ryuk | 473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8

Analysis

max time kernel
149s
max time network
47s
platform
windows7_x64
resource
win7v20210408
submitted
10-07-2021 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
Size

116KB
MD5

5c6273b024c93c5bdf557813868f9337
SHA1

eafe0287e6ae983c6f1ff68f6c7780cc3a037783
SHA256

473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8
SHA512

4164f5d7f485cc95825cd6608e0a58eadd456d00145bc3b73d3526e07faaf9d416d03e9a62c8c789db447549421cfc2db73f54f5cd3dabc1238c5da9727c2408

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'nyMTcbyxt'; $torlink = 'http://lgjpuim5fe3pejmllygcffape3djui6k2a5pcbpuyvps3h4ajb7yf4id.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://lgjpuim5fe3pejmllygcffape3djui6k2a5pcbpuyvps3h4ajb7yf4id.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Loads dropped DLL 10 IoCs

Processes:

MsiExec.exemsiexec.exeMsiExec.exe

pid	process
1560	MsiExec.exe
1560	MsiExec.exe
1560	MsiExec.exe
1560	MsiExec.exe
1560	MsiExec.exe
1560	MsiExec.exe
1560	MsiExec.exe
1972	msiexec.exe
1972	msiexec.exe
2144	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

1780 icacls.exe
1704 icacls.exe

pid	process
1780	icacls.exe
1704	icacls.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe

Drops file in Program Files directory 64 IoCs

Processes:

473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.RSA	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Beulah	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00445_.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Gibraltar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382947.JPG	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115855.GIF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_zh_4.4.0.v20140623020002.jar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Bogota	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL026.XML	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_win7.css	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281243.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGNAVBAR.XML	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Common Files\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\extensions\VLSub.luac	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl.css	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_zh_4.4.0.v20140623020002.jar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Grand_Turk	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01151_.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00352_.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18238_.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\METCONV.TXT	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana\TAB_OFF.GIF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103850.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MAPISHELLR.DLL	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_zh_CN.jar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105348.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086384.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Mawson	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Budapest	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_zh_CN.jar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\vlc.mo	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\PST8PDT	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PPINTL.REST.IDX_DLL	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00127_.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_left_over.gif	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\eclipse.inf	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Luxembourg	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01013_.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Monterrey	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18254_.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPAPERS.INI	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\RMNSQUE.INF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\THMBNAIL.PNG	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_zh_CN.jar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\NamedURLs.HxK	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00633_.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFE31.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFF89.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFFC8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1AD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI288.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID93F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE2D2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE0FD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEC17.tmp	msiexec.exe
File created	C:\Windows\Installer\f75d4fd.ipi	msiexec.exe
File created	C:\Windows\Installer\f75d4fb.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\f75d4fb.mst	msiexec.exe

Modifies registry class 7 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit\command	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

1972 msiexec.exe
1972 msiexec.exe

pid	process
1972	msiexec.exe
1972	msiexec.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

msiexec.exe

description	pid	process
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe
Token: SeSecurityPrivilege	1972	msiexec.exe
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exemsiexec.exe

description	pid	process	target process
PID 1240 wrote to memory of 1780	1240	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe	icacls.exe
PID 1240 wrote to memory of 1780	1240	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe	icacls.exe
PID 1240 wrote to memory of 1780	1240	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe	icacls.exe
PID 1240 wrote to memory of 1780	1240	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe	icacls.exe
PID 1240 wrote to memory of 1704	1240	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe	icacls.exe
PID 1240 wrote to memory of 1704	1240	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe	icacls.exe
PID 1240 wrote to memory of 1704	1240	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe	icacls.exe
PID 1240 wrote to memory of 1704	1240	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe	icacls.exe
PID 1972 wrote to memory of 1560	1972	msiexec.exe	MsiExec.exe
PID 1972 wrote to memory of 1560	1972	msiexec.exe	MsiExec.exe
PID 1972 wrote to memory of 1560	1972	msiexec.exe	MsiExec.exe
PID 1972 wrote to memory of 1560	1972	msiexec.exe	MsiExec.exe
PID 1972 wrote to memory of 1560	1972	msiexec.exe	MsiExec.exe
PID 1972 wrote to memory of 1560	1972	msiexec.exe	MsiExec.exe
PID 1972 wrote to memory of 1560	1972	msiexec.exe	MsiExec.exe
PID 1972 wrote to memory of 2144	1972	msiexec.exe	MsiExec.exe
PID 1972 wrote to memory of 2144	1972	msiexec.exe	MsiExec.exe
PID 1972 wrote to memory of 2144	1972	msiexec.exe	MsiExec.exe
PID 1972 wrote to memory of 2144	1972	msiexec.exe	MsiExec.exe
PID 1972 wrote to memory of 2144	1972	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
"C:\Users\Admin\AppData\Local\Temp\473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1780

