ryuk | 8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd

Analysis

max time kernel
170s
max time network
196s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 04:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
Size

119KB
MD5

fc5473e4320cedbb353b77955ecf2366
SHA1

081a837503dfa82c177ef1229b2c00215d676442
SHA256

8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd
SHA512

3f378525a049557b46193b4f0b4611fbb73cac095983ac75da46f5574ba829cc51bb5c3ab6747591607e73ce89a77da0843e1c6098be7e56c7a3a5fa8578f7c1

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'hKC4IfX'; $torlink = 'http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

MUNPjDcDurep.exeOQjfublHhlan.exenrgAMuIrxlan.exe

pid process

572 MUNPjDcDurep.exe
2028 OQjfublHhlan.exe
9728 nrgAMuIrxlan.exe

pid	process
572	MUNPjDcDurep.exe
2028	OQjfublHhlan.exe
9728	nrgAMuIrxlan.exe

Loads dropped DLL 6 IoCs

Processes:

8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe

pid	process
1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

34396 icacls.exe
34404 icacls.exe

pid	process
34396	icacls.exe
34404	icacls.exe

Drops file in Program Files directory 64 IoCs

Processes:

8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\RyukReadMe.html	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe

pid	process
1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1304 wrote to memory of 572	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	MUNPjDcDurep.exe
PID 1304 wrote to memory of 572	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	MUNPjDcDurep.exe
PID 1304 wrote to memory of 572	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	MUNPjDcDurep.exe
PID 1304 wrote to memory of 572	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	MUNPjDcDurep.exe
PID 1304 wrote to memory of 2028	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	OQjfublHhlan.exe
PID 1304 wrote to memory of 2028	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	OQjfublHhlan.exe
PID 1304 wrote to memory of 2028	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	OQjfublHhlan.exe
PID 1304 wrote to memory of 2028	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	OQjfublHhlan.exe
PID 1304 wrote to memory of 9728	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	nrgAMuIrxlan.exe
PID 1304 wrote to memory of 9728	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	nrgAMuIrxlan.exe
PID 1304 wrote to memory of 9728	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	nrgAMuIrxlan.exe
PID 1304 wrote to memory of 9728	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	nrgAMuIrxlan.exe
PID 1304 wrote to memory of 34396	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	icacls.exe
PID 1304 wrote to memory of 34396	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	icacls.exe
PID 1304 wrote to memory of 34396	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	icacls.exe
PID 1304 wrote to memory of 34396	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	icacls.exe
PID 1304 wrote to memory of 34404	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	icacls.exe
PID 1304 wrote to memory of 34404	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	icacls.exe
PID 1304 wrote to memory of 34404	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	icacls.exe
PID 1304 wrote to memory of 34404	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	icacls.exe
PID 1304 wrote to memory of 83892	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	net.exe
PID 1304 wrote to memory of 83892	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	net.exe
PID 1304 wrote to memory of 83892	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	net.exe
PID 1304 wrote to memory of 83892	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	net.exe
PID 1304 wrote to memory of 83900	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	net.exe
PID 1304 wrote to memory of 83900	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	net.exe
PID 1304 wrote to memory of 83900	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	net.exe
PID 1304 wrote to memory of 83900	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	net.exe
PID 1304 wrote to memory of 83944	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	net.exe
PID 1304 wrote to memory of 83944	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	net.exe
PID 1304 wrote to memory of 83944	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	net.exe
PID 1304 wrote to memory of 83944	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	net.exe
PID 1304 wrote to memory of 71488	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	net.exe
PID 1304 wrote to memory of 71488	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	net.exe
PID 1304 wrote to memory of 71488	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	net.exe
PID 1304 wrote to memory of 71488	1304	8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe	net.exe
PID 83892 wrote to memory of 120148	83892	net.exe	net1.exe
PID 83892 wrote to memory of 120148	83892	net.exe	net1.exe
PID 83892 wrote to memory of 120148	83892	net.exe	net1.exe
PID 83892 wrote to memory of 120148	83892	net.exe	net1.exe
PID 83944 wrote to memory of 120172	83944	net.exe	net1.exe
PID 83944 wrote to memory of 120172	83944	net.exe	net1.exe
PID 83944 wrote to memory of 120172	83944	net.exe	net1.exe
PID 83944 wrote to memory of 120172	83944	net.exe	net1.exe
PID 71488 wrote to memory of 120156	71488	net.exe	net1.exe
PID 71488 wrote to memory of 120156	71488	net.exe	net1.exe
PID 71488 wrote to memory of 120156	71488	net.exe	net1.exe
PID 71488 wrote to memory of 120156	71488	net.exe	net1.exe
PID 83900 wrote to memory of 120164	83900	net.exe	net1.exe
PID 83900 wrote to memory of 120164	83900	net.exe	net1.exe
PID 83900 wrote to memory of 120164	83900	net.exe	net1.exe
PID 83900 wrote to memory of 120164	83900	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
"C:\Users\Admin\AppData\Local\Temp\8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Local\Temp\MUNPjDcDurep.exe
"C:\Users\Admin\AppData\Local\Temp\MUNPjDcDurep.exe" 9 REP
2⤵
- Executes dropped EXE
PID:572

C:\Users\Admin\AppData\Local\Temp\OQjfublHhlan.exe
"C:\Users\Admin\AppData\Local\Temp\OQjfublHhlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:2028

C:\Users\Admin\AppData\Local\Temp\nrgAMuIrxlan.exe
"C:\Users\Admin\AppData\Local\Temp\nrgAMuIrxlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:9728

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:34396

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:34404

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:83892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:120148

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:83900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:120164

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:83944

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:120172

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:71488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:120156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

MD5
f8d3ea8320a566aaf69b624c5e4dbe02

SHA1
d51a8ef0d34a40806297de5faef9ae73f3857823

SHA256
b05dd37cfa30a42eba05a0a109c1a5ddc8004bc0f45f76bd8b71fab214576bac

SHA512
1bcf121dbad592da9fc6fea1cdac586965048b334a68c90d043dd1a1457f936bd25b503631ea693289880b49caa9a85b13612944cfe85199b18c6ed967f874bf

Download Submit
C:\MSOCache\All Users\RyukReadMe.html

MD5
f8d3ea8320a566aaf69b624c5e4dbe02

SHA1
d51a8ef0d34a40806297de5faef9ae73f3857823

SHA256
b05dd37cfa30a42eba05a0a109c1a5ddc8004bc0f45f76bd8b71fab214576bac

SHA512
1bcf121dbad592da9fc6fea1cdac586965048b334a68c90d043dd1a1457f936bd25b503631ea693289880b49caa9a85b13612944cfe85199b18c6ed967f874bf

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab

MD5
d8cec54c0ba8fd12f7751264303acc79

SHA1
06e3689aec2ead2dbc7aