ryuk | 703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7v20210410
submitted
10-07-2021 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
Size

117KB
MD5

31db87c5d3b970b42cb577611f851c7a
SHA1

8cc6a1f94514033ad8b15c3c4c720fb0eac249f1
SHA256

703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f
SHA512

d00d566f7385accd173669c9f8f6868626287e0ed4a6a08b174af9f6d054b70aed3babfa91450caa085134a2e75db42802a9cc11790c923ece3a4042d161be4a

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'PrWUilDMFi'; $torlink = 'http://rdmnobnbtxh5sm3iiczazaregkpyyub3gktwneeehx62tyot5bc4qhad.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://rdmnobnbtxh5sm3iiczazaregkpyyub3gktwneeehx62tyot5bc4qhad.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

bwUAskFLyrep.exeXCBkacnNxlan.exerdpbIeHjQlan.exe

pid process

2016 bwUAskFLyrep.exe
1248 XCBkacnNxlan.exe
2624 rdpbIeHjQlan.exe

pid	process
2016	bwUAskFLyrep.exe
1248	XCBkacnNxlan.exe
2624	rdpbIeHjQlan.exe

Loads dropped DLL 6 IoCs

Processes:

703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe

pid	process
1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

2672 icacls.exe
2684 icacls.exe

pid	process
2672	icacls.exe
2684	icacls.exe

Drops file in Program Files directory 64 IoCs

Processes:

703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_zh_CN.jar	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\vlc.mo	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187895.WMF	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341634.JPG	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\Microsoft Office\RyukReadMe.html	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\RyukReadMe.html	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099170.WMF	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107496.WMF	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107158.WMF	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterRegular.ttf	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Bahia	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099179.WMF	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0297757.WMF	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03466_.WMF	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02040U.BMP	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.jpg	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01074_.WMF	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HM00172_.WMF	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BOATINST.WMF	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE05930_.WMF	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02617_.WMF	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\tipresx.dll.mui	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ja.properties	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_ja_4.4.0.v20140623020002.jar	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02466U.BMP	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_zh_CN.jar	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\RyukReadMe.html	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00612_.WMF	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.XML	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\LEVEL.INF	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_sv.properties	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.ja_5.5.0.165303.jar	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\St_Johns	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-highlight.png	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport.wmv	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_zh_CN.jar	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175428.JPG	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00454_.WMF	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Stanley	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.RSA	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.SF	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ja_5.5.0.165303.jar	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\LAYERS.INF	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_ja.jar	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\RyukReadMe.html	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\THMBNAIL.PNG	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\vlc.mo	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\RyukReadMe.html	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\RyukReadMe.html	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099200.GIF	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\RyukReadMe.html	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+4	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103402.WMF	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341455.JPG	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe

pid	process
1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1688 wrote to memory of 2016	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	bwUAskFLyrep.exe
PID 1688 wrote to memory of 2016	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	bwUAskFLyrep.exe
PID 1688 wrote to memory of 2016	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	bwUAskFLyrep.exe
PID 1688 wrote to memory of 2016	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	bwUAskFLyrep.exe
PID 1688 wrote to memory of 1248	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	XCBkacnNxlan.exe
PID 1688 wrote to memory of 1248	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	XCBkacnNxlan.exe
PID 1688 wrote to memory of 1248	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	XCBkacnNxlan.exe
PID 1688 wrote to memory of 1248	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	XCBkacnNxlan.exe
PID 1688 wrote to memory of 2624	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	rdpbIeHjQlan.exe
PID 1688 wrote to memory of 2624	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	rdpbIeHjQlan.exe
PID 1688 wrote to memory of 2624	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	rdpbIeHjQlan.exe
PID 1688 wrote to memory of 2624	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	rdpbIeHjQlan.exe
PID 1688 wrote to memory of 2672	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	icacls.exe
PID 1688 wrote to memory of 2672	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	icacls.exe
PID 1688 wrote to memory of 2672	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	icacls.exe
PID 1688 wrote to memory of 2672	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	icacls.exe
PID 1688 wrote to memory of 2684	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	icacls.exe
PID 1688 wrote to memory of 2684	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	icacls.exe
PID 1688 wrote to memory of 2684	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	icacls.exe
PID 1688 wrote to memory of 2684	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	icacls.exe
PID 1688 wrote to memory of 2716	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	net.exe
PID 1688 wrote to memory of 2716	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	net.exe
PID 1688 wrote to memory of 2716	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	net.exe
PID 1688 wrote to memory of 2716	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	net.exe
PID 1688 wrote to memory of 2776	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	net.exe
PID 1688 wrote to memory of 2776	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	net.exe
PID 1688 wrote to memory of 2776	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	net.exe
PID 1688 wrote to memory of 2776	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	net.exe
PID 2776 wrote to memory of 3552	2776	net.exe	net1.exe
PID 2776 wrote to memory of 3552	2776	net.exe	net1.exe
PID 2776 wrote to memory of 3552	2776	net.exe	net1.exe
PID 2776 wrote to memory of 3552	2776	net.exe	net1.exe
PID 2716 wrote to memory of 3536	2716	net.exe	net1.exe
PID 2716 wrote to memory of 3536	2716	net.exe	net1.exe
PID 2716 wrote to memory of 3536	2716	net.exe	net1.exe
PID 2716 wrote to memory of 3536	2716	net.exe	net1.exe
PID 1688 wrote to memory of 3476	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	net.exe
PID 1688 wrote to memory of 3476	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	net.exe
PID 1688 wrote to memory of 3476	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	net.exe
PID 1688 wrote to memory of 3476	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	net.exe
PID 1688 wrote to memory of 3304	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	net.exe
PID 1688 wrote to memory of 3304	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	net.exe
PID 1688 wrote to memory of 3304	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	net.exe
PID 1688 wrote to memory of 3304	1688	703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe	net.exe
PID 3476 wrote to memory of 3224	3476	net.exe	net1.exe
PID 3476 wrote to memory of 3224	3476	net.exe	net1.exe
PID 3476 wrote to memory of 3224	3476	net.exe	net1.exe
PID 3476 wrote to memory of 3224	3476	net.exe	net1.exe
PID 3304 wrote to memory of 2864	3304	net.exe	net1.exe
PID 3304 wrote to memory of 2864	3304	net.exe	net1.exe
PID 3304 wrote to memory of 2864	3304	net.exe	net1.exe
PID 3304 wrote to memory of 2864	3304	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
"C:\Users\Admin\AppData\Local\Temp\703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Local\Temp\bwUAskFLyrep.exe
"C:\Users\Admin\AppData\Local\Temp\bwUAskFLyrep.exe" 9 REP
2⤵
- Executes dropped EXE
PID:2016