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1704

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B1F85638DC96AA29E1A74D125F0332B2
2⤵
- Loads dropped DLL
PID:1560

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 85E90F771554D0D0435E7881BB03FCF1
2⤵
- Loads dropped DLL
PID:2144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

MD5
4a322c0ac1e2421584da04c934aa057c

SHA1
b5ac6beefdccfc49a58ef6ac538826df6ddacf50

SHA256
754bc40f679e8177c5e6df718d9f99ef9532bb41dc02d3bc37ef595c1887681d

SHA512
30916154d0a16b130573c9e97f5855610bacafed30d4fb5c30e9a797519e21530c031029a9624d7cbd64fdc5446f1c6264d27906774e5767bf2347f61d93cb01

Download Submit
C:\MSOCache\All Users\RyukReadMe.html

MD5
4a322c0ac1e2421584da04c934aa057c

SHA1
b5ac6beefdccfc49a58ef6ac538826df6ddacf50

SHA256
754bc40f679e8177c5e6df718d9f99ef9532bb41dc02d3bc37ef595c1887681d

SHA512
30916154d0a16b130573c9e97f5855610bacafed30d4fb5c30e9a797519e21530c031029a9624d7cbd64fdc5446f1c6264d27906774e5767bf2347f61d93cb01

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab

MD5
09e5210989c64c4edc68fae1cacfae15

SHA1
d7cce2e2d6ec920202f9583ff11484409cd3ba69

SHA256
2e2deb7c5f53a49b6133e115d89e3090c0e8fa7bd60e2c7b3668a05f1f6766bf

SHA512
70980a0cad0a496456b801297d50ae754641db72466f6780c352f27640d3d042fff6de5235da37216a6a251da67dca9c04565438708d2838fab6eed2aca5561b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

MD5
a4d4509208399969545d1bdab2fa5866

SHA1
9c759b5c7ae23f07366a9dfba1aba24f5bde2abe

SHA256
057db198035d74de30e668b1c0da096be9f10e5ddecc860fc7aae5208a8103a1

SHA512
4c5d025bc628db15203ae14e10ea19b981e24bc0df455c7ed279d2d64a822241204f901a188b15dd2a07bc1c8578c6b5fdbc88e5b30d9407262bb91253721f85

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

MD5
d1725504a31b4e383e93f67a35f520c7

SHA1
4a274193e172c508e97cffc7cc9b7eb4d692fa23

SHA256
720129b726448025c03a31ca84d4f4a9c78edd50823f631ad17f11665fa10efc

SHA512
8a8f9d573742ad81b28c7691af9045927928f93ff743cc2e8fbcb41114614613e4ec11ad50366ed67ce8cf46710f9ecc2450cc2591306f43c6157665f8d44cad

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi

MD5
7c4c536f8275c1effaa2b1856f7515e8

SHA1
b6b64f2a847ebaac947996d6ebfca74addca47a1

SHA256
05846bbf64e598e4bfb3d5bdc6675dbc3e6f5d4b31cb60a471986d94fe35da36

SHA512
307693325a360a7b7de86584382331b8e0e572bdb5bff32612191f90dcc3c2ac9d27feb31bfa47a3b0521fd2ff0a589940ed80ebfb8f91b3a1b6e3d9041746f7

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

MD5
b36dfeea490a9f47d1a722b6509da23c

SHA1
4f7f5da9a92f4b7a7258b13edb31dbc4149550bc

SHA256
d2d7886058b2822842e077069c674ec9f2256a6f5ea918bdefe6754bd4793fca

SHA512
cdf9d281902e371b96299d64e8ddf6185ce98a2010d0a12241568902232789f8b57de73c5fbb77fe908a8cfa9caa9e70aca9f194dbab753ac3d8f0ef5cccc801

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab

MD5
21e9e78b73b272683350b9870af47d36

SHA1
55e13b7e3c7b66816373ffa801e7a76f269b2d98

SHA256
e10f6240abf022b4142a5782785c58914cfdf1a1dab7e042707dd1d3eb9c7acb

SHA512
09904a483a315765409c4e7024c11741ffea3eb5933ef24e1afedbee36bd6378fd1b3746d715f97546f98fc005d9cf5c8b4be701d95662a6272d3137283e34e2

