c992b25ae1f2d794f51f6eaa5

SHA512
919468a590ec86fc5f76a0b43de31697afcadf0a4a62e189c724dc8ffbb643555983ee44f10c20567310036de50f625ef07ee94439b2f1283204a62808d68768

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

MD5
059c1f5518a892df684f6265883ac4f6

SHA1
4fd3166733ca32b3c3dd028a6956e8d7786d17ba

SHA256
e593ee758d10c9d2035851dddb451dcd5a532ab86a0c807ca284e9e3b5570a3a

SHA512
a8bab79826afc75a9685ba78abd15dc8ee610355a5bc817ee76b0a57ea2fff28d130934d260913cf1b2c0b591097c2d70a6319a137d9e4d4304a53d30105a3bb

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
3102c42bec3ed017eb9f7cef4b90fa24

SHA1
dd1ce3e68bdd64891994277ac7cb5f3360c9b6c4

SHA256
2096e6a29e5535ef5be591e3c32f90e1c8ae8f8b0f9f549a24ad0a9d8b708019

SHA512
64f728fd740c0eae33a3c850d8fdca53c7a9239b2d817cc7f0024d1b1267b77295f7cb4fd9554679ec247ba3a242fc1e0f565ceaf5719e420a8782bad8b0a63c

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
5935af5cb8cc0cda64b8d61ce62b5264

SHA1
26ff1957129f3d5196e9b72549866cdee029ea5d

SHA256
4ed0ac96c3abb7881dd934a46d9b675a679a18785652b28537eb2ffcaeb86c4b

SHA512
a1450eab6b8e3674966c1e9772ad6d8e6d9406808359159cecb9bad91e221f521b45bb3221e586271f5caadef28601cb9f18ea8e13deca0bc1bfe1f8b5e67bf8

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.RYK

MD5
dbad4d7eff19dcabf44e0d17f4b86f40

SHA1
4554d689503aa8ec9a9327f1a85ff1b740602e2d

SHA256
567463b27970895f78faaffda57a63813e192c10d8fb69f968edc6553b6dd6cb

SHA512
738970e87bcce5d042d6a67025362ce56b73602d8c69307c7501e0d820f21d7cdb011eb4aa0e42f1aface11db78ff37f5358b29c640aa4ee2d9b4e74733611a6

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

MD5
e8ff3b772a2d547545df26a0d0e6c6c3

SHA1
549df0460df3d0e815d4745e78c554d811d12055

SHA256
070de63b63f029cb4dbe4e6b7d53bd53f79e70f4fa49b98e93cfeacb5783af3b

SHA512
19a5a90102b848dc6c8b6f01327b65aa02d1507e4e00f1b058e387ee6296790b4939164624221223fd62e2f3a1e0ca5f5936a78dd6c6ef76eddc3e8fc0035661

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

MD5
8d07b8353cd92b65e11eaeb056231832

SHA1
94c7e9fecf06e7460e03ca81befe0e064c07cb27

SHA256
e842b84f3da3dfc6fe4593ada04938dcccf4e62a175bfff8b7ad7b185e2823b0

SHA512
ef4cb32f0a65ce6789a6c00e6a5d62e4dde0201c4b621728d2c3444a881063fe436097e1a8149125cf0cca9a8736b48847595376771c56b0624dab013840650d

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
3102c42bec3ed017eb9f7cef4b90fa24

SHA1
dd1ce3e68bdd64891994277ac7cb5f3360c9b6c4

SHA256
2096e6a29e5535ef5be591e3c32f90e1c8ae8f8b0f9f549a24ad0a9d8b708019

SHA512
64f728fd740c0eae33a3c850d8fdca53c7a9239b2d817cc7f0024d1b1267b77295f7cb4fd9554679ec247ba3a242fc1e0f565ceaf5719e420a8782bad8b0a63c

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
a96747fb6fd740a606e4c3ea5188911c

SHA1
7ea3208b0a9ef56e470b523096d7f4bca56b4f24

SHA256
2ce0a199f020e1933994e79134d2ab372bc04c655d4e9ba589a5433672149fb4

SHA512
8b1d43b9c8aa775b05ac8756a5f46eb5b5fbbb5ca17a086c619396bd11b19c72e22be969e881c0a1243330996551a038ba23192790e8d982a198a4cb68b5c94c

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
3102c42bec3ed017eb9f7cef4b90fa24

SHA1
dd1ce3e68bdd64891994277ac7cb5f3360c9b6c4

SHA256
2096e6a29e5535ef5be591e3c32f90e1c8ae8f8b0f9f549a24ad0a9d8b708019

SHA512
64f728fd740c0eae33a3c850d8fdca53c7a9239b2d817cc7f0024d1b1267b77295f7cb4fd9554679ec247ba3a242fc1e0f565ceaf5719e420a8782bad8b0a63c

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
57bf2d3eeaf5234e510a40a011c7344e

SHA1
0c836aab934c66a2bb19bb282912d19c7b0ee4a2

SHA256
45823d0b87537d1ab4d46321d317c2e77207810abb4c6b47059ba2c2d1f78faa

SHA512
4290844eddd8b6a9029bcdf2ae2c5bb4fe868ae953780952de26246333fe6dc0a26e28e260f07a527b7823d2c2df461ac42787e6a820b6937c143460844b129f

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab

MD5
ea28e77d6a9a56571e84e6c6757c71d5

SHA1
428cc60932fe511b3a4782a88ba53f8c673eabde

SHA256
756efc861cf33e2114fc06f54e5f3c9f65c5fdb337c30ec8eea96ddf7ec8fcfb

SHA512
0c773d35eb7095d4ce3ee2e4d90aed9196203078f3e44c689bf877a0caeb1fd5896acf2c28157ae2744b51a5d386bc34746a1e74cd742660700812ff2e1d14c4

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

MD5
2bc1bcf3763435a5129bc1b746326bcd

SHA1
c65eabf9dee2c6477d1788d78c7233a1dfe91aa3

SHA256
911f681a174074fbdfcd44ab9939f267e2b67be28c3d9e9c96a1b82269a4e634

SHA512
ae76d05fb1fefaa99c25d85d742654e858e609899613281da6479673cf73fd6a758eb7a58084da792748520354d1a23dd60d787050d92a7b0efaa8646db3e528

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

MD5
45517de9e51ebb4009d1bc80aae09aa5

SHA1
966530c560b99fc9113c8c72694535be9966eb2c

SHA256
1e2948fa03a47bfc5411376dea116a9d4cb2dbdb91334d73047f7d5d3414ba0e

SHA512
3df678659334460e5090c8ce8697b36b673e355bd283d02a87f46ee5ee3d7fac945d89ee1e29dd621e6d2692eb1f201595344cb2a279697d9f31ed37e67d5c2a

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

MD5
0ac36ab202619bb04c6b75c93a9ed41b

SHA1
a5bb3ad3d3b0a88f8f25db21fee35e7b24c8b256

SHA256
5d81e1eb15fa96e72c12b6e43ece3b80a14b8de5641ddbb03d61e9935a08c7d1

SHA512
cdfd9d76f74dc44ed1edde15c6bf92a0c2bbe0bd5956c84fbb28dbfc911fa2c5c1e092be1eecefd48758becb1777bec1cbcdff9873c7540dd852e1da7bedca0a

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

MD5
a272c18d15971f6492a13ca1b262aaf4

SHA1
4166d59cf8113074753f4e7734fdbea0cfba436b

SHA256
35452664d9f068470a05fd52c31906c83fd2741eb50815408914dce9753d4d3b

SHA512
0cb19d36004ff4fc3bc4fa09962e1b72875848b4177f1d45921618e8ecd6de57d2dd2816c73eb00d5d8ba796b7e6261f3a8ae3554645277954eff0092e2b9526

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

MD5
58fc2c61691100d008bced14af2617b4

SHA1
a53346d23e30a2e0fc1e1a8a4230d558700cd401

SHA256
766d26d798f52465871003c47a353c4ccbc7b14dc483bf0b29617dabeafc55ee

SHA512
493530c45244db87e04499f30849797f26a3df52ea0b01312614d857c5f6f7217e07b55ad322b7c5fea355c846f7e86f7dab0ecc0672e4a51be60f0ef8a857fd

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html

MD5
3102c42bec3ed017eb9f7cef4b90fa24

SHA1
dd1ce3e68bdd64891994277ac7cb5f3360c9b6c4

SHA256
2096e6a29e5535ef5be591e3c32f90e1c8ae8f8b0f9f549a24ad0a9d8b708019

SHA512
64f728fd740c0eae33a3c850d8fdca53c7a9239b2d817cc7f0024d1b1267b77295f7cb4fd9554679ec247ba3a242fc1e0f565ceaf5719e420a8782bad8b0a63c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