C:\Users\Admin\AppData\Local\Temp\XCBkacnNxlan.exe
"C:\Users\Admin\AppData\Local\Temp\XCBkacnNxlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:1248

C:\Users\Admin\AppData\Local\Temp\rdpbIeHjQlan.exe
"C:\Users\Admin\AppData\Local\Temp\rdpbIeHjQlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:2624

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2672

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2684

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3552

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3536

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3304

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2864

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3476

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

MD5
e35e9df9d06c4ac237aa398e2dab4533

SHA1
bf456d4d83cf137f894ed2bdad472c3d89e2944a

SHA256
9ea8c9bd0841e4d438c78950ba49e92f1bba10cc97e430d949489c6d22d56579

SHA512
563ac3945314356dea5c8b8dc7fe1403823c03308cfba610a75efc850e4451554741a59e770f48d273e67d5cc4493d84bc3be9c6202137835339630cb9fb1a05

Download Submit
C:\MSOCache\All Users\RyukReadMe.html

MD5
e35e9df9d06c4ac237aa398e2dab4533

SHA1
bf456d4d83cf137f894ed2bdad472c3d89e2944a

SHA256
9ea8c9bd0841e4d438c78950ba49e92f1bba10cc97e430d949489c6d22d56579

SHA512
563ac3945314356dea5c8b8dc7fe1403823c03308cfba610a75efc850e4451554741a59e770f48d273e67d5cc4493d84bc3be9c6202137835339630cb9fb1a05

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab

MD5
b4ed63d1853e401ce6dbc011b146babf

SHA1
2ecc386bc23be87bf507a56aaea6c26f7e6456f4

SHA256
ff2f7bc25b4a3a87c01eec79bb843678f724b75a79fbf4ac3dab0c53da2b4f4c

SHA512
aeeee3f14f4ac0580ff42e4d2cfd62cd97dfa7d4d0816b80769cbb03bd23d17e2deef49af88298f7983a21d435608c8a3603e9a0f7937e7697d0c622842ec219

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

MD5
d57ef92fadeb40c8d45c698358dea78b

SHA1
1d31ca0f2251dd90dfc57105800d7ca1649e87db

SHA256
211107517bf29ef6558cfb93203050bd4112d999500319c537380614a5c89f23

SHA512
49718d815aeacdc64ce7cfe935599b5f53953ecb7a9357be25ccde5508d44402f4b80f7c8b290040ce957a00164e41d69d544868f6930513f7d88052afdf3318

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

MD5
e9160d2fbdf19df034b03e12f22b6638

SHA1
7b2771eb38afd2af457c200dca46702a63991768

SHA256
614e028721f9a61e60d2dc1200862f09dc6ab593fd1c8a3d66fc17ac0b46fb69

SHA512
8b0b355ba7c7c385ed79b4b10ce83382aa780fa0d5f3ae019494089e491becc85f1936ecc1467fd3d2b44e7af957e72abd34e297af3ae374fb683bfe77f7a738