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab

MD5
9af28a7260151e9d338c79b984e10ca7

SHA1
d0d8a875bc78f3a7aeef6bb65c3c2641121ef295

SHA256
f2bbdea33c6ef1d9c27a54ed1a1f780c5040abe9330d124322623d29e8d4adc7

SHA512
d1f7e10e9532d1bbd5cbbf92a2ae9328efca37d59f8b29ace125be1d6d65213eabe63ee4abe166bebd5e1a2059dce63f24e113667682a1a156488351b18799a1

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
4a322c0ac1e2421584da04c934aa057c

SHA1
b5ac6beefdccfc49a58ef6ac538826df6ddacf50

SHA256
754bc40f679e8177c5e6df718d9f99ef9532bb41dc02d3bc37ef595c1887681d

SHA512
30916154d0a16b130573c9e97f5855610bacafed30d4fb5c30e9a797519e21530c031029a9624d7cbd64fdc5446f1c6264d27906774e5767bf2347f61d93cb01

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
5bcfe256e2fe837bc31028f8d4c7b85f

SHA1
830655fbf477f953ddcc5fa412cee3220cf9dbe0

SHA256
55e0f89bc5d79bf11d29fdeceb8a1f6c4182c1a4f504723068cb2a0478c5a1fe

SHA512
2cea3d5714af931b7df860f7c1e926edee00d0c017e230f57f77ab47d7807c46e60a3848b9ee7d2596cd26e8ae4384bddcc9310fbbe6450722c2cbc58244b59a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

MD5
acb75e105420333b9668705792aa0dd8

SHA1
8700e031e250c15b7706ac0d85c1ef728aa6f70f

SHA256
dfc94a863874be52daee00c185cc7249bff36c529d3f27eb22d0127df4884c00

SHA512
247786dbcfabc61b497dbb890341887c8f43a7d5d85f962fa0a9196568c4e28aa143d397264aaf8e8763643ae225125c5a0876a128f97802c6f022597b181582

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

MD5
2717da4f6687d69b9d1c74abbf9b1a35

SHA1
0ba569c212d87323dfc17d22e8e8153cdf03e306

SHA256
7dbf1b0bc045e3a81f5e61ea58e2d5577c67eaef3c9607cf02bfa4d7e258c942

SHA512
8a42dbba1c5222c361c9815adc184bd521ef078a74f5c50e070209f2828b7fe3f47331de3901035f0bc2cf9c4d8c42c9b44069fc41170e14756f06389313d55f

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

MD5
e56c2c6b92d1978adc80eab0a54c3e36

SHA1
3421f2d835fa177f3721b6ea23844cb78f0dd43d

SHA256
487d0104fd15bb4dc700f4b040092fb08845ddea9102067878d47817d6ab6eb4

SHA512
d6626a0d53ee0c1925094439fb32e0e0d283581e09cb316379c958b97e9cf0baceb8a8562dd8a1eefd7409f6595ab5f68d56d0c64ee2296569e4a20a5cda043d

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

MD5
fd8bf25a744d4e7f7f331531526e1eab

SHA1
0f1067131fbd68b3b8e45b9d28bea6a145942fbd

SHA256
4f7759d870a09abf45e83c7f686d9bf8b0071ae87122db67f89595a8e0ad5e9b

SHA512
a870ef53983ea2f3da3bfb06575b3ca2cc1688246e40190cd2043d7d2577ae5c2485a08a57797bf68a14974889c6c4730dfdc835b7345c8e929f8be60e05f035

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
4a322c0ac1e2421584da04c934aa057c

SHA1
b5ac6beefdccfc49a58ef6ac538826df6ddacf50

SHA256
754bc40f679e8177c5e6df718d9f99ef9532bb41dc02d3bc37ef595c1887681d

SHA512
30916154d0a16b130573c9e97f5855610bacafed30d4fb5c30e9a797519e21530c031029a9624d7cbd64fdc5446f1c6264d27906774e5767bf2347f61d93cb01

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
c9810a60561a254258ec3b12b0c9e648

SHA1
70be0ad6027c0ad5322bfe461963aab2f9f89a32

SHA256
8f2dbf3098bbdd33cbc1a30d2f59e0a462afaec0e28858ee1970bb37ed9fa4b2

SHA512
8cbacb5081002832c3ca9322d867f237008fd659b64eb9833e2cabc8a5cc24ecd9ea10bc6bce3a75a7010baf97ee8798390ad9ed2e407430cb20e17488b162ab

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

MD5
07db43b81c861604bc8330de0c651d33

SHA1
9a013234f1165f262cab87be92526b403dd568bc

SHA256
b415e8c3fc827b949f359c25857adc35d99c1790f895a922502b752c2db1b344

SHA512
a436ba14a050d9ade28c5f9afc9d8e673826da8c43612af8c253b888556321abbb14a68ad769dacca57080998246136c8172787c81d5caf3108bee8dbd2ddfb3