MD5
b3b3e8dc541e3177b2a0560737b175b9

SHA1
40b05ef3be2d29467abc2e03334db3a096c85bca

SHA256
f5df61300d4683a18f3141bfbfe289277f42f0dde090579eb61efbeb25e93445

SHA512
f9aeea0f45cdff7ac7160e2dda3e719c59aab37c988723b07afa92f4cd125755a5a296fe75689b9e47aa632be50d085a5a223992a0d058f65a7f1bb3e77427b8

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

MD5
7da32a0d7e8f3f6e7420af4bf476c5b8

SHA1
7efc24fa7675c98934c5a5b4699e9375867b0e45

SHA256
19a0668d9351e25c7e85da5736653cb608dacf5e429a8f8a447964309e6d9ffb

SHA512
659b3010827807ece2a5f0ea79404d3314cc8931fc9153236ae0fc221e930eec223e3449bfe9dd06a13d5117ee442970a959a5081cbbaea1d90c0033fc8128b2

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

MD5
466ce6af55ade1cea6b74e0ad581ffed

SHA1
61ab399ded1514854311502d7a740ffbf6c9ccd3

SHA256
adffc614157ccfb7d46b3437c4d0ca4d48800ca08142d7644c36f06c3ad6e916

SHA512
d995b14d6b4d5d00121b3999f7eadcd9ab258e0ce2497630d96fb8a0b5b512757c4a893e551db1afc35da6ca6ccacf7607e4417e8f514ac5636df4652dfd55d4

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.html

MD5
3102c42bec3ed017eb9f7cef4b90fa24

SHA1
dd1ce3e68bdd64891994277ac7cb5f3360c9b6c4

SHA256
2096e6a29e5535ef5be591e3c32f90e1c8ae8f8b0f9f549a24ad0a9d8b708019

SHA512
64f728fd740c0eae33a3c850d8fdca53c7a9239b2d817cc7f0024d1b1267b77295f7cb4fd9554679ec247ba3a242fc1e0f565ceaf5719e420a8782bad8b0a63c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK

MD5
144855f3f0e166dd3ad181978329f4c1

SHA1
7cfcd543570dcc4ae691deaf2b4c972afa3923cc

SHA256
85eab25310e0822f8234078754ee9738e439a8ee2630cc0a9ef0a6195e72dfe6

SHA512
2b9c11ea8ed3afc2bccb8e94422467197142e6cabcefb51dfaddf494bc6d7c30231e275a5210b489cfb1facf516d621efe15b4bd0c99e7134d4c2546ed21b4e8

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

MD5
7635229e90c705fb35ceb2719d20a0c5

SHA1
f687e1bae3e43dccbf2ce9f777be158340114f52

SHA256
d7b851b245b38bca542c6ecd3adb3075b9d5d1fe430ce1fe68df2130267fc6e6

SHA512
c3065275a808b158cd0a30134173971768e07ca20c7bbe2abc73eb5c8653464e0e681ed01d34c28997596242c8af92c787e702bd058ca5573a207faf79cb6445

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

MD5
55d6ede87c9aceef540241668de94869

SHA1
bebb731a537310318fd954760a17dcd7fdd5267b

SHA256
377270d354431853c7939309795aa1a4c12d5f783efb3f597ee5f55393a149eb

SHA512
a66d32d5c25fadd017551742209fcc4ac9971f9ae3bae0b92096e006555a4d3583d97571969141bfabac7d3e2f60f9e6e2a0dfac066bb879ad708fa9ff56b512

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.html

MD5
3102c42bec3ed017eb9f7cef4b90fa24

SHA1
dd1ce3e68bdd64891994277ac7cb5f3360c9b6c4

SHA256
2096e6a29e5535ef5be591e3c32f90e1c8ae8f8b0f9f549a24ad0a9d8b708019

SHA512
64f728fd740c0eae33a3c850d8fdca53c7a9239b2d817cc7f0024d1b1267b77295f7cb4fd9554679ec247ba3a242fc1e0f565ceaf5719e420a8782bad8b0a63c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