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi

MD5
36f707956f345e07eba08cf355f4b700

SHA1
6f9123a964d806b88a0e17955ced4969f07dc5a0

SHA256
b35a40682e05fbdf51adc6c90617f1293d8b06bdb3e9a8dc6b2dde249385b16d

SHA512
a484d54820b0322433cc0086047802fe0038e9db08589f357694c2523927c62a608adee1772cb668e50326a9e6752be9ca705a96fa47e6232bbd5e6535293e4b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

MD5
e5994ca99ea23c86b8ea08ca3081f141

SHA1
2d4e5a257c1e6b2e5299f51e376bea8b50dd930a

SHA256
a4ae63aa3cc772e627214ed218d7b683038365720a587bc0e08ed8a865e0b456

SHA512
bb4f7af31aead8a2bfc83f4820b07881ea4198189695f1a11cbde1f6ea88f9cc9207b87c3ffa343d463992db676a4870410ed3a5671d570048694b2671ab963b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab

MD5
6aafe2ea8a301437b555dad21a1aba6c

SHA1
eb4d4993f3cee61717a67408d0636abd5a49b5bf

SHA256
cb61ffd0cb4ee8fb6a845b4786ae672c2f985a0c798fabf93f140c09d1c975b6

SHA512
4c3329d8d6e2029729388e0255e684d7804325842bcf72734aee438eb557f524629c481f96bfe7673f7fbc21da45b1f58dcad673519181ae7d7780c2261b6883

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab

MD5
481ea32e280dbb726a95f2bac84dc1d2

SHA1
a9a9df225812f1b1f79f37ceb5f93ec57346a13b

SHA256
47b975ee6642e68d78de6ca37e9a375b80338287b9604dbb9ed1478cab98f519

SHA512
d3b8b9899b8f57ca7db68fc1ee6399724ad6791627c51dbcb9d11528c64bee0b32d3619046027211398a0ea65efafb509ee21b2ca2df271e2fcf6fa2e5bf33da

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
e35e9df9d06c4ac237aa398e2dab4533

SHA1
bf456d4d83cf137f894ed2bdad472c3d89e2944a

SHA256
9ea8c9bd0841e4d438c78950ba49e92f1bba10cc97e430d949489c6d22d56579

SHA512
563ac3945314356dea5c8b8dc7fe1403823c03308cfba610a75efc850e4451554741a59e770f48d273e67d5cc4493d84bc3be9c6202137835339630cb9fb1a05

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
3d3327e8ba2e2580abfc20ed5ce52953

SHA1
e53b71fd234f76a157e970ccf22edf39aab9473e

SHA256
6559a4bcdc33673fa2c4bfda00e62a605590d8ec2788b15c54118d3528e75cac

SHA512
ec503f2c01a4593105fbde858789b3799b11dca428fb57e1bb9946d869486ff7859c661ebb7539b1925888642f633211ece2fce76311d18cd27679aa9d5b0af9

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

MD5
aae217fd8b13637a1fe6e1864bc534ff

SHA1
746d1f8f289b2579cc87d7683ea6a652b42a9954

SHA256
3ff5e24ca74a4749c7ba10bce4af08cd40c3832a0f805f522ca0f73b33da42fa

SHA512
9e526156a8137b259685527490c9bed51cda8fc02b435840505d68ffbd17f675c06d97a6be97563ede5a74406016d30291384736e742ad1995f4d03d211a3322

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab

MD5
5ecb5957deb6563f117cdc8b306e92c9

SHA1
3fe662dfdc1ec08615ec242bed6ba95e0087da10

SHA256
a826d1b72d00b56803f444d2aec345a7cf0def2380d27e936c8f72138c462c24

SHA512
c6302859d5666c814d1076c2cef9a2420f67250035f6a9d9429e712a675a5d370a0a726ece8e92bbb69ce3f189d622aa07ed762c6f5f46afe1e22b360a64178c

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

MD5
925fbafc83a9d26b57c81d893aca5e6b

SHA1
8d1e1c07c2473b64d0f3b160be67506a882f5c4d

SHA256
7822c84594de187cd8d1a9a57c27fff30c8510dac625d984f3ec7f464d48f8ba

SHA512
e19993ba53fd8cd89930df343e81cabcbba386bf73337af515b80cf82e6c8d17c2e43adaa012405439d217a5c462cd516fd5f3cc20fc5d8563be7a8ce5f06810

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

MD5
c0ef36cb0874a5be62c8bd5b1be99013

SHA1
1eed614344ec4b1a3a65afe7d23d8c01f7fa6a5b

SHA256
7984ced06d62534834e5ca486ecbfc41e71bb4583742a4d844a95460c636cedc

SHA512
60bf0bf5f3bbfd16db3a70898c9f1acbcf6fee9a229cfe7602c2a6956e4a12da78d885bfd9690c8b507cd0277ac1fdaeff37a1af510d8019ec76efda3019053b

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
e35e9df9d06c4ac237aa398e2dab4533