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

MD5
ce74f2bbccf64b88a75bd741f39d4763

SHA1
41dea7e3544920b7ff3b60481d8a1c409c24433b

SHA256
f6886d6108eb7035448bd49dcab04ff26258cadfefc691848d73266710e1d0a5

SHA512
d19f8dd03304cbcd521d46ddce4421512cae6d71c92786b5afd3dc1f2f03830a01cf33ecae72858104aadd4dc32cecad63f760a36f5820aa318ad079c1125e8f

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.RYK

MD5
31729dbb886dd727697a21b0e706d7a4

SHA1
8ceefa5ecbdd7e2f9bf4c718179639922aa88698

SHA256
9a170ca7417895be5e72118b193d4b3396c99a64fb9aacc7dc92bf743b730d03

SHA512
ff7be808c8dfcd9370a09ddc5f3e22507f88d651aa37b24792f76f0ea87a535e1d5142616c4f05a3b641ee3c306611029cd76684edca3113e20c08d3f4d69cac

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
4a322c0ac1e2421584da04c934aa057c

SHA1
b5ac6beefdccfc49a58ef6ac538826df6ddacf50

SHA256
754bc40f679e8177c5e6df718d9f99ef9532bb41dc02d3bc37ef595c1887681d

SHA512
30916154d0a16b130573c9e97f5855610bacafed30d4fb5c30e9a797519e21530c031029a9624d7cbd64fdc5446f1c6264d27906774e5767bf2347f61d93cb01

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
5deb2568acc1b8de78bf0f6e25d0bba5

SHA1
0d87e435f795be579b2d4f53849294b46a01b49c

SHA256
8f198c089c737caabe1818c35962a50de47cced11b9f9d5549dd3a1b54c0a4b8

SHA512
3984540e47920c69efd984781e6a61658d506ae326096a5181e840c0782a32fb3bcd22020ba4e75a9b68f788c59a84859d831ae697f2204498d3f7d1b1d5ae0a

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

MD5
10e84b3a3a4a6f6fef25f3a756fe5879

SHA1
48ea5daba016313593249fb41ab78443c0e3116a

SHA256
49d15de2991958db286121f9327f56999095097341d0b75394bf7bd241defd9e

SHA512
b1251bf99ab99ed20ce928e55170ebb159f5352a6bc744f6a2f2174cd4c841ea4e5545fdaf675af320e21b454bff7aa1877b214251a82787580481ca6798672d

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

MD5
42d24646167cf85c11fd2620bf465d2f

SHA1
fb49dc1525a5b8a3f1feb7ec81c2c28edca2f685

SHA256
28bf8b80c452a8d45175a016d2d9d29af80bbc344f624e1e6bf8f2258ad87d7c

SHA512
33f4b5b2c85a614bb844cdf08a0baab99d2f96720b5e1ac41e0978d10e4f08cb493c298075a324f2336df774d0aca68faf3b59329943948f4877a34178e958e5

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

MD5
4ae67859627c8db83c7692bce9f8fdb1

SHA1
b483e1c1700b1422d749106a47e8f3229a1154ad

SHA256
c25e93dfd0ab0e7e0bead62957e9059a956e32bc2df4e3eabbdb32d46a68571e

SHA512
4e55c3142592dc37ab6d105d1023965fb8d8979ac87450d3b8d04cd94b80ded107825bbd34c335ded89f8a7ac3304ac3e66e305b1526f16a40ce539c83337a33

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
4a322c0ac1e2421584da04c934aa057c

SHA1
b5ac6beefdccfc49a58ef6ac538826df6ddacf50

SHA256
754bc40f679e8177c5e6df718d9f99ef9532bb41dc02d3bc37ef595c1887681d

SHA512
30916154d0a16b130573c9e97f5855610bacafed30d4fb5c30e9a797519e21530c031029a9624d7cbd64fdc5446f1c6264d27906774e5767bf2347f61d93cb01

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
def69b8d170b0e5f4468b3130424e74b

SHA1
ddf5d5b603fb7352091d5211dcf51ecea3c94ea2

SHA256
688a4200b36d9f47b8c94ae689dba676686f74e0648ec14fc40eacbd7f84c46a

SHA512
745663cc8dc65d45dc3686d1b5f1bdea7dddda7d32bf03fb95b7918e76c654e7690b6a066b3789098724df567268b534a8bc112dbc6ac2a16ef18208060fb272

