Malware Analysis Report

2024-10-23 18:37

Sample ID 220220-dgyg8sgad8
Target b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d
SHA256 b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d
Tags
ryuk discovery ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d

Threat Level: Known bad

The file b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d was found to be: Known bad.

Malicious Activity Summary

ryuk discovery ransomware

Ryuk

Executes dropped EXE

Checks computer location settings

Modifies file permissions

Loads dropped DLL

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Runs net.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-20 02:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-20 02:59

Reported

2022-02-20 03:10

Platform

win7-en-20211208

Max time kernel

165s

Max time network

208s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe"

Signatures

Ryuk

ransomware ryuk

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Lang\sv.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\uk.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kab.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\az.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\gl.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\is.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ku-ckb.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\yo.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\pt-br.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fur.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.sfx C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\co.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\bg.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ext.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\History.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ms.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\da.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hu.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mn.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\cs.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\descript.ion C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fy.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\nb.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ar.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\he.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ka.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ro.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mk.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ca.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\el.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ga.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\en.ttt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ps.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ky.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mr.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\nl.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\tt.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\an.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\7zCon.sfx C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mng.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kk.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\lij.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\et.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\io.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\af.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\gu.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\eu.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\pt.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\th.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kaa.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\it.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hr.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\7-zip.chm C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\de.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hi.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\si.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\va.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\eo.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fi.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ba.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\cy.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fa.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ku.txt C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 628 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Users\Admin\AppData\Local\Temp\QMSnnPhvvrep.exe
PID 628 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Users\Admin\AppData\Local\Temp\QMSnnPhvvrep.exe
PID 628 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Users\Admin\AppData\Local\Temp\QMSnnPhvvrep.exe
PID 628 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Users\Admin\AppData\Local\Temp\QMSnnPhvvrep.exe
PID 628 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Users\Admin\AppData\Local\Temp\tegAdYlqFlan.exe
PID 628 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Users\Admin\AppData\Local\Temp\tegAdYlqFlan.exe
PID 628 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Users\Admin\AppData\Local\Temp\tegAdYlqFlan.exe
PID 628 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Users\Admin\AppData\Local\Temp\tegAdYlqFlan.exe
PID 628 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Users\Admin\AppData\Local\Temp\iZizWujgglan.exe
PID 628 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Users\Admin\AppData\Local\Temp\iZizWujgglan.exe
PID 628 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Users\Admin\AppData\Local\Temp\iZizWujgglan.exe
PID 628 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Users\Admin\AppData\Local\Temp\iZizWujgglan.exe
PID 628 wrote to memory of 38516 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Windows\SysWOW64\icacls.exe
PID 628 wrote to memory of 38516 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Windows\SysWOW64\icacls.exe
PID 628 wrote to memory of 38516 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Windows\SysWOW64\icacls.exe
PID 628 wrote to memory of 38516 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Windows\SysWOW64\icacls.exe
PID 628 wrote to memory of 38524 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Windows\SysWOW64\icacls.exe
PID 628 wrote to memory of 38524 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Windows\SysWOW64\icacls.exe
PID 628 wrote to memory of 38524 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Windows\SysWOW64\icacls.exe
PID 628 wrote to memory of 38524 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Windows\SysWOW64\icacls.exe
PID 628 wrote to memory of 129040 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Windows\SysWOW64\net.exe
PID 628 wrote to memory of 129040 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Windows\SysWOW64\net.exe
PID 628 wrote to memory of 129040 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Windows\SysWOW64\net.exe
PID 628 wrote to memory of 129040 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Windows\SysWOW64\net.exe
PID 628 wrote to memory of 129072 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Windows\SysWOW64\net.exe
PID 628 wrote to memory of 129072 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Windows\SysWOW64\net.exe
PID 628 wrote to memory of 129072 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Windows\SysWOW64\net.exe
PID 628 wrote to memory of 129072 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Windows\SysWOW64\net.exe
PID 628 wrote to memory of 129476 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Windows\SysWOW64\net.exe
PID 628 wrote to memory of 129476 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Windows\SysWOW64\net.exe
PID 628 wrote to memory of 129476 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Windows\SysWOW64\net.exe
PID 628 wrote to memory of 129476 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Windows\SysWOW64\net.exe
PID 628 wrote to memory of 129488 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Windows\SysWOW64\net.exe
PID 628 wrote to memory of 129488 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Windows\SysWOW64\net.exe
PID 628 wrote to memory of 129488 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Windows\SysWOW64\net.exe
PID 628 wrote to memory of 129488 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Windows\SysWOW64\net.exe
PID 129040 wrote to memory of 130596 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 129040 wrote to memory of 130596 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 129040 wrote to memory of 130596 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 129040 wrote to memory of 130596 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 129488 wrote to memory of 131940 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 129488 wrote to memory of 131940 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 129488 wrote to memory of 131940 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 129488 wrote to memory of 131940 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 129072 wrote to memory of 131948 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 129072 wrote to memory of 131948 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 129072 wrote to memory of 131948 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 129072 wrote to memory of 131948 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 129476 wrote to memory of 132028 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 129476 wrote to memory of 132028 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 129476 wrote to memory of 132028 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 129476 wrote to memory of 132028 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe

"C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe"

C:\Users\Admin\AppData\Local\Temp\QMSnnPhvvrep.exe

"C:\Users\Admin\AppData\Local\Temp\QMSnnPhvvrep.exe" 9 REP

C:\Users\Admin\AppData\Local\Temp\tegAdYlqFlan.exe

"C:\Users\Admin\AppData\Local\Temp\tegAdYlqFlan.exe" 8 LAN

C:\Users\Admin\AppData\Local\Temp\iZizWujgglan.exe

"C:\Users\Admin\AppData\Local\Temp\iZizWujgglan.exe" 8 LAN

C:\Windows\SysWOW64\icacls.exe

icacls "C:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\icacls.exe

icacls "D:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y
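The WriteProcessMemory rows above record which process created which (the sandbox lists every parent/child pair four times), and the Processes section gives the command lines. Two details are worth noting before automating anything: the paths show net.exe and icacls.exe under SysWOW64 while the command lines say System32, because the sample is a 32-bit process and WoW64 file-system redirection maps System32 to SysWOW64 for it; and the three executables in %TEMP% are launched with "8 LAN" or "9 REP" arguments, the same pattern as the parent. The Python below is an added example, not part of the sandbox report: it rebuilds the process tree from rows in the table's format, collapsing the repeats, and flags the three command-line patterns this detonation shows (icacls granting Everyone full control recursively on a whole drive, net stop of samss or audioendpointbuilder with /y, and a %TEMP% executable run with a number plus LAN or REP). The rows and command lines are a constructed excerpt of the tables above; the rule names are my own.

```python
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EXE = TEMP + r"\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe"
NET_EXE = r"C:\Windows\SysWOW64\net.exe"
NET1_EXE = r"C:\Windows\SysWOW64\net1.exe"
ICACLS_EXE = r"C:\Windows\SysWOW64\icacls.exe"

# Constructed excerpt of the "Suspicious use of WriteProcessMemory" table above.
# The first pair is kept twice on purpose: the parser must collapse repeats.
WPM_ROWS = [
    f"PID 628 wrote to memory of 468 N/A {SAMPLE_EXE} {TEMP}\\QMSnnPhvvrep.exe",
    f"PID 628 wrote to memory of 468 N/A {SAMPLE_EXE} {TEMP}\\QMSnnPhvvrep.exe",
    f"PID 628 wrote to memory of 1840 N/A {SAMPLE_EXE} {TEMP}\\tegAdYlqFlan.exe",
    f"PID 628 wrote to memory of 1636 N/A {SAMPLE_EXE} {TEMP}\\iZizWujgglan.exe",
    f"PID 628 wrote to memory of 38516 N/A {SAMPLE_EXE} {ICACLS_EXE}",
    f"PID 628 wrote to memory of 38524 N/A {SAMPLE_EXE} {ICACLS_EXE}",
    f"PID 628 wrote to memory of 129040 N/A {SAMPLE_EXE} {NET_EXE}",
    f"PID 628 wrote to memory of 129072 N/A {SAMPLE_EXE} {NET_EXE}",
    f"PID 628 wrote to memory of 129476 N/A {SAMPLE_EXE} {NET_EXE}",
    f"PID 628 wrote to memory of 129488 N/A {SAMPLE_EXE} {NET_EXE}",
    f"PID 129040 wrote to memory of 130596 N/A {NET_EXE} {NET1_EXE}",
    f"PID 129488 wrote to memory of 131940 N/A {NET_EXE} {NET1_EXE}",
    f"PID 129072 wrote to memory of 131948 N/A {NET_EXE} {NET1_EXE}",
    f"PID 129476 wrote to memory of 132028 N/A {NET_EXE} {NET1_EXE}",
]

# Constructed from the Processes section above, quoted as the sandbox shows it.
COMMAND_LINES = [
    f'"{SAMPLE_EXE}"',
    f'"{TEMP}\\QMSnnPhvvrep.exe" 9 REP',
    f'"{TEMP}\\tegAdYlqFlan.exe" 8 LAN',
    f'"{TEMP}\\iZizWujgglan.exe" 8 LAN',
    r'icacls "C:\*" /grant Everyone:F /T /C /Q',
    r'icacls "D:\*" /grant Everyone:F /T /C /Q',
    r'"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y',
    r'"C:\Windows\System32\net.exe" stop "samss" /y',
    r'C:\Windows\system32\net1 stop "samss" /y',
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

def build_process_tree(rows):
    """Return (children, image): children maps parent pid -> sorted child pids,
    image maps pid -> image path. Repeated rows collapse to a single edge."""
    children, image = defaultdict(set), {}
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            continue
        ppid, cpid = int(m[1]), int(m[2])
        children[ppid].add(cpid)
        image[ppid], image[cpid] = m[3], m[4]
    return {p: sorted(c) for p, c in children.items()}, image

def render_tree(children, image, root, depth=0):
    """Indented text rendering of the tree, one line per process."""
    lines = [f"{'  ' * depth}{root}  {image.get(root, '?')}"]
    for child in children.get(root, []):
        lines.extend(render_tree(children, image, child, depth + 1))
    return lines

# Rule names are my own; each pattern is taken from a command line in this report.
RULES = [
    ("icacls_grant_everyone_recursive",
     re.compile(r'icacls\s+"?[A-Za-z]:\\\*"?\s+/grant\s+Everyone:F\b.*\s/T\b', re.I)),
    ("net_stop_service_with_y",
     re.compile(r'\bnet1?(\.exe)?"?\s+stop\s+"?(samss|audioendpointbuilder)"?\s+/y\b', re.I)),
    ("temp_exe_with_lan_or_rep_argument",
     re.compile(r'AppData\\Local\\Temp\\[^"\\]+\.exe"?\s+\d+\s+(LAN|REP)\s*$', re.I)),
]

def triage_command_lines(cmds):
    """Return (rule_name, command_line) for every rule that matches a command line."""
    hits = []
    for cmd in cmds:
        for name, rx in RULES:
            if rx.search(cmd):
                hits.append((name, cmd))
    return hits

if __name__ == "__main__":
    children, image = build_process_tree(WPM_ROWS)
    print("\n".join(render_tree(children, image, 628)))
    for rule, cmd in triage_command_lines(COMMAND_LINES):
        print(f"[{rule}] {cmd}")
```

The tree rendering starts at PID 628 because that is the only parent with no recorded parent of its own in the table; on a real host you would seed it with the PID from the process-creation event that launched the sample. The net.exe rule deliberately also matches net1.exe, since net.exe hands the actual work to net1.exe and both appear in the tree.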

Network

Country Destination Domain Proto (the Domain column is empty for every row, so each row below reads Country, Destination, Proto)
N/A 10.127.0.1:7 udp
NL 154.61.71.51:7 udp
N/A 224.0.0.22:7 udp
N/A 224.0.0.252:7 udp
N/A 239.255.255.250:7 udp
N/A 10.127.0.1:7 udp
N/A 10.127.4.199:7 udp
N/A 10.127.4.201:7 udp
N/A 10.127.4.203:7 udp
N/A 10.127.4.205:7 udp
N/A 10.127.4.207:7 udp
N/A 10.127.4.209:7 udp
N/A 10.127.4.211:7 udp
N/A 10.127.4.213:7 udp
N/A 10.127.4.215:7 udp
N/A 10.127.4.217:7 udp
N/A 10.127.4.219:7 udp
N/A 10.127.4.221:7 udp
N/A 10.127.4.223:7 udp
N/A 10.127.4.225:7 udp
N/A 10.127.4.227:7 udp
N/A 10.127.4.229:7 udp
N/A 10.127.4.231:7 udp
N/A 10.127.4.233:7 udp
N/A 10.127.4.235:7 udp
N/A 10.127.4.237:7 udp
N/A 10.127.4.239:7 udp
N/A 10.127.4.241:7 udp
N/A 10.127.4.243:7 udp
N/A 10.127.4.245:7 udp
N/A 10.127.4.249:7 udp
N/A 10.127.4.251:7 udp
N/A 10.127.4.253:7 udp
N/A 10.127.4.255:7 udp
N/A 10.127.5.1:7 udp
N/A 10.127.5.3:7 udp
N/A 10.127.5.5:7 udp
N/A 10.127.5.7:7 udp
N/A 10.127.5.9:7 udp
N/A 10.127.5.11:7 udp
N/A 10.127.5.13:7 udp
N/A 10.127.5.15:7 udp
N/A 10.127.5.17:7 udp
N/A 10.127.5.19:7 udp
N/A 10.127.5.21:7 udp
N/A 10.127.5.23:7 udp
N/A 10.127.5.25:7 udp
N/A 10.127.5.27:7 udp
N/A 10.127.5.29:7 udp
N/A 10.127.5.31:7 udp
N/A 10.127.5.33:7 udp
N/A 10.127.5.35:7 udp
N/A 10.127.5.37:7 udp
N/A 10.127.5.41:7 udp
N/A 10.127.5.43:7 udp
N/A 10.127.5.45:7 udp
N/A 10.127.5.47:7 udp
N/A 10.127.5.49:7 udp
N/A 10.127.5.51:7 udp
N/A 10.127.5.53:7 udp
N/A 10.127.5.55:7 udp
N/A 10.127.5.57:7 udp
N/A 10.127.5.59:7 udp
N/A 10.127.5.61:7 udp
N/A 10.127.5.63:7 udp
N/A 10.127.5.65:7 udp
N/A 10.127.5.67:7 udp
N/A 10.127.5.69:7 udp
N/A 10.127.5.71:7 udp
N/A 10.127.5.73:7 udp
N/A 10.127.5.75:7 udp
N/A 10.127.6.208:7 udp
N/A 10.127.8.1:7 udp
N/A 10.127.8.2:7 udp
N/A 10.127.8.3:7 udp
N/A 10.127.8.4:7 udp
N/A 10.127.8.5:7 udp
N/A 10.127.8.6:7 udp
N/A 10.127.8.7:7 udp
N/A 10.127.8.8:7 udp
N/A 10.127.8.9:7 udp
N/A 10.127.8.10:7 udp
N/A 10.127.8.11:7 udp
N/A 10.127.8.12:7 udp
N/A 10.127.8.13:7 udp
N/A 10.127.8.14:7 udp
N/A 10.127.8.15:7 udp
N/A 10.127.8.16:7 udp
N/A 10.127.8.17:7 udp
N/A 10.127.8.18:7 udp
N/A 10.127.8.19:7 udp
N/A 10.127.8.20:7 udp
N/A 10.127.8.21:7 udp
N/A 10.127.8.22:7 udp
N/A 10.127.8.23:7 udp
N/A 10.127.8.24:7 udp
N/A 10.127.8.25:7 udp
N/A 10.127.8.26:7 udp
N/A 10.127.8.27:7 udp
N/A 10.127.8.28:7 udp
N/A 10.127.8.29:7 udp
N/A 10.127.8.30:7 udp
N/A 10.127.8.31:7 udp
N/A 10.127.8.32:7 udp
N/A 10.127.8.33:7 udp
N/A 10.127.8.34:7 udp
N/A 10.127.8.35:7 udp
N/A 10.127.8.36:7 udp
N/A 10.127.8.37:7 udp
N/A 10.127.8.38:7 udp
N/A 10.127.8.39:7 udp
N/A 10.127.8.40:7 udp
N/A 10.127.8.41:7 udp
N/A 10.127.8.42:7 udp
N/A 10.127.8.43:7 udp
N/A 10.127.8.44:7 udp
N/A 10.127.8.45:7 udp
N/A 10.127.8.46:7 udp
N/A 10.127.8.47:7 udp
N/A 10.127.8.48:7 udp
N/A 10.127.8.49:7 udp
N/A 10.127.8.50:7 udp
N/A 10.127.8.51:7 udp
N/A 10.127.8.52:7 udp
N/A 10.127.8.53:7 udp
N/A 10.127.8.54:7 udp
N/A 10.127.8.55:7 udp
N/A 10.127.8.56:7 udp
N/A 10.127.8.57:7 udp
N/A 10.127.8.58:7 udp
N/A 10.127.8.59:7 udp
N/A 10.127.8.60:7 udp
N/A 10.127.8.61:7 udp
N/A 10.127.8.62:7 udp
N/A 10.127.8.63:7 udp
N/A 10.127.8.64:7 udp
N/A 10.127.8.65:7 udp
N/A 10.127.8.66:7 udp
N/A 10.127.8.67:7 udp
N/A 10.127.8.68:7 udp
N/A 10.127.8.69:7 udp
N/A 10.127.8.70:7 udp
N/A 10.127.8.71:7 udp
N/A 10.127.8.72:7 udp
N/A 10.127.8.73:7 udp
N/A 10.127.8.74:7 udp
N/A 10.127.8.75:7 udp
N/A 10.127.8.76:7 udp
N/A 10.127.8.80:7 udp
N/A 10.127.8.81:7 udp
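Every destination in the table is UDP port 7, and apart from a few multicast addresses and one public host (154.61.71.51, NL) the targets walk through the sandbox's 10.127.x.x ranges host by host, every odd address in 10.127.4.0/24 and 10.127.5.0/24 and every address in 10.127.8.0/24. That is a horizontal sweep, not command-and-control traffic. UDP/7 is one of the two ports Wake-on-LAN magic packets are conventionally sent to, and third-party analyses of Ryuk describe it waking hosts with magic packets before encrypting them over SMB, but this report records destinations only, not payloads, so treat the Wake-on-LAN reading as an inference to confirm from the detonation pcap. The Python below is an added example, not part of the sandbox report: it parses rows in the table's layout, groups unicast destinations by protocol, port and /24 to surface sweeps, lists the public targets worth checking against threat intelligence, and includes a magic-packet check to run over captured UDP payloads. The row excerpt is constructed from the table above, and the sweep threshold is my own choice.

```python
import ipaddress
from collections import defaultdict

# Constructed excerpt of the Network table above: Country, Destination, Proto.
# (The Domain column is empty for every row, so it does not appear.)
NETWORK_ROWS = """\
N/A 10.127.0.1:7 udp
NL 154.61.71.51:7 udp
N/A 224.0.0.22:7 udp
N/A 224.0.0.252:7 udp
N/A 239.255.255.250:7 udp
N/A 10.127.4.199:7 udp
N/A 10.127.4.201:7 udp
N/A 10.127.4.203:7 udp
N/A 10.127.4.205:7 udp
N/A 10.127.4.207:7 udp
N/A 10.127.5.1:7 udp
N/A 10.127.5.3:7 udp
N/A 10.127.5.5:7 udp
N/A 10.127.6.208:7 udp
N/A 10.127.8.1:7 udp
N/A 10.127.8.2:7 udp
N/A 10.127.8.3:7 udp
N/A 10.127.8.4:7 udp
N/A 10.127.8.5:7 udp
N/A 10.127.8.6:7 udp
"""

def parse_rows(text):
    """Return (country, ip, port, proto) for each 'Country host:port proto' line."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        country, dest, proto = parts
        host, port = dest.rsplit(":", 1)
        records.append((country, ipaddress.ip_address(host), int(port), proto))
    return records

def find_sweeps(records, min_hosts=4):
    """Bucket unicast destinations by (proto, port, /24). A bucket holding at least
    min_hosts distinct addresses is one source walking a subnet on a single port."""
    buckets = defaultdict(set)
    for _, ip, port, proto in records:
        if ip.is_multicast:
            continue
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        buckets[(proto, port, net)].add(ip)
    return sorted((str(net), proto, port, len(ips))
                  for (proto, port, net), ips in buckets.items() if len(ips) >= min_hosts)

def public_targets(records):
    """Non-private, non-multicast destinations: the ones to check against threat intel."""
    return sorted({str(ip) for _, ip, _, _ in records if ip.is_global and not ip.is_multicast})

def is_wol_magic_packet(payload: bytes) -> bool:
    """Wake-on-LAN magic packet: six 0xFF bytes, then the target MAC repeated 16
    times (a 4- or 6-byte SecureOn password may follow). Run this over the UDP
    payloads in the detonation pcap; the table above does not include payloads."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return False
    mac = payload[6:12]
    return payload[6:102] == mac * 16

if __name__ == "__main__":
    recs = parse_rows(NETWORK_ROWS)
    for net, proto, port, n in find_sweeps(recs):
        print(f"sweep: {n} hosts in {net} on {proto}/{port}")
    print("public targets:", public_targets(recs))
```

The /24 grouping is a heuristic for a sandbox report, where the source is always the detonated sample; on production flow data, group by source address as well, or a busy network monitor sending to many hosts on one port will show up as a sweep.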

Files

memory/628-54-0x0000000076C61000-0x0000000076C63000-memory.dmp

\Users\Admin\AppData\Local\Temp\QMSnnPhvvrep.exe

MD5 6230b3044d91004700121402341d9bc6
SHA1 d98bd8631a432e1c5e5d091fd4085901a8935972
SHA256 b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d
SHA512 1a9afa17b70f5d6976cb61fadd418a6481ed605fb7813575ff02bad45099c1460933ffeafe60c6545a0fe1ca3943c32a0e7d668bb14093bc6520a5cace9373bd

C:\Users\Admin\AppData\Local\Temp\QMSnnPhvvrep.exe

MD5 6230b3044d91004700121402341d9bc6
SHA1 d98bd8631a432e1c5e5d091fd4085901a8935972
SHA256 b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d
SHA512 1a9afa17b70f5d6976cb61fadd418a6481ed605fb7813575ff02bad45099c1460933ffeafe60c6545a0fe1ca3943c32a0e7d668bb14093bc6520a5cace9373bd

\Users\Admin\AppData\Local\Temp\QMSnnPhvvrep.exe

MD5 6230b3044d91004700121402341d9bc6
SHA1 d98bd8631a432e1c5e5d091fd4085901a8935972
SHA256 b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d
SHA512 1a9afa17b70f5d6976cb61fadd418a6481ed605fb7813575ff02bad45099c1460933ffeafe60c6545a0fe1ca3943c32a0e7d668bb14093bc6520a5cace9373bd

C:\Users\Admin\AppData\Local\Temp\tegAdYlqFlan.exe

MD5 6230b3044d91004700121402341d9bc6
SHA1 d98bd8631a432e1c5e5d091fd4085901a8935972
SHA256 b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d
SHA512 1a9afa17b70f5d6976cb61fadd418a6481ed605fb7813575ff02bad45099c1460933ffeafe60c6545a0fe1ca3943c32a0e7d668bb14093bc6520a5cace9373bd

\Users\Admin\AppData\Local\Temp\tegAdYlqFlan.exe

MD5 6230b3044d91004700121402341d9bc6
SHA1 d98bd8631a432e1c5e5d091fd4085901a8935972
SHA256 b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d
SHA512 1a9afa17b70f5d6976cb61fadd418a6481ed605fb7813575ff02bad45099c1460933ffeafe60c6545a0fe1ca3943c32a0e7d668bb14093bc6520a5cace9373bd

\Users\Admin\AppData\Local\Temp\tegAdYlqFlan.exe

MD5 6230b3044d91004700121402341d9bc6
SHA1 d98bd8631a432e1c5e5d091fd4085901a8935972
SHA256 b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d
SHA512 1a9afa17b70f5d6976cb61fadd418a6481ed605fb7813575ff02bad45099c1460933ffeafe60c6545a0fe1ca3943c32a0e7d668bb14093bc6520a5cace9373bd

\Users\Admin\AppData\Local\Temp\iZizWujgglan.exe

MD5 6230b3044d91004700121402341d9bc6
SHA1 d98bd8631a432e1c5e5d091fd4085901a8935972
SHA256 b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d
SHA512 1a9afa17b70f5d6976cb61fadd418a6481ed605fb7813575ff02bad45099c1460933ffeafe60c6545a0fe1ca3943c32a0e7d668bb14093bc6520a5cace9373bd

C:\users\Public\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

\Users\Admin\AppData\Local\Temp\iZizWujgglan.exe

MD5 6230b3044d91004700121402341d9bc6
SHA1 d98bd8631a432e1c5e5d091fd4085901a8935972
SHA256 b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d
SHA512 1a9afa17b70f5d6976cb61fadd418a6481ed605fb7813575ff02bad45099c1460933ffeafe60c6545a0fe1ca3943c32a0e7d668bb14093bc6520a5cace9373bd

C:\Users\Admin\AppData\Local\Temp\iZizWujgglan.exe

MD5 6230b3044d91004700121402341d9bc6
SHA1 d98bd8631a432e1c5e5d091fd4085901a8935972
SHA256 b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d
SHA512 1a9afa17b70f5d6976cb61fadd418a6481ed605fb7813575ff02bad45099c1460933ffeafe60c6545a0fe1ca3943c32a0e7d668bb14093bc6520a5cace9373bd

C:\$Recycle.Bin\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

MD5 96bf6c47eaf0909615f3c5f9fe72e4dd
SHA1 2abb445effed78273c75e1b6d2d5f7857df767fa
SHA256 be472aaeab65e4078bd11bb9441d5ab9b784e6ecc950b1bccdfde3e56055f7cc
SHA512 f627a00f669a50da3acf25b47d609ca2b1267b66653c3cd292cc2f7e8e66a3e244247b01da1fb3feaae0ffac6c649bd6de18c7545190e9886bffa585c4cbe5ad

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.RYK

MD5 879f2a235ef8a7b0d5d20f35a6f9d030
SHA1 6a649c1980948fbd06c168e49adc58ede65171e7
SHA256 8995dfdb5f29e2e09650887f8249abe550fba42b2c6bd10b42f103867fb28c02
SHA512 d49a90ecae30ff9d94994f942edc3eb9b025f2d385f5002a9f1de7c9bf6a336cf97cc28274e07bad8bcd55f297c319bbf45b96a78372c3293d37c91fd16234c0

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

MD5 8e4778108022d114bde3d65eee422a86
SHA1 bc00799d04191c48f273c3b75be8dccbb093b1ec
SHA256 4eb2385f3d29d04c76fba9ffb8ce54de672d976b4ad7adf2120b77b711bf4bd1
SHA512 a37381805d339efa91c3eab178bfaaff9046b7b87ae882cddc66b307dc3e9c48fe29235651f57af11bd1a142b3f431601663d3431ac7a57c5a5914352f8add0d

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

MD5 87cad207f0b6e9231ac3d9baf0075d11
SHA1 96e44564960e8cad06e317e02effa7750c28baaf
SHA256 693ca9d356b06eea28bf928960f662e116dd0c4729b518b66649b0e27111ff73
SHA512 d4fe64e26f1bde088b35d637818f43b6d86c862879dc7588bfca9778be3dc121338c8ee8bee00bb871ee23b5cf305e09f420ae523a53eb56b078c7afb5b85149

C:\MSOCache\All Users\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.RYK

MD5 63c26442514aad57b349d9bd00b24df3
SHA1 f44f94561c5637348c1c2beee58c83035ab3fcd3
SHA256 c4f9a3d4af698b9f9414a8fb2333c50f95b77fe777f88cffdfeab90e53dd3432
SHA512 3255db7ccb92091803f15b0ce3700698131ffb9e11264805eafd4c0e94ef3307c31024eacabefc3060cfc4b2293a33e6b9c0ac0cfe3efb64640ee23d7420f89f

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

MD5 6279548b38b5d600276c1f4ace7976bd
SHA1 9207267b6f3bf7584e27333192d0dcc9ecc246f0
SHA256 c356fcefa2e7022769f63c1defa707d42f6b137d97c492aed454bd04479a3197
SHA512 4a26b1441213cbb525a137d93b45041f092967404955eba1ca8a3713084ba0ac0c66ce8e3ccbd7d34946604affc7b152d7cfa0cb1160dd2f045d7104a239f880

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab.RYK

MD5 2b421c3ca054fccabc52bca7af9ee5b1
SHA1 e34b7c7271a8161c4ff1ff4d7dc0e2c3f9e435a5
SHA256 90e2e36957d130ab062b91fe5962df8c0e8002482bdd072248aed2e40db118b5
SHA512 28f90449ecc64e3163cbbf71511bb0d6ce21af6ceda101c450a9b58cedd6c14971ee31c2859dc53d0bf5c61edefb875be4f50616c9a62a2e24a1f9a480301ed8

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.RYK

MD5 f2b3efb5d9c74a1199a1b8633027d73c
SHA1 316c166f7a187452418e1b2bd6b7785ee48df7eb
SHA256 455077091a4712965ad44910b84724c139deb4f7ba58748fadad421d14ed959f
SHA512 d2aef91048c99ed1299575fcb2c03ea1937a40a1e8c6a2e72e61169d75e6aacebdccd841b782df5d3bbba95269423459d6f99d07157c116fa485506e6644f7e1

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5 085337b7d7cfd7d32389e7ef4f2b268a
SHA1 2493aeb582b2fce0e4085a027fa8e32e972ec479
SHA256 55b947df449436d9f30dbf0afac1b99e7d3d5117d5be3515a7089ce164934aa0
SHA512 d8e060815e4dc159ec3b08c78a1ad7a8361e81c8d6a71920bb2bc050d436defe4c1dd810d76bcf4853bde5ba5da07194b176b187efa14284ed321a30bb00352f

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab

MD5 adca35ae9e30f8a9f38de2142467eb79
SHA1 9f9c6189f8a7aa9e3039bfd6f4edadd3c490391b
SHA256 6ec2e198377d1f717f3699216985ae7a7ad4922446bbd70f61453e228673a4e2
SHA512 b5b1e5bb5fa24effba0a361edfc3511a9f767704bc749a83a141e2bd1471371d1e4655e7959fb458cc11843e787b5094a49b11c616a65aecd48bde4e49cce2ce

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5 09954e0c2c7f06ff3d4be7be4c83489f
SHA1 fab846866ea7540b992958f55013527a9c8c98e0
SHA256 e6c07ead4fafbd8d4a9c95a5599f1ba9fd9fc6bcc91b1082a8bdcfe67a09e3d5
SHA512 063089a16d2baf795690a7a9625ec2b83f306e263308b08f9b10d43216cd859a5d31d65c1bf744e8b32e1bc004a9782231d54700dc9968f872c32193ea92efa8

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

MD5 368f4e8a74c30f57243b468d0841f377
SHA1 7caf46ae66145822eeaa6b2eb68729adf07ce32d
SHA256 23026ee6a69382d177ca35e9eb1a7afa459aea10f323760fe141b1acf2cecec7
SHA512 64d5d26537d5c29774ac8afb250b3cfdf40af7a28c54799862684809cfc8ad44e7480352ebd151f2aadfb6ddd6336674dc3a4f99b3d77bdf1fa9ff8657d4b8c3

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

MD5 1a0d674556c67f84cdaf7d9bddc98c31
SHA1 44cd541b75a9c50be0036e7e37d9f6ca298473eb
SHA256 d34ecc3557e510bc0c7f71f065f8f5f0ac760bd07dc3a0cab05a60855d54158a
SHA512 4775634b6f50d0d1adb9c1f8cbc43f76e4740f084cc6bbefe466d249241715af1c37c3e194ed31679ef84b5b9e16a2b37ea79546141fd5afba627fad61d426df

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

MD5 9ab471c75883996bde7ece812b80a429
SHA1 f527855c439191a967297855400e6be004a7369b
SHA256 3fd5b1f5a029ca22388cc99e0bdbff344fb56c92a41731a74fb498bdfd5aa7af
SHA512 ffa9b8ecbd465d19f2e8dfc286db7a6f76a2c7f38e6cf618bb3058b1f0828ad536f234c3a4e5baf267993056a76ee3e6a9ed87e20749362eacc14a989d44d3a9

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

MD5 a7b84efdbc03da92f4a74fc314eb7421
SHA1 3c5c5f3f7c77ce2d3ee2d2e33102e681fc189a66
SHA256 d44d59b536909c45fc051562025bed767fe2a4d7c9f636c84b91c5ce79f12354
SHA512 158cc011b889856dec7781ba6b1ae0b53de7e54a1f95504e85cb88f4bb1c436e02a590c2df84f3e09c56d3b6a68c1b40e0be949def2364e2851be14803773651

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK

MD5 3c7d6ee0aecd5ed3b12c7afe8a661ca6
SHA1 0bdb0cfc502166cbd582388ae114590a4983abfe
SHA256 94b42f481f83fa3de67bddf1646b7f85dffd323ba238b1a8d41d42e6eb298888
SHA512 b178b658348ecde209b0566c26db4d1368d1253628092bd09cace6bb17503f63c79c85352385cef9e07c8327a57337484104d1ab7545462f9460295a40a08103

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

MD5 c11149c6d92167417916a1bc840013a3
SHA1 9022f7ee37aab5cb671076e3011abaa926a9589f
SHA256 fb574430dfb80c6993e399ae2e3c3d93c2bc6bfd03525811dc1e4ce4ee78ae29
SHA512 659dd75f911d7c8a1849266a14907851991a3069d073d0482fbaf17fe00009cff1a444ba43a261fcb090ebfe1c7ff2a93569e8358d11f11a5ed6f1302809f4ce

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

MD5 f0ac67db3f3e8b10a14a1b7ac170bdf8
SHA1 d78bd8b57f6bd0904519c3c56b8431e7da56a923
SHA256 4afbaed3cf90083713a5d1166985fcca8b2ed21174ecf9bd1f85e70c4584e0b8
SHA512 ca16ad5b8a719b06a9c679c83734dadf9a2d1c8add544f51b1fb8b52e999146f75a141ed2134976d08d5a6ff3ca5e0152833852db9d13a85be31fad4dd83d932

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

MD5 3403edf2ccfc9c059b81606fd403b23d
SHA1 1fbeec2d8e36f8773a48ee4b326cd1c650ea0a49
SHA256 58fe24ca540bf8de3b6c19e43a44ebdd86e20c6436f930de97ec14c5613a2a0c
SHA512 f69463a0a83a5b03c10119da172b69d192a6f93b77b13359f69cba8e6bae65091e8e302c0b1936bc6ce20f2a2146b6f4271edd38bc2c02c5a4ea7fba4b2461a9

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

MD5 9148d70cdf42f7688446f4c8a3f02e1d
SHA1 1c19303d6b815febf7e8ca67b4bf3e7cb6eeb517
SHA256 80af06362ee031a0cfa437ec6220661b09edd0acb1cc29cde7c9c8a7f96b4814
SHA512 3d345f3918074840d462617b1c06b8b67343a590ad007e671f8cdaed628e8049a6ac87becdd0c4f8fb23eaacfba4c6ff0c3f638d1bc4b9cefa4782e992a57c73

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

MD5 caff9b022198ef658473452968c2a131
SHA1 cac8531543a2e932b66891c8bd7dcebd196b58bc
SHA256 bb2ab656f21d8bff3b7df8c9803fc6220cc5b2edb37f3eac36a79be11782bbd8
SHA512 137b56747396d985b08238430bf832e3008851edfd46e4fa7052a5f30ddb7d267a29cd4118e14c670a0d6e1c7c71adfc22f17b38a1e61e0c03da0ac266aa110d

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

MD5 ba9c76e3518121e918b1aaf1c6c969aa
SHA1 e4e47b8a7fbf2df7ba43f85f6b24663708bd49c4
SHA256 c576097c69e859794a9a2fb38d1b610fc3fc016fa94579612bbfea262d495b54
SHA512 0519778dde7a7c7a21e62960390adf214aa85fd744394ad1679229487df37eacc44cd90491e3362984497ddff33b2d20ecf3b4ebac6768e6bc3b40d8d3f11006

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

MD5 7d4818547749f2d968af6126a9930d70
SHA1 3fde4f2499e58507af5d1c6f89c9281a325e898b
SHA256 ad3d88aba5df2668b405a74ed0791dfb3dfb9b74aa21a0ff5418aaf2d3e3088f
SHA512 9c7fcb962f04697da92c4aeecac2fca5ddb1faf0e5619b0302f98f140b94100840a5ed7d5fa7ce8f5d9308312b5083c3ee30c6f67a438b5a8231be6ffaf30fb1

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

MD5 3a3e8b462b6a99eda35c8923dbe9be0f
SHA1 3d3640c62bb94927cd16b2f9046b8a5d814ff7d0
SHA256 70f8ec2807a87570db9f634c538900a6c31d7d319cb9e2637f999479e3015173
SHA512 d6737bc2178cbf83adeb0231dba35c60fed1974973c9d330e921461649e8e495daf2e2d4ba6cd8ad54b94f07a50de84aeb691c8d9e91f2bbc44e6f32d4162b94

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.RYK

MD5 2389a3bdadd12c5466004901ab4bfeba
SHA1 0f7f120f350e396e8e8fc455f0ec7c44f644a666
SHA256 5c5d825c72200b6e032f774b0419028cbd13577d048abe586cb2614e37bb86c8
SHA512 5d3cc05a24a35572c9c639848ed8e09f337a2e07769418a67f70733e2b2df88de4dd7d0195cec707b5945189c080699330ef8d175274260358c0ae1a2933d422

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5 0dedeadb7c92a330e091066c4f0e3d2d
SHA1 9a581b5813579b77fa97bb6042a1448a231ad790
SHA256 4e88cf461c3a7010810c29997bff77f408b6ba17c6c4842b3642a4355aed6487
SHA512 02a553e1aabadcde8c2f884e055bc89265c7c767ecf5a521d3cdc38cc305393cc52ae7844e4b31851d8422f05d7e00d593a190017883e2887ac47d7daaafc15b

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

MD5 8cd86d8d95cc7f21a5964dc2abc4a129
SHA1 557c29dffdd082a102720c105e989ef9bd16e302
SHA256 741743f53bdb36ec685b3342d243ce26a62ec85f4cc6640aac5198ed7ae63151
SHA512 78d1532438d30508836589cb9a8d752bcf833cdd28e7a9693fdfeffec5fafd3ef2f900b6dfb21477ccd062cd6b51f79642edd5465e305663f8c79b11733f8148

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

MD5 74ae3b0f16c4fc4843fb1332996ddcf1
SHA1 601f300d604f5ea5f5aa513daf1b11147efecc59
SHA256 2a34b7c4d286282747c747138f868033cfffd4514032d9c694d15ee7eb4d6b87
SHA512 765b92bd2cf35564ccc218f219f9a8cedb70dfd38238613cf02faeb2b5ef9945cec4992d941dc359721fc4425dee19ebe9d796e5df1693175be0b846f60a52c2

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

MD5 9ddeb3d2b1e86aea635da35c72706417
SHA1 aeb87829943d57a9f64c82f836c79a1d1d4a1f6a
SHA256 757909608606b90b322915c095f1e8620c63d827ad74b68c521cad5620ef40be
SHA512 9c7ac7ccffd5eaa053a3c9025345e05eeb52bd95e2b5f8f8de7fc109403d7cebdf07e70e699ca17f4002570f1e5c3d46336d744f9d9e625ecbf9bee3e69856b9

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

MD5 013f87e02ce57fef119e57fd02eb5908
SHA1 4b4226fa4e78de3f8093e13af66b4210f341af8e
SHA256 a5866f5eefea203264c85bfdf518cdfd9f67f288d392cb0a0c32cff80c6375a5
SHA512 299d12d8c3d4e0ea781d6f4a755259f73efb063c9f509852b7c7db56e2a25fc3e5b584ac9de186c75a422492de40efbc6d2fd0fe35f76a4c1a329a4ea7b3317e

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

MD5 0bfcd34b2637cb2bfff1c90a586b5939
SHA1 23ef4566d9f4fda7b1277f936f2688810c7242b2
SHA256 a6b34ddf6f9d358269a9ed88171a035250a593b439ce51691be76f0cf536077b
SHA512 a1f81b1d36751355a36d1d71599c40c322adb7d61af80439782ed773328d70325dc27ff8cf48d328121f9f6a6472fd9ff3f4a0590d9605ee85a95e733c09d343

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5 9c101a9b3a6df2c134ccb648e135d0f4
SHA1 88359dee54e94c45b2f65542333a14cc1a53c06a
SHA256 1d4517ff581590f9d062934c0d08efe667ad0948f9d563af9759144e0427daf6
SHA512 d032cd75934b3923a162831c0e502da50881fb0a2c904fcaf610903305cd38f860609cf91cd719f5d7f6965aacb0a2fa182ce086cfa929d036b3e34058d16367

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.RYK

MD5 ec8a5ab7e9c6db688d27e1ec8454472a
SHA1 667e6a4c05ca838a27cf915220f2e73f756aeab4
SHA256 c76b4478f90c11398d02038057a8daca6dcbd0515e1134da688d4ffb3a40c023
SHA512 b18f12602d7c8956a456834e17f6c2d2a6e5d414b8cb3d8cf6bf6bfbba04c35d673d486a50ca36250921596655e90561a4ded4d51b5534d84169ea7f05238ec5

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5 e2818e56d649dba7e7a050acb8ec0982
SHA1 0d64949fc305b105a6531d537fefb8c037b9aa45
SHA256 cc28ed08fd9980a2f98c5c7cbf6275db5744f05148f5c5bb6067921611a8af46
SHA512 1bfa54d97afe098defa74a6f18b2f49ff0d0b7c3260bca8e3fc57e1154f558bb7ff6b48cc8b7a2ce90f9f86458f4d73fa57882abf6d0fbdbc77253bd39ee2bbb

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

MD5 930b445f2a98f0bc06f16e3e2bb29379
SHA1 13df3af0ff36d2a6ef9ccf4bc87a3a47e16a8352
SHA256 46a65e823e22cccfe179b50c5d59397206ef65ebf28988e05c499b483a7720ba
SHA512 23fe989bd70d2871f080ba1cc20daeab65172810d34fce672a6172b71c4679820a0df48b48047016b225eb92f880f03a11555953dbd5a99725e3b9de99acbc5e

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

MD5 48d2516ab8791fccbc81d7c8c84aae07
SHA1 dc34138ba9b4f841478b7546626388b4a5766a75
SHA256 dba1e756c5d2ecef3abeb07899e75fba17d8dd9a9fac6c99d55ff6b6ee8741a5
SHA512 5b73bd7d543cfad727bc4b01f1d4987fae78a9faf7c56ef1ef616ba1eb5f469d9823a56099cdc505f2ca87a05d080bf174821f149c02b7cb7640c9cdf3820d0b

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5 fcfef855ef3895cc72570dcdd9890bd1
SHA1 cf9f01ec4aed82a26ca127ddb6c1925acddfdd4a
SHA256 312ba928f3adb08cebef9dd6bacb993b064e7fcbbe4a98459bf4ebe1fd606e7e
SHA512 00d4580f9b6a00b8b21f61781b89616abd42f859903857d591543fd3513204ef538a453af7b993b48b9a7e6aec74151a02e44a6cf20da05cbef9cc3e7ee059d6

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

MD5 0b6b4f8e3bee7be6d7080b5f43d6a4f2
SHA1 1dc358f8a81284f36b3b3a7483bf5fd7ad3af160
SHA256 0f64074703ec74579e47282016cb7e2aaccc934e5b7efa5c3793759032450b60
SHA512 c07670f49e0835af83707727563f327a8f1675dcc80d856c1bd8795135fa5c3573af75a02271201d134a4365a63e16e14e882c02ab7a8b2d71d4f7f659f191f4

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

MD5 91d1fb04b2f67cb13be5f6c84b5fc9ed
SHA1 42cf150070d820ac4cfd4ab8f663b45a82c7e76e
SHA256 e4cc4a3d548f056b286024af9b720dd3c04c948d02f05ac1c261756058623411
SHA512 2f35a4e0b66996c7f55e7c1ca997f6e21995c118fc44ff30bc895d46e2d132addd2fc089c87c59e03b64d45c266fae9a0ad02c0ee925b09e66579a55fa28e494

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

MD5 966b9a65fdcfb67234bc5eb91804d920
SHA1 2e04a8fd321bccb9d2e9c8737032f4dbc3167c2a
SHA256 eef805fff88d84ca149d1b2d67e9f7a983d6a58c0a51c1768fb181ad47fe5c45
SHA512 38f962b5a5d600576ded7349315ff21ae0f309e9efcb86d834d8009d0716ba01da4d012da4c11d724168aa97edf68c3b1629de651c24c7ced9fe0f2c25b515fc

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5 dd862e4651921d60d0269225f14348ae
SHA1 f2c1420b538d10ecb2748090bb2c55bd340766ca
SHA256 e88ee948beed56e29beef658270ad565b0d7b6d749af139039b71f78c6df2d32
SHA512 227ee4bfe83a1272d0b128e7136be55723367478f1f7c4962ac54678596bb8102e4552a1a3330e88368adb9df4d595f7effcf90f8e85032e2b41c4431b11b53c

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-20 02:59

Reported

2022-02-20 03:10

Platform

win10v2004-en-20220112

Max time kernel

184s

Max time network

199s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe"

Signatures

Ryuk

ransomware ryuk

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\Logs\CBS\CBS.log C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4072" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4188" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132899765370056161" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "1.071473" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.366150" C:\Windows\System32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 544 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Users\Admin\AppData\Local\Temp\edrhVxxYJrep.exe
PID 544 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Users\Admin\AppData\Local\Temp\edrhVxxYJrep.exe
PID 544 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Users\Admin\AppData\Local\Temp\edrhVxxYJrep.exe
PID 544 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Users\Admin\AppData\Local\Temp\khUwlpRHUlan.exe
PID 544 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Users\Admin\AppData\Local\Temp\khUwlpRHUlan.exe
PID 544 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Users\Admin\AppData\Local\Temp\khUwlpRHUlan.exe
PID 544 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Users\Admin\AppData\Local\Temp\MhadIATDJlan.exe
PID 544 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Users\Admin\AppData\Local\Temp\MhadIATDJlan.exe
PID 544 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe C:\Users\Admin\AppData\Local\Temp\MhadIATDJlan.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe

"C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p

C:\Users\Admin\AppData\Local\Temp\edrhVxxYJrep.exe

"C:\Users\Admin\AppData\Local\Temp\edrhVxxYJrep.exe" 9 REP

C:\Users\Admin\AppData\Local\Temp\khUwlpRHUlan.exe

"C:\Users\Admin\AppData\Local\Temp\khUwlpRHUlan.exe" 8 LAN

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\MhadIATDJlan.exe

"C:\Users\Admin\AppData\Local\Temp\MhadIATDJlan.exe" 8 LAN
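
The process list above shows the detectable shape of this run: the sample (PID 544) writes three randomly named executables into its own %TEMP% directory, each with the parent's SHA256 (see the Files section), and launches them with the trailing arguments "9 REP" and "8 LAN". The report does not say what the two modes do, so the detection below keys on the argument shape and on the renamed self-copy rather than on any interpretation of LAN/REP. This is an added example, not part of the sandbox report: events are constructed from the process and WriteProcessMemory tables in a Sysmon Event ID 1-like layout, and the PIDs and hashes of explorer, svchost and TiWorker are placeholders.

```python
"""Added detection example (not from the report): flag a process that is a
renamed, byte-identical copy of its parent, launched from %TEMP% with a
trailing '<n> LAN' / '<n> REP' argument, as seen in behavioral2."""

import re
from dataclasses import dataclass

SAMPLE_SHA256 = "b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + "\\" + SAMPLE_SHA256 + ".exe"
TIWORKER = (r"C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35"
            r"_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    sha256: str


def temp_child(pid, name, args):
    """Child of PID 544 living in %TEMP%; hash taken from the Files table."""
    path = TEMP + "\\" + name
    return ProcEvent(pid, 544, path, f'"{path}" {args}', SAMPLE_SHA256)


# PID 544 and the child PIDs 2564/2068/3460 come from the WriteProcessMemory
# table.  explorer/svchost/TiWorker PIDs and hashes are assumed placeholders.
EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe", "aa" * 32),
    ProcEvent(544, 1000, SAMPLE, f'"{SAMPLE}"', SAMPLE_SHA256),
    ProcEvent(3000, 800, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k NetworkService -p", "bb" * 32),
    ProcEvent(3100, 800, TIWORKER, TIWORKER + " -Embedding", "cc" * 32),
    temp_child(2564, "edrhVxxYJrep.exe", "9 REP"),
    temp_child(2068, "khUwlpRHUlan.exe", "8 LAN"),
    temp_child(3460, "MhadIATDJlan.exe", "8 LAN"),
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# A quoted image path followed by '<digits> LAN' or '<digits> REP' and nothing else.
SPAWN_ARGS_RE = re.compile(r'"\s+\d+\s+(LAN|REP)\s*$')


def find_self_spawned_copies(events):
    """One finding per child that satisfies at least two of: (a) child and
    parent both run from %TEMP%, (b) child is a renamed byte-identical copy
    of its parent, (c) command line carries the '<n> LAN|REP' argument.
    Two of three keeps the rule alive if a variant changes the argument text."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        reasons = []
        if TEMP_RE.search(e.image) and TEMP_RE.search(parent.image):
            reasons.append("child and parent both execute from %TEMP%")
        if e.sha256 == parent.sha256 and e.image.lower() != parent.image.lower():
            reasons.append("child is a renamed byte-identical copy of its parent")
        m = SPAWN_ARGS_RE.search(e.cmdline)
        if m:
            reasons.append(f"spawn-mode argument '{m.group(1)}'")
        if len(reasons) >= 2:
            findings.append({"pid": e.pid, "ppid": e.ppid, "image": e.image,
                             "mode": m.group(1) if m else None, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_self_spawned_copies(EVENTS):
        print(f["pid"], f["mode"], f["image"])
        for r in f["reasons"]:
            print("   -", r)
```

Run against the constructed events this flags exactly PIDs 2564, 2068 and 3460 and nothing started by the OS. The hash comparison needs the EDR to record an image hash per process-creation event; where it does not, the %TEMP%-parent plus argument-shape pair still fires on the three children.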

Network

Country Destination Domain Proto
US 8.238.20.254:80 tcp
US 8.238.20.254:80 tcp
NL 104.80.224.57:443 tcp
NL 104.110.191.133:80 tcp
US 8.8.8.8:53 geo.prod.do.dsp.mp.microsoft.com udp
US 52.137.103.130:443 geo.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 kv801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 kv801.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 cp801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 cp801.prod.do.dsp.mp.microsoft.com tcp
N/A 10.127.0.1:7 udp
N/A 10.127.1.11:7 udp
N/A 10.127.1.82:7 udp
N/A 10.127.1.84:7 udp
N/A 10.127.1.85:7 udp
N/A 10.127.1.89:7 udp
N/A 10.127.1.93:7 udp
N/A 10.127.1.97:7 udp
N/A 10.127.1.98:7 udp
N/A 10.127.1.99:7 udp
N/A 10.127.1.103:7 udp
N/A 10.127.1.104:7 udp
N/A 10.127.1.108:7 udp
N/A 10.127.1.112:7 udp
N/A 10.127.1.121:7 udp
NL 154.61.71.13:7 udp
N/A 224.0.0.22:7 udp
N/A 224.0.0.251:7 udp
N/A 224.0.0.252:7 udp
N/A 239.255.255.250:7 udp

Files

C:\Users\Admin\AppData\Local\Temp\edrhVxxYJrep.exe

MD5 6230b3044d91004700121402341d9bc6
SHA1 d98bd8631a432e1c5e5d091fd4085901a8935972
SHA256 b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d
SHA512 1a9afa17b70f5d6976cb61fadd418a6481ed605fb7813575ff02bad45099c1460933ffeafe60c6545a0fe1ca3943c32a0e7d668bb14093bc6520a5cace9373bd

C:\Users\Admin\AppData\Local\Temp\khUwlpRHUlan.exe

MD5 6230b3044d91004700121402341d9bc6
SHA1 d98bd8631a432e1c5e5d091fd4085901a8935972
SHA256 b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d
SHA512 1a9afa17b70f5d6976cb61fadd418a6481ed605fb7813575ff02bad45099c1460933ffeafe60c6545a0fe1ca3943c32a0e7d668bb14093bc6520a5cace9373bd

C:\Users\Admin\AppData\Local\Temp\MhadIATDJlan.exe

MD5 6230b3044d91004700121402341d9bc6
SHA1 d98bd8631a432e1c5e5d091fd4085901a8935972
SHA256 b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d
SHA512 1a9afa17b70f5d6976cb61fadd418a6481ed605fb7813575ff02bad45099c1460933ffeafe60c6545a0fe1ca3943c32a0e7d668bb14093bc6520a5cace9373bd

C:\users\Public\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288
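
Read as a whole, the Files tables of both detonations contain three kinds of artefact that should not be handled alike. The three %TEMP% executables carry the parent sample's SHA256, so they are renamed copies, not separate payloads. RyukReadMe.html has the same hash at every location it is written, so within this run it is one constant artefact. Every .RYK entry has a hash that depends on the victim file and on this run's key material, so those hashes are worthless as indicators. One entry, InfLR.cab, is listed as modified but not renamed; the report does not say whether it was encrypted, skipped or still in progress at snapshot time, which is a reason not to key detection on the .RYK extension alone. The grouping below is an added example, not part of the report: rows are a subset copied from the Files entries above, and the classification rules are assumptions.

```python
"""Added IOC-triage example (not from the report): group Files entries by
SHA256 so self-copies of the dropper, the repeated ransom note, per-victim
encrypted output and unexplained modifications are kept apart."""

from collections import defaultdict

SAMPLE_SHA256 = "b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d"
NOTE_SHA256 = "44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
MSO = r"C:\MSOCache\All Users"

# (path, sha256) pairs copied from the Files tables above; a subset only.
FILE_ROWS = [
    (MSO + r"\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK",
     "4eb2385f3d29d04c76fba9ffb8ce54de672d976b4ad7adf2120b77b711bf4bd1"),
    (MSO + r"\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK",
     "693ca9d356b06eea28bf928960f662e116dd0c4729b518b66649b0e27111ff73"),
    (MSO + r"\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.RYK",
     "c4f9a3d4af698b9f9414a8fb2333c50f95b77fe777f88cffdfeab90e53dd3432"),
    (MSO + r"\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK",
     "e88ee948beed56e29beef658270ad565b0d7b6d749af139039b71f78c6df2d32"),
    (MSO + r"\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab",
     "6ec2e198377d1f717f3699216985ae7a7ad4922446bbd70f61453e228673a4e2"),
    (MSO + r"\RyukReadMe.html", NOTE_SHA256),
    (MSO + r"\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html", NOTE_SHA256),
    (MSO + r"\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.html", NOTE_SHA256),
    (r"C:\users\Public\RyukReadMe.html", NOTE_SHA256),
    (TEMP + r"\edrhVxxYJrep.exe", SAMPLE_SHA256),
    (TEMP + r"\khUwlpRHUlan.exe", SAMPLE_SHA256),
    (TEMP + r"\MhadIATDJlan.exe", SAMPLE_SHA256),
]


def group_by_hash(rows):
    """Map each SHA256 to every path it was written to."""
    groups = defaultdict(list)
    for path, digest in rows:
        groups[digest].append(path)
    return dict(groups)


def classify_iocs(rows, sample_sha256):
    """Bucket paths, then derive the hashes that are candidates for reuse:
    only the dropper and the note, never the per-victim encrypted output."""
    buckets = {"self_copies": [], "ransom_notes": [], "encrypted": [], "unexplained": []}
    for path, digest in rows:
        name = path.rsplit("\\", 1)[-1].lower()
        if digest == sample_sha256:
            buckets["self_copies"].append(path)
        elif name == "ryukreadme.html":
            buckets["ransom_notes"].append(path)
        elif name.endswith(".ryk"):
            buckets["encrypted"].append(path)
        else:
            buckets["unexplained"].append(path)
    keep = set(buckets["self_copies"]) | set(buckets["ransom_notes"])
    reusable = sorted({digest for path, digest in rows if path in keep})
    return buckets, reusable


if __name__ == "__main__":
    buckets, reusable = classify_iocs(FILE_ROWS, SAMPLE_SHA256)
    for kind, paths in buckets.items():
        print(f"{kind}: {len(paths)}")
    print("reusable hashes:", reusable)
    print("paths per hash:", {h[:12]: len(p) for h, p in group_by_hash(FILE_ROWS).items()})
```

On the rows above this yields two reusable hashes (the sample and the note) from twelve entries. Whether the note hash holds across other victims is not something this report can show; a hash blocklist built from the .RYK entries would never match anything outside this one sandbox run.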