SHA1
bf456d4d83cf137f894ed2bdad472c3d89e2944a

SHA256
9ea8c9bd0841e4d438c78950ba49e92f1bba10cc97e430d949489c6d22d56579

SHA512
563ac3945314356dea5c8b8dc7fe1403823c03308cfba610a75efc850e4451554741a59e770f48d273e67d5cc4493d84bc3be9c6202137835339630cb9fb1a05

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
0520ea7ea906e4fc73642717298cefcf

SHA1
fde83855ff4da7fc34fd7646de4a8e5ca4f72ecc

SHA256
9d708f1ab4214a7c52b6739610be4dd7e29dd64957be9bd11fceb245a7b35a2d

SHA512
c9459a0770416277ac95de1c606710a3868d515e073143aca77b3931419a64b101e24adf992ddad77d8cfe9ff92dbb5c857da63b68afa2d022b60c6e40213f7e

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

MD5
cdcd6e29e1f586452a684cefbcddba21

SHA1
75b603304eb65e1d612088e12568d92cddfd712e

SHA256
961e1eb30a25bf0b120c0ed3a796e1661f381e0118dc1fa8fb2e71312a51cbd8

SHA512
fd5f61c4671411f158802254908d23f50438219875553467e5dad712df5693efdfb720a00ef0590a68c66971cceeb4b1e8d15114e0d5dac48655e526aada0fa1

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

MD5
0e27b07677dc5dbad3a72c1543ae7070

SHA1
f500502e269f43a26e8ea34ae97ed003ef2b00e1

SHA256
6692ce85da657aadf74588c8808c92fb1ef0b233af0a91a01efbd119e6184888

SHA512
3301f68b37057cfd57b406b60c8861a9163f0f10628b096c14e520214f2b256fd590c521b36d95b771d1b3762bb15a6b520e3a907a5f942b0b8ece0a26962b1a

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.RYK

MD5
39b3caf050de8e1f4c1589c3b2a1b1c8

SHA1
219ddfe422e0f1bd63d88b67744d8f5e79bd3261

SHA256
9aee51bcb39ebe89f208fdaf034baffe630a48e4e4cd538d9b6c6025a933c72d

SHA512
d3dfe96fc9b011050536ce54de8554fcea5470a3d175e084ed1dfaa2c649b93ca33bdc55b1d70467af0d3c9fdcab7d3fc7f4f6ae3dc71cd9d2e35ca53f882fa8

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
e35e9df9d06c4ac237aa398e2dab4533

SHA1
bf456d4d83cf137f894ed2bdad472c3d89e2944a

SHA256
9ea8c9bd0841e4d438c78950ba49e92f1bba10cc97e430d949489c6d22d56579

SHA512
563ac3945314356dea5c8b8dc7fe1403823c03308cfba610a75efc850e4451554741a59e770f48d273e67d5cc4493d84bc3be9c6202137835339630cb9fb1a05

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
ceae75fc38703bccb3b48a230d4f4bc6

SHA1
cebe029a7120893da2595c7a9bf7af1b7b16635b

SHA256
23d502c4ce4df1689fa3beb38810621d015b187f42889d1fa6655df5575e4308

SHA512
153227fa75df0f3909d529aa9f6dd2ef79527be9bc54624d4b02ee024c592254f17bdc081989644be5b8a05ea654ea972382c57fce6d20f0601e6a69e17fc028

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

MD5
29ed3bd56e384de8f5d0e05960d15440

SHA1
717ef8b892c5ff4d818c1ac0e193ba2db8b3fffa

SHA256
34f07eb01dc7fe4e454bbf051a3edde996665027770ffab1e79666ce73656865

SHA512
82664173783b193120068a5b5195437623801ee52e2a78d2ae6a4623d4c216f7da37117b1006c47f72614c4346f3f2bbf9c4af39a271f65c1a9785ab3545ccf6

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

MD5
c3255fe3266ff2947a60618c9a149aa6

SHA1
d8c8b0d8e1acee4a95ccca10edf8b7d4443f4fd0

SHA256
fd2a7e11e5c831da9c6e53418815da079a32ed3e382f41b8e0875ac1ae58d13c

SHA512
6dcd00a74a971b61be85361977c1f8a3607ed395d285f2cacaf6a546171d5fb3036b1a634832320376d7e7787ddeb9cde48d2b7cf9a3a20370c8901d7271f5a2

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

MD5
10b806d2bf99abc2ff477f30fdcb3e86

SHA1
4380e4f15e5f9fc69f87147564bcff5b23c64165

SHA256
a33881206d3ff4e833b910bf66320b403ed3907eb695b4823b2fd08db01df6f6

SHA512
ed703c038a2a1ecd47752c051019381ab69112f125852f593647c21a605beaf4b5220ae1c67aeab2420d1947a5a0c94adeb208c5da6ad4950c55e337889ec92e

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
e35e9df9d06c4ac237aa398e2dab4533