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab

MD5
d8ef1730d55e0adc6b08bd689bd3a9b9

SHA1
221871965ba9e713520fda113438c2dbf06964db

SHA256
c0bcfc5a4d5bcc5dfcb80cc076fa0151d5cd2eba3dc7050919be8c37dfa7a060

SHA512
ba27781bdda725b2413560a14f6c112e6bc9e34cb4052d7334b0806dc01a5401c8d1e9ca0e60ec8a288c3392dc564dc5a31a678f63c5d4d24bc4f3d1ef0fb599

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

MD5
e498931e8970becb40b40c100599e74e

SHA1
4e07ada27e67dbd6008eeb799a58fc2ba2dfc13d

SHA256
de1f418bf6abb0be511e4e8af1448c1fdfe1346a2bbbf9f0bbb97afb632e4f39

SHA512
b3eb84a704bca9b22d56f32741a01b3caaf841e7ff55616c429cbcc2e9e0a02322ab5ddd9bfbeece7944a8f62f8ee74f0415eb46adb1a63f4579972d59ea2136

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

MD5
50f2474cd3279f6985a5c5d98c4dc50b

SHA1
04099aeaa34f6872eb7fc66b6b89ebb7bea762bc

SHA256
53531896efb229d9d4c526c4c7b437d6d9b0d5b6691d31c45846eb093a548165

SHA512
1e56a4091676e62544569ae3a5180437492ceace5f6a9001ba1311c6683069a04a241f29685205ea124e0d7222bda6c38748e248aa2b60e79d33470fc6334638

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
4a322c0ac1e2421584da04c934aa057c

SHA1
b5ac6beefdccfc49a58ef6ac538826df6ddacf50

SHA256
754bc40f679e8177c5e6df718d9f99ef9532bb41dc02d3bc37ef595c1887681d

SHA512
30916154d0a16b130573c9e97f5855610bacafed30d4fb5c30e9a797519e21530c031029a9624d7cbd64fdc5446f1c6264d27906774e5767bf2347f61d93cb01

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
e7d5c4ebfe224a85230e2b9f8100b3d9

SHA1
d1b806c904082d78a7139e4dcf06fb0026210fda

SHA256
442165c7bde47894f0d4e22a67a533785572a41848e422343fe0cbb34b04c5aa

SHA512
d109bccfc454f08355585b624cde50e0c02fbc895e9119153f3e88e32fe3e66a17012a9eb4aaaa1a04bc204d59fc060e74754326ccf2f47aa0b6ce493dc2b5df

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
4a322c0ac1e2421584da04c934aa057c

SHA1
b5ac6beefdccfc49a58ef6ac538826df6ddacf50

SHA256
754bc40f679e8177c5e6df718d9f99ef9532bb41dc02d3bc37ef595c1887681d

SHA512
30916154d0a16b130573c9e97f5855610bacafed30d4fb5c30e9a797519e21530c031029a9624d7cbd64fdc5446f1c6264d27906774e5767bf2347f61d93cb01

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
d1b78f70538ff04d8e8f450ca66b4d00

SHA1
29343bb1c918d5d104a9760d7c1468881d298952

SHA256
4fa11320cf29d642935648cd28c4b16ad0b8d1589f7a8c5340b9dcef70258be8

SHA512
614117af74deebb81670764f63e4eca1e3bdca9dbf62af6449be4dd9ebdfc8b6de9dffcb9773e5e0a66347499bebb258fdd262b20735d9b5ea399ef03c1b2f85

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab

MD5
cac6e95b3941f37a7b1aeabd08046b07

SHA1
a1fe0a1c626c49cb8516c613a244be1f14a9ca8f

SHA256
826a9046f63af076b113c8a188373f836d7b645c3a7f4980efbf37c20c145890

SHA512
527b12522fda4056a9dee68cc7cada9baf5180251ed0bb08db7c45ea77d3ae07915f10f408ed3b9284524e7101f5b465662a3e4bf3e926df4cb1fade169bdc4c

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

MD5
1ae0329887331d6957db25ae51debada

SHA1
75993c041ed75d6b6b12911deacf8ab796920444

SHA256
17f36dea26a37ab7cc8ca371ce99e31069bc614a9eb0de3153afbe3dbfae318e

SHA512
0d716bdadd600c577348118a9ad3797890dcb309c5538e9773c178b1359fbb86f6682e9fe7afcde558c830e5cfe510e181ac16f4cf497ff9596f3fcd608a8148

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

MD5
956f0e21795c0a614ac98a737e432a75

SHA1
8d049f29879267442a66e1f7c5ba093c43a0a598

SHA256
8810f377e1e596ada4e42ba872e70ea6bde756de17a2f46a158e346def14169b

SHA512
190a0665a0917d76f6e28140c4ea04c9e7176af27680ceb282c01460f4c0af79d7f82df6aee970212b04ae63d153e4c7c9a974ba268ddd9fe6edeca594bace7b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