MD5
054ebaf298a486f711c0179a14562106

SHA1
ecda7194aacdce462be5274de161d250cce34d90

SHA256
45d1b09543cf85c37ee5bf290cc0ae7d5c0a557e82c6876df8d5e239f03e88b5

SHA512
713dd1968d5a32a6c8edec025d6eb1c0245fbce2257339b287f5f78dcc5455dd4d2f522c787a39bf5b808379eef0ec7b3d5943acdfc6ee496bc59772fff23a85

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

MD5
0983774642f025a0f9c511e5a71bf923

SHA1
5ff91ad731a06223473fa6aa1f82fe368f209fc5

SHA256
c49c39e557f77deb0da5ec99a163fba64a5c022354a864273ea8b09d68fc0214

SHA512
6e7fbe979979393771d4eda7942d96dde225ab469a59993ea3f42b31de9a9554b4c7e3abbaebb25384804c42300c55f5b7f94bdcf2dc55d1b5955f9d033c2539

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
3102c42bec3ed017eb9f7cef4b90fa24

SHA1
dd1ce3e68bdd64891994277ac7cb5f3360c9b6c4

SHA256
2096e6a29e5535ef5be591e3c32f90e1c8ae8f8b0f9f549a24ad0a9d8b708019

SHA512
64f728fd740c0eae33a3c850d8fdca53c7a9239b2d817cc7f0024d1b1267b77295f7cb4fd9554679ec247ba3a242fc1e0f565ceaf5719e420a8782bad8b0a63c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
6cb9b40e504f45110efeb35c2963bf3b

SHA1
952a1a6470b39126556536b652545de0c3a97701

SHA256
0433051627df3c06862cee4cf519b5f0905fd7b37df24b410936a293b43248ba

SHA512
66ee6fa479adb9d13932e63041e7ba190e9a31409415ed5557fd6b2b4550845d8dbbce3052d6594b0692bb8a5680e437d963e076cb8dd6bede44ff8bd285f45d

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.RYK

MD5
1e789f000c08752fb30e119d5d7b38c9

SHA1
e551427fadc599efcbc452774b1ed4976286481d

SHA256
884eb7426531c647e73faaa681844f2b66c2531ec577b15b03035ab8f60db9fd

SHA512
5a78d170b67c1493f760ba8ba5356bb4e59f2b25542d3580ff1755d7226b820da69b11ab96323cf1c8861e2ec8eee0680f0f40628f7d068ab58476e21f54b46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMmGpAvYHrep.exe

MD5
7364f6222ac58896e8920f32e4d30aac

SHA1
915fd6fb4e20909025f876f3bb453ec52e21b7be

SHA256
23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f

SHA512
f5e2b5a17ed04c7edb904e867cec2f66a59b887176bd3e25803e82a390fc36fc47002df747099ca4e6960f020afe1137f4ba24b28613423b5de0b09ff7048026

Download Submit
C:\Users\Admin\AppData\Local\Temp\ezdJSzoSSlan.exe

MD5
7364f6222ac58896e8920f32e4d30aac

SHA1
915fd6fb4e20909025f876f3bb453ec52e21b7be

SHA256
23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f

SHA512
f5e2b5a17ed04c7edb904e867cec2f66a59b887176bd3e25803e82a390fc36fc47002df747099ca4e6960f020afe1137f4ba24b28613423b5de0b09ff7048026

Download Submit
C:\Users\Admin\AppData\Local\Temp\xDlhaHqqllan.exe

MD5
7364f6222ac58896e8920f32e4d30aac

SHA1
915fd6fb4e20909025f876f3bb453ec52e21b7be

SHA256
23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f

SHA512
f5e2b5a17ed04c7edb904e867cec2f66a59b887176bd3e25803e82a390fc36fc47002df747099ca4e6960f020afe1137f4ba24b28613423b5de0b09ff7048026

Download Submit
C:\users\Public\RyukReadMe.html

MD5
3102c42bec3ed017eb9f7cef4b90fa24

SHA1
dd1ce3e68bdd64891994277ac7cb5f3360c9b6c4

SHA256
2096e6a29e5535ef5be591e3c32f90e1c8ae8f8b0f9f549a24ad0a9d8b708019

SHA512
64f728fd740c0eae33a3c850d8fdca53c7a9239b2d817cc7f0024d1b1267b77295f7cb4fd9554679ec247ba3a242fc1e0f565ceaf5719e420a8782bad8b0a63c