SHA1
bf456d4d83cf137f894ed2bdad472c3d89e2944a

SHA256
9ea8c9bd0841e4d438c78950ba49e92f1bba10cc97e430d949489c6d22d56579

SHA512
563ac3945314356dea5c8b8dc7fe1403823c03308cfba610a75efc850e4451554741a59e770f48d273e67d5cc4493d84bc3be9c6202137835339630cb9fb1a05

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
b4f8bb048dbfc5722d57cc1cf1e4a01e

SHA1
eafa2502a2d73328a3b138cf752188eea3743ee5

SHA256
da97f7cc9de53b126dc4188bb1804b4363c9365990bcf2fbba61ed4fad5d2e5f

SHA512
c70202d32b3781be01634bc29bd165315688dc481a33e80ba9b130a81b81eaa4ee28dae2561fb5ab18c8bb58acb9588c2cc70cb8687ead68dd8b3efc707dce11

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab

MD5
dd78816a3088add195246804d3e1cf0f

SHA1
925c23fa5e1534a0b9b03a3fecfa33fe0a66ac45

SHA256
ced82b3ed4ca3b0e81c36efc009d976bd22897382b6485e66c892a9e40d8eef9

SHA512
5bd8bec5478f8323ba21920fe82bec2e285dfa1806fcf9d3c878e68243cd873b5dffcf96415e4b4c23c761789d30622650b2c37ff971810d4aa9f0e05ee7f765

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

MD5
ee05ca3c3de5965b280480a4ddc6f932

SHA1
c3f8119ece38809e105daf89405ecd83da0578a6

SHA256
d224b15ac2a67f20def14a0baaeff5080ca1244a9fc6588da0e3e4956027f22d

SHA512
6e670658c29defe85276b97caa2eba9d3348c882e7483c842b4547db4098306cd63166ff7e5d1a464ffe89304efdf3ff553f35f96715f77cee9669f673a4aad7

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

MD5
f7cb4d174bf3f05f6a4866a2251f75cf

SHA1
dcf1936bedf76d466311bd81c45fa6b81e046554

SHA256
7ecbd0b65ff206b14e52c89e770bbbad716f7b0710ee202a138849f7c69961b8

SHA512
6eeaefe6ae8ac6ba43a083e309a86cc91117fba679dc7f5fdb353b4671f443e2f45365597ad04f6364cd9a1c333c6f8f6b6218bfd53a145562d3f5e937bae3e2

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
e35e9df9d06c4ac237aa398e2dab4533

SHA1
bf456d4d83cf137f894ed2bdad472c3d89e2944a

SHA256
9ea8c9bd0841e4d438c78950ba49e92f1bba10cc97e430d949489c6d22d56579

SHA512
563ac3945314356dea5c8b8dc7fe1403823c03308cfba610a75efc850e4451554741a59e770f48d273e67d5cc4493d84bc3be9c6202137835339630cb9fb1a05

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
d6fd27587657a3e848d34a9228d27f89

SHA1
89cfd92c79b78dbbeae66d6993501327987c3291

SHA256
f73c480692d8afbc801dfdd512dc0e7b0467125b61e07a42c35d0da41304a556

SHA512
5422d3061a38c5c43514978a83bebbe3866e3340286ec3f688e6b4efd900a424bfbde7abe34e7288443772557ee8adcc2e8175a5e8c491921c38d96458b004f0

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
e35e9df9d06c4ac237aa398e2dab4533

SHA1
bf456d4d83cf137f894ed2bdad472c3d89e2944a

SHA256
9ea8c9bd0841e4d438c78950ba49e92f1bba10cc97e430d949489c6d22d56579

SHA512
563ac3945314356dea5c8b8dc7fe1403823c03308cfba610a75efc850e4451554741a59e770f48d273e67d5cc4493d84bc3be9c6202137835339630cb9fb1a05

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
f30e0d9639533b4cfcbae7e00b7458fa

SHA1
0c246acb6374443bcd5920eb2cba28399223ccbc

SHA256
fabb7a21ef6dbc4cee441ec9a951fc57bc6ecbe6332422d982e6c601a37adc0c

SHA512
59e362d95d9a8f203a204c57447b24293f5aeb75bd1e26758b06a03b9f3e730e570a7aed9aace8dfff395ef5545ec9e5c512a28230092b1d3a661f1c7ef36734

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab

MD5
bd557c4c2f5aae6fdc283cdf37032dc2

SHA1
8f02922d0a7447fbc8d7d0ef14426398f07c96db

SHA256
c2eaec9b65e55128aec0347239d39978f11580b91bd912fc500c7a7b62ca9483

SHA512
e7f64ba7602b70684288d8d05152f38b64fe80f5448bee2646fe898fa1365ad8e605a1f5c89b727254e94f4574c495ba7b85926d981e3af93a3e215c4630a602

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

MD5
f1515e0e8e5ac535de2cb3e4c4a2f6b6

SHA1
d2f52d1f9763df39f8cf1dac45b6a32f343b5ba9

SHA256
2dc5dfac051878fc09c3e796567e6fa8302d2b42ed3d724b043c69d4d5b2f65f

SHA512
81f322331853441bc4d0c373315e73b1919393742a38412e862f9ad9579a76ede64882769d7a1882ce5889d4b4db4fd1c698c20fb4d96e71d4118e03967e4c56