MD5
1620661b2707f994098e285303ac8f15

SHA1
84cd43aa70cb86718e3e62cb2bc67fb0dd5d88a0

SHA256
53e35789a234ecb8fcd598d7d6f31e67f6a6511c667b5cb07c0cae51e9397ed2

SHA512
5a2fccd1625124fe373041c1a66b53e6999189797d372e02cb70f4b76cce2b5e106ec360c5c03a2a3e7c5a8cb5ea7e259f2d46f39a8434b1a86ac4fea784a419

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

MD5
0e497efbeabb5472c760f40217111150

SHA1
9f5379ffbb372c86725d46afbeb39353b9a14099

SHA256
a0b5f3da645c66829e0204a782a60b3b8e9083fadff3f58ad7aec1e8105807da

SHA512
b4fe0d31e9aad1dbafb83a42feef42d868d884e478040d32856cc9900a6daaa53a7405420ca41f5c4b40246ff6294a309e15b30dd11a5c6715060412978683f2

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

MD5
68851c4482150cb572926d2bf56192e9

SHA1
f54212181169fc3751512064e9aecc2577b40c63

SHA256
09e3ed20a82d2c594a7c81f4cdac413a1e9adc2315f5f7b651676d9bb57ac41c

SHA512
6de0ddc1a4fc538aaee57a89b6ecb1f7543d67953cf6a9722e450a1d7ab1cdd5f71243a6eedc36866e8e1d8c4aed5727da0aaa2eb2ea1c514bc82aca0519724f

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html

MD5
4a322c0ac1e2421584da04c934aa057c

SHA1
b5ac6beefdccfc49a58ef6ac538826df6ddacf50

SHA256
754bc40f679e8177c5e6df718d9f99ef9532bb41dc02d3bc37ef595c1887681d

SHA512
30916154d0a16b130573c9e97f5855610bacafed30d4fb5c30e9a797519e21530c031029a9624d7cbd64fdc5446f1c6264d27906774e5767bf2347f61d93cb01

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab

MD5
4af536522ea8c30507918fef69c036fd

SHA1
c3cca88654dc9c5d9ed775f14f748ff3fdfab283

SHA256
9474efb0e317e799f5651d35c10ea9372d6884708dc841c982273009194c3e4c

SHA512
cf0ab6de5c08b1836bc6b5adece312b17b4637618af490685b9ac939ec682a28d5a396dde22f2b46a1bf4779f7702aa161673e3e1e599d99297588a32af2d26a

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

MD5
b0b440657f74396f0b19490be32468c6

SHA1
d29db08de2b36362c93b93f9d5efce4e1f1e3669

SHA256
20ae0752518b66051890f1d8a19727936d04e247a76c65f1fb61bb25d3fc4a76

SHA512
a3f07cb0099558743f2bc95e0971c5e17df5b7b66e620b22c398cb759cc5e3baab7ba6750a13fa9d5f225a6d13c56eed19d4124d0f4d427eaf4995387a88d272

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

MD5
c5d061fed2498a42591ad179696ef51c

SHA1
e6018e2f74f39ad0d04d55c95c7e26e0498fb030

SHA256
792b835705486c9111e73bda86adbed33c9b5d6a6a3fc9ec91f7699878f6f840

SHA512
05fa54c2d53d68aad048ba68fe8f2a66f590a7cbb654b12b2344805c5a7d7b0ea5c53fde6b12d3b1f26fa3609ed88e0ad55fc4237f31800de59fc4f274686c34

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.html

MD5
4a322c0ac1e2421584da04c934aa057c

SHA1
b5ac6beefdccfc49a58ef6ac538826df6ddacf50

SHA256
754bc40f679e8177c5e6df718d9f99ef9532bb41dc02d3bc37ef595c1887681d

SHA512
30916154d0a16b130573c9e97f5855610bacafed30d4fb5c30e9a797519e21530c031029a9624d7cbd64fdc5446f1c6264d27906774e5767bf2347f61d93cb01

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK

MD5
6d26c0cf006c3422fe2460bf4acb8a4d

SHA1
438fd6392eb514eeac76eb200003ab34d9a3fb52

SHA256
8adbacbf89fbed149eb4d23d5e158f1486c103537614970f5f4a934f2d80a552

SHA512
743b8eff26c9b4a93fd8ea4d66032a0a52a47638ea63336a51e4d46951e21aa5002d5287bc07750c24ca874027409704e411618c4d88704a973560b9821347fc