Download Submit
\Users\Admin\AppData\Local\Temp\FMmGpAvYHrep.exe

MD5
7364f6222ac58896e8920f32e4d30aac

SHA1
915fd6fb4e20909025f876f3bb453ec52e21b7be

SHA256
23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f

SHA512
f5e2b5a17ed04c7edb904e867cec2f66a59b887176bd3e25803e82a390fc36fc47002df747099ca4e6960f020afe1137f4ba24b28613423b5de0b09ff7048026

Download Submit
\Users\Admin\AppData\Local\Temp\FMmGpAvYHrep.exe

MD5
7364f6222ac58896e8920f32e4d30aac

SHA1
915fd6fb4e20909025f876f3bb453ec52e21b7be

SHA256
23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f

SHA512
f5e2b5a17ed04c7edb904e867cec2f66a59b887176bd3e25803e82a390fc36fc47002df747099ca4e6960f020afe1137f4ba24b28613423b5de0b09ff7048026

Download Submit
\Users\Admin\AppData\Local\Temp\ezdJSzoSSlan.exe

MD5
7364f6222ac58896e8920f32e4d30aac

SHA1
915fd6fb4e20909025f876f3bb453ec52e21b7be

SHA256
23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f

SHA512
f5e2b5a17ed04c7edb904e867cec2f66a59b887176bd3e25803e82a390fc36fc47002df747099ca4e6960f020afe1137f4ba24b28613423b5de0b09ff7048026

Download Submit
\Users\Admin\AppData\Local\Temp\ezdJSzoSSlan.exe

MD5
7364f6222ac58896e8920f32e4d30aac

SHA1
915fd6fb4e20909025f876f3bb453ec52e21b7be

SHA256
23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f

SHA512
f5e2b5a17ed04c7edb904e867cec2f66a59b887176bd3e25803e82a390fc36fc47002df747099ca4e6960f020afe1137f4ba24b28613423b5de0b09ff7048026

Download Submit
\Users\Admin\AppData\Local\Temp\xDlhaHqqllan.exe

MD5
7364f6222ac58896e8920f32e4d30aac

SHA1
915fd6fb4e20909025f876f3bb453ec52e21b7be

SHA256
23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f

SHA512
f5e2b5a17ed04c7edb904e867cec2f66a59b887176bd3e25803e82a390fc36fc47002df747099ca4e6960f020afe1137f4ba24b28613423b5de0b09ff7048026

Download Submit
\Users\Admin\AppData\Local\Temp\xDlhaHqqllan.exe

MD5
7364f6222ac58896e8920f32e4d30aac

SHA1
915fd6fb4e20909025f876f3bb453ec52e21b7be

SHA256
23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f

SHA512
f5e2b5a17ed04c7edb904e867cec2f66a59b887176bd3e25803e82a390fc36fc47002df747099ca4e6960f020afe1137f4ba24b28613423b5de0b09ff7048026

Download Submit
memory/268-71-0x0000000000000000-mapping.dmp

Download
memory/452-59-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download
memory/1452-62-0x0000000000000000-mapping.dmp

Download
memory/1644-66-0x0000000000000000-mapping.dmp

Download
memory/2688-75-0x0000000000000000-mapping.dmp

Download
memory/2700-76-0x0000000000000000-mapping.dmp

Download
memory/3488-131-0x0000000000000000-mapping.dmp

Download
memory/3536-132-0x0000000000000000-mapping.dmp

Download
memory/3556-133-0x0000000000000000-mapping.dmp

Download
memory/3680-134-0x0000000000000000-mapping.dmp

Download
memory/3736-135-0x0000000000000000-mapping.dmp

Download
memory/3764-136-0x0000000000000000-mapping.dmp

Download
memory/3796-137-0x0000000000000000-mapping.dmp

Download
memory/3984-138-0x0000000000000000-mapping.dmp

Download
memory/6352-142-0x0000000000000000-mapping.dmp

Download
memory/7292-141-0x0000000000000000-mapping.dmp

Download
memory/7640-143-0x0000000000000000-mapping.dmp

Download
memory/7996-144-0x0000000000000000-mapping.dmp

Download
memory/8168-140-0x0000000000000000-mapping.dmp

Download
memory/8848-145-0x0000000000000000-mapping.dmp

Download
memory/8876-146-0x0000000000000000-mapping.dmp

Download
memory/8896-147-0x0000000000000000-mapping.dmp

Download
memory/8924-148-0x0000000000000000-mapping.dmp

Download