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

MD5
1115313ea841843e4f4d69a3a96e03c1

SHA1
1621341b7465835bb2d2fa5b18fd8925d577d253

SHA256
58b410374b6be5359782c0e93667720957706605a240483b48d0b8255dd05556

SHA512
9cb20c2c86b71bba905e9686010d30bc1547df9692fb2f204c3714cfb4f1d20c291e95a678ee45e46b1a8b895e75669ebbdfb486764db20e9e66a69460f9519b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

MD5
c5a5546476926c717aebbad492a1ff51

SHA1
d1fb123faac31cb985472cc4398dcc4619e70628

SHA256
9fd4479c64fe1672eb4aff3eb54b631b866d3f22e8348551666f44e9c59c4245

SHA512
fe613cd20a7d32554b1b6fa66ae0c760f745bf2ac5fbf472489a3547f5914b927989b4d5c1415d096376a545764be768cde3c4d0e5748f06c948ad294679ec1b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

MD5
60683dcb25bca238a5d804fbc1f5a5ee

SHA1
4279d9b751621a5ce2d303721b5ffb8e6993844c

SHA256
7f2fb21036ac4453bbf7730ccd80715e8e14f527897941dde4ef34e8ec77b7bd

SHA512
76e07b8485f9c223973677fd7c741fc8060a2c1d428d4605e25d873a46bc41368385c9abd80de8469dddf0d1081204ca27d221dace2c90c1efd18998ab0e0efc

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

MD5
a79358ae8c58dd8b6262fefaf7b8055f

SHA1
fb07d99b9f08bf9177e44e1d0c6b5724a3635d9e

SHA256
2032bf376375f9f2771754c34482f5bb2625012cb80cdd3c7ffd12c7a44a79e9

SHA512
f4b293c8da483f68e1ffa8b4b2a590f6c8b88f914e34c86afd72f4c05b316065e853edcb8fe6c9eb2b592ecee8fbcadea7f5f0411f9dd6749336f4f6eccb1784

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html

MD5
e35e9df9d06c4ac237aa398e2dab4533

SHA1
bf456d4d83cf137f894ed2bdad472c3d89e2944a

SHA256
9ea8c9bd0841e4d438c78950ba49e92f1bba10cc97e430d949489c6d22d56579

SHA512
563ac3945314356dea5c8b8dc7fe1403823c03308cfba610a75efc850e4451554741a59e770f48d273e67d5cc4493d84bc3be9c6202137835339630cb9fb1a05

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

MD5
4207cdbecde6d51879e454d69ff48227

SHA1
9991be3307050dc73721a1f25db7615e31de8798

SHA256
ff3932f21f7a06306faefce68da2cf24963d83c2611360758afe582b0fc0b184

SHA512
7431fcc35a6c020fffd3021885d61212064f43e4ba9a60bbd38dbf6e860704ce3f2821d74b0bd646cb63fbc25d246edfbcb56cac4bd33295a034d813ea805523

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

MD5
d448a5abf9314247c11372164bc30d5b

SHA1
bdaba9cb2083deb91ecf13cde22ff4e14e4a053f

SHA256
92a58efe830f291156ac2e52373466a4b65e24185af84e208ca4dec8b7ecf217

SHA512
b0ff0739c4e508b35c398c951694851c6f915c352344f546a582bf7d91929df1718e7759e82ba01e497b127ab6baca59cfa578397ebc5eb85d138838cd818a1b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

MD5
7711f09dd3fb009031f6245c1358942e

SHA1
1d03c2bf53c1cdaa65f0c68604ae109870ac5946

SHA256
faeb476930e6d6acaad33871d12644580d51ca3c649720f94b59b2b7095f2e0a

SHA512
e05097f6b9cb0ceaf245575f00c91c30dcbf1eae8083418e357126db9a0486861886f1aceddeab7fc90fd8462bd8208fadb7c110c2faa5048767d63b41fec1c5

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.html

MD5
e35e9df9d06c4ac237aa398e2dab4533

SHA1
bf456d4d83cf137f894ed2bdad472c3d89e2944a

SHA256
9ea8c9bd0841e4d438c78950ba49e92f1bba10cc97e430d949489c6d22d56579

SHA512
563ac3945314356dea5c8b8dc7fe1403823c03308cfba610a75efc850e4451554741a59e770f48d273e67d5cc4493d84bc3be9c6202137835339630cb9fb1a05

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK

MD5
e040ead70143969a23138d2069430b3c

SHA1
e36be5f1c4fa336e617a860d776ff82e7af89d10

SHA256
d198eacff59af5984caa490f83850bbd3e7546a33a6e9dbf8a9f005ed7a2b38a

SHA512
eed33b23ea362e4ad015ecacec9276553710c17f402b6b545101057bc2f466eda85e8b7139614164f3a20e4cf88b9d437c6e20f0fe91e395ee6ff20a316381d5