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

MD5
0f646350d2d91cfac4f6a240d97317fa

SHA1
20f564ab00322be3b881bb62e1ecb515e88be8c5

SHA256
4a1a2cbcb3b80cb6fbb714b786a32ef6a227e5001026fb93e721df342aa8fca4

SHA512
3210ba3209c696020ebd351ec36acd86a51a709732972e80f732b85c9412a556408e08323455f4ab08ab410b8f0628b659561432a2de1f7bd1e2d32e53d30874

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

MD5
0f9bdb3991ba48b488bd752a78dc8421

SHA1
9b99329f0595cd1e82c62fbd952c1ae7a3fa08e3

SHA256
7462151098d8946d72fa5499395c4782eebcdac45bbf814cfc2e971fa3784287

SHA512
d4cc4bb8dd35df3703889a878fd5920a93271baacf9e116cdfaf014f0815578148682cb30dfa24aa34d47db4d4c80971481f2ba3915802f91d92cea543bda3e1

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.html

MD5
4a322c0ac1e2421584da04c934aa057c

SHA1
b5ac6beefdccfc49a58ef6ac538826df6ddacf50

SHA256
754bc40f679e8177c5e6df718d9f99ef9532bb41dc02d3bc37ef595c1887681d

SHA512
30916154d0a16b130573c9e97f5855610bacafed30d4fb5c30e9a797519e21530c031029a9624d7cbd64fdc5446f1c6264d27906774e5767bf2347f61d93cb01

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

MD5
9b6c67a0b5d3c827f771266cc0ef3a35

SHA1
4007a39aead8d60cc2e6d45d5b59b43d2cca30e6

SHA256
6a7231391537c77b423f22902f713d62067620fd02b8dc3ef5c0a65f3e5b97dc

SHA512
c4870fe0cbd0cf6d734b88e2e24afa1a05d8d19aaa515ac5a30949294fb7894b0b86b21aa58c51c9a8a6e31aa62bfb87f1549905b74decc42484c32ab3bbd25d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

MD5
9c68da621319ab243b3f8f29a36165ba

SHA1
d6e89c8e4590a31862b359b1b833c26aa25822dc

SHA256
f981767b640ff985503cfc2f81d8feaef02b1e77c890a40027b475117b324ebf

SHA512
1dd6eee076a4c776ba59e5479598ac21b250f5552869a9aacae5af561d718ced366ba7ba91d84f95cfd3772a6225a1798d306bd0d5c1be158ac61d3c6fbf0b93

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
4a322c0ac1e2421584da04c934aa057c

SHA1
b5ac6beefdccfc49a58ef6ac538826df6ddacf50

SHA256
754bc40f679e8177c5e6df718d9f99ef9532bb41dc02d3bc37ef595c1887681d

SHA512
30916154d0a16b130573c9e97f5855610bacafed30d4fb5c30e9a797519e21530c031029a9624d7cbd64fdc5446f1c6264d27906774e5767bf2347f61d93cb01

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
35300007051b0df0af1218e771dcda44

SHA1
70ea7457d46c6586d47a540fbe036bbe46d689c3

SHA256
de3e000d0e501cb56118e4e9a8a3fa64c9be8bed7544682f229b3830e7ac8f41

SHA512
0d3e3d4ef6877adbc27aea4e1467ec720358d644e6db35c422900f5d9060a74a56fba2dbc25b737232832e974fe01ba46eeea072b0e9084f57bbcee3e552b44c

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.RYK

MD5
e5718eb9060a77d83f384cab0b39b0ca

SHA1
76594e1b855b01caabc71740d7ce633eefcf4b36

SHA256
60d34c5c42a1a850d4f5009444657dfa591a5ed73f3df6b40d7e314769c1fa30

SHA512
7aea0024f9067a824a452ecfc0ee2ffd95af2b3f0d1c4e43fe546929ccef8b77dbc70440bf5bca4f3ad25c0509b9bde9b038aa700c80ed32f492a8882dc5031e

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.RYK

MD5
e055ee2cda46ae5b2f4446f911038fcd

SHA1
34f64ac74afc688b6ba6894be390f916de537991

SHA256
121ae39fa40cd9b12f95ef96982d90054938597fe6ca1a2b770503f9f9652939

SHA512
d363e2729029fe21b9c58a7921426205e01c9672803f062ba2126676b2b30896b196af8b731b1d33d80ebdf961750c407c7edd4456cc8447dfbae1bad82253e5

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml.RYK

MD5
6083ab292e3313460c01d36d7f8e4897

SHA1
f43e1cb10b0e4dca721078b0d4e7261f3f3fcd92

SHA256
3fa5f11764a248bbed08ac0097e864be49abc5ce00a4aa8434470a40b4d047f8

SHA512
e7a19e776b673d9eea4c188a0c8c0b2781f4d20eb55b7ac80aea9f35845b9111e65ce3ebe2e8951bfe296eaa7bd65966d2d566eae941a32f41cf3c9e9a000fe8