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

MD5
180fff5809c508cc55314e81bb21c77d

SHA1
9881e4769d5efb5d7645587b6e07192a92a1ff4e

SHA256
74577391638dd9bcb330371145245906a935764c3902669deb97d3dd5bca17ad

SHA512
40cd2635b45d35e43fc32eff65ee7fbadc3625e25e8e2c8e00ee4540153b29ef07690a7fd7cfdb77a664004187f66d193fca4bb75e69d4086f13dc5e7a45d42d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

MD5
861eea001e3ed09f269672d016af4a3f

SHA1
9de58bf1f699db88500a7b73e72f6bb6ce66b41f

SHA256
a164c1870ae2b4f859f52e6b4f0e9c3f8ecfc17d995ff1fdea19ace41be6de11

SHA512
a3e3b020190010d77a777db9a24debbf61aeb8e07c8944867b8adcbb896205664258b48c54eac79f91669f875f17fbbbd3a83b195cb2dfd4d7e0495f248fed94

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.html

MD5
e35e9df9d06c4ac237aa398e2dab4533

SHA1
bf456d4d83cf137f894ed2bdad472c3d89e2944a

SHA256
9ea8c9bd0841e4d438c78950ba49e92f1bba10cc97e430d949489c6d22d56579

SHA512
563ac3945314356dea5c8b8dc7fe1403823c03308cfba610a75efc850e4451554741a59e770f48d273e67d5cc4493d84bc3be9c6202137835339630cb9fb1a05

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

MD5
aabe665c9ad6ae249de619db5e74e568

SHA1
ed5568803d8ae571f965c8138a4d0d35f2da101b

SHA256
84eb3a5222a59ce8961935b6951138bd19512aa7f4d3502acc362494880a2a47

SHA512
11a5f22bc5a55e930d427748e4b7fad5f8a462a6ab6667f5e0987270c99e29497ce72bc1e98cca407871e05bf3260e4ecb477329c9e61096bc9e0bb414c85941

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

MD5
e627e49747414641f80c427dbfc9d249

SHA1
0426627a3fc4f36ef99e265833947a9734181610

SHA256
88191409bbb9a0ca263d66bed0aba8889e5c6d38c55aef53141a3d6b765edebf

SHA512
5a7a1daea3d15ef428f0894ef57829d1822a59508b8007eac60ce229fc1b3df6b04ba4c0dc9fa987d7cb2db40457e0f4e11d30d49d3a9da7ef0fcaf7d4aebcaa

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
e35e9df9d06c4ac237aa398e2dab4533

SHA1
bf456d4d83cf137f894ed2bdad472c3d89e2944a

SHA256
9ea8c9bd0841e4d438c78950ba49e92f1bba10cc97e430d949489c6d22d56579

SHA512
563ac3945314356dea5c8b8dc7fe1403823c03308cfba610a75efc850e4451554741a59e770f48d273e67d5cc4493d84bc3be9c6202137835339630cb9fb1a05

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
ba700fb0ecca30012979057efc22a264

SHA1
4ad7dfcf48a641f2c8f2acfc34c13d36dfa3b3af

SHA256
b4246fad91007acb69bed2dcdfb6ffa66aa3284067fc2ed71abfac06a54ce52d

SHA512
0a3c93f93efe63e4013f81b71d32da2cb1b3a6c4ccb9fab09ddf2a63bc9f88621428f0fbd8ab917eec32e0c4410b1b2311b1eabe8bd0ba950a4c71844bef5602

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.RYK

MD5
44c94c8299ed10d17bfc8b285193f5a9

SHA1
153e295f809504ee37200806e0606609d71e89a1

SHA256
4f07122f9bad4fea825313523824390daa67cce2bf8cafd9dfd1738bdc38c433

SHA512
bc9a4e11c657a5dfa7c9b3f5ca2771e2fb57a43894516d4b6effab753a6e2eb1ab600c94f4b0ac7cb28d3bf9b0ee1035e98cae50c43b1ee43f19eead24f7d103

Download Submit
C:\Users\Admin\AppData\Local\Temp\XCBkacnNxlan.exe

MD5
31db87c5d3b970b42cb577611f851c7a

SHA1
8cc6a1f94514033ad8b15c3c4c720fb0eac249f1

SHA256
703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f

SHA512
d00d566f7385accd173669c9f8f6868626287e0ed4a6a08b174af9f6d054b70aed3babfa91450caa085134a2e75db42802a9cc11790c923ece3a4042d161be4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwUAskFLyrep.exe

MD5
31db87c5d3b970b42cb577611f851c7a

SHA1
8cc6a1f94514033ad8b15c3c4c720fb0eac249f1

SHA256
703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f

SHA512
d00d566f7385accd173669c9f8f6868626287e0ed4a6a08b174af9f6d054b70aed3babfa91450caa085134a2e75db42802a9cc11790c923ece3a4042d161be4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdpbIeHjQlan.exe

MD5
31db87c5d3b970b42cb577611f851c7a

SHA1
8cc6a1f94514033ad8b15c3c4c720fb0eac249f1

SHA256
703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f

SHA512
d00d566f7385accd173669c9f8f6868626287e0ed4a6a08b174af9f6d054b70aed3babfa91450caa085134a2e75db42802a9cc11790c923ece3a4042d161be4a

Download Submit
C:\users\Public\RyukReadMe.html

MD5
e35e9df9d06c4ac237aa398e2dab4533

SHA1
bf456d4d83cf137f894ed2bdad472c3d89e2944a

SHA256
9ea8c9bd0841e4d438c78950ba49e92f1bba10cc97e430d949489c6d22d56579

SHA512
563ac3945314356dea5c8b8dc7fe1403823c03308cfba610a75efc850e4451554741a59e770f48d273e67d5cc4493d84bc3be9c6202137835339630cb9fb1a05

Download Submit
\Users\Admin\AppData\Local\Temp\XCBkacnNxlan.exe

MD5
31db87c5d3b970b42cb577611f851c7a

SHA1
8cc6a1f94514033ad8b15c3c4c720fb0eac249f1

SHA256
703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f

SHA512
d00d566f7385accd173669c9f8f6868626287e0ed4a6a08b174af9f6d054b70aed3babfa91450caa085134a2e75db42802a9cc11790c923ece3a4042d161be4a

Download Submit
\Users\Admin\AppData\Local\Temp\XCBkacnNxlan.exe

MD5
31db87c5d3b970b42cb577611f851c7a

SHA1
8cc6a1f94514033ad8b15c3c4c720fb0eac249f1

SHA256
703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f

SHA512
d00d566f7385accd173669c9f8f6868626287e0ed4a6a08b174af9f6d054b70aed3babfa91450caa085134a2e75db42802a9cc11790c923ece3a4042d161be4a

Download Submit
\Users\Admin\AppData\Local\Temp\bwUAskFLyrep.exe

MD5
31db87c5d3b970b42cb577611f851c7a

SHA1
8cc6a1f94514033ad8b15c3c4c720fb0eac249f1

SHA256
703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f

SHA512
d00d566f7385accd173669c9f8f6868626287e0ed4a6a08b174af9f6d054b70aed3babfa91450caa085134a2e75db42802a9cc11790c923ece3a4042d161be4a

Download Submit
\Users\Admin\AppData\Local\Temp\bwUAskFLyrep.exe

MD5
31db87c5d3b970b42cb577611f851c7a

SHA1
8cc6a1f94514033ad8b15c3c4c720fb0eac249f1

SHA256
703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f

SHA512
d00d566f7385accd173669c9f8f6868626287e0ed4a6a08b174af9f6d054b70aed3babfa91450caa085134a2e75db42802a9cc11790c923ece3a4042d161be4a

Download Submit
\Users\Admin\AppData\Local\Temp\rdpbIeHjQlan.exe

MD5
31db87c5d3b970b42cb577611f851c7a

SHA1
8cc6a1f94514033ad8b15c3c4c720fb0eac249f1

SHA256
703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f

SHA512
d00d566f7385accd173669c9f8f6868626287e0ed4a6a08b174af9f6d054b70aed3babfa91450caa085134a2e75db42802a9cc11790c923ece3a4042d161be4a

Download Submit
\Users\Admin\AppData\Local\Temp\rdpbIeHjQlan.exe

MD5
31db87c5d3b970b42cb577611f851c7a

SHA1
8cc6a1f94514033ad8b15c3c4c720fb0eac249f1

SHA256
703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f

SHA512
d00d566f7385accd173669c9f8f6868626287e0ed4a6a08b174af9f6d054b70aed3babfa91450caa085134a2e75db42802a9cc11790c923ece3a4042d161be4a

Download Submit
memory/1248-67-0x0000000000000000-mapping.dmp

Download
memory/1688-60-0x0000000075011000-0x0000000075013000-memory.dmp

Filesize
8KB

Download
memory/2016-63-0x0000000000000000-mapping.dmp

Download
memory/2624-72-0x0000000000000000-mapping.dmp

Download
memory/2672-76-0x0000000000000000-mapping.dmp

Download
memory/2684-77-0x0000000000000000-mapping.dmp

Download
memory/2716-133-0x0000000000000000-mapping.dmp

Download
memory/2776-134-0x0000000000000000-mapping.dmp

Download
memory/2864-140-0x0000000000000000-mapping.dmp

Download
memory/3224-139-0x0000000000000000-mapping.dmp

Download
memory/3304-138-0x0000000000000000-mapping.dmp

Download
memory/3476-137-0x0000000000000000-mapping.dmp

Download
memory/3536-136-0x0000000000000000-mapping.dmp

Download
memory/3552-135-0x0000000000000000-mapping.dmp

Download