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
4a322c0ac1e2421584da04c934aa057c

SHA1
b5ac6beefdccfc49a58ef6ac538826df6ddacf50

SHA256
754bc40f679e8177c5e6df718d9f99ef9532bb41dc02d3bc37ef595c1887681d

SHA512
30916154d0a16b130573c9e97f5855610bacafed30d4fb5c30e9a797519e21530c031029a9624d7cbd64fdc5446f1c6264d27906774e5767bf2347f61d93cb01

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
0b27280b7c7890ec303b41c29b1ed21b

SHA1
8022564ca2215327a42ee882585fc4dfa695d383

SHA256
8db6723fc22587561277463de6a6a33a0fb961c2a69cec6aa44fccc8ff035070

SHA512
68fe1d96453b435ad490755e3644d186579a8ee00129cde961f8dc0389c513629678f78d6ee439fc180aec2f5c230e76a653bb9d8d956cc52565b0182285b682

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.RYK

MD5
b0c08bdbdaf1dea83ddce562e54bc195

SHA1
9c2cb88c15b4311127d1eddfdde58c19e83bc201

SHA256
dd00373cabe12ea028b11dc1b6b77d16fd1ef003e24060fb12f96a35ccd73de8

SHA512
dabe77afe7447c8f3d21daa400cffcf83bf8faa2b32c1fdcfaa8105a8e39511d00b1c25d45ff4fde884e60b4581c5e12201443307d03c270e8a60c38043feef4

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml.RYK

MD5
8e39cbd85ca33dc276b7f47cc49ec5c5

SHA1
e484948d38baaf0cac1310f23c7081f7aa219554

SHA256
53f91bb796d7b495fbbb44df7a3cd74f8bf33e1daaf77851c804b2c36113ae44

SHA512
7e7e3b914e1e25c54ea1ba6c756460112046a2ff9f78b21b6dedeb5831192ca148708e7a0a2cacc3afb556bc9f7603338f1184ae4ed70562ed45c33591c88c25

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.RYK

MD5
e7deec4ced33646a0a358f0834a606a0

SHA1
a5f1d114b73e27b4c2942bc079d0d224baf88aea

SHA256
0cc0a6a319d1dad3b8623bef53b08d5fe04ead90e895359c1f21ae8c222ca2d9

SHA512
208c5b5ad2a34d9649ebd14fd8f50fce0d5819566503696bcb3517754a5121faf9905a91f662da9ef627f768d5e20980c036714193387316112d55c0bdf4c56a

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
4a322c0ac1e2421584da04c934aa057c

SHA1
b5ac6beefdccfc49a58ef6ac538826df6ddacf50

SHA256
754bc40f679e8177c5e6df718d9f99ef9532bb41dc02d3bc37ef595c1887681d

SHA512
30916154d0a16b130573c9e97f5855610bacafed30d4fb5c30e9a797519e21530c031029a9624d7cbd64fdc5446f1c6264d27906774e5767bf2347f61d93cb01

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
0c145fc9550772c252167a9f5fc9d2fd

SHA1
172bee5e4ef8255e97f12fc072a0c86e1fdc7257

SHA256
39a0b43fa8924939534a0fa7d4d245c4d8745049d9a39668cc1b8c2eccef69ca

SHA512
4223ac9ac7abde4f708e91fb661c8c1acbfd2c7c1bf16097a845804c1bb7f724df741d8c20822c5ca40e693257de8ec4ff97ae5e767689a989d7c0d3ec20ed78

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.RYK

MD5
8c9936c3c3b806db891432dfa2d1fc02

SHA1
277e2a93d16a5b2d0df067b9e9333e539abdd5b5

SHA256
a76b8dacc8e9708aa95caddae1e199a723ed6ebff01fab335b67695d16422d68

SHA512
c7abe4d74dbd4993c58a6011a870f7c905f92e100a41c4d355f75f15dbb57afe62a4d012b1a842f4098c74eeb3371feece8501203449cdfab88b569a5a8c035d

Download Submit
memory/1240-60-0x0000000074D91000-0x0000000074D93000-memory.dmp

Filesize
8KB

Download
memory/1560-128-0x0000000000000000-mapping.dmp

Download
memory/1704-62-0x0000000000000000-mapping.dmp

Download
memory/1780-61-0x0000000000000000-mapping.dmp

Download
memory/1972-127-0x000007FEFB681000-0x000007FEFB683000-memory.dmp

Filesize
8KB

Download
memory/2144-130-0x0000000000000000-mapping.dmp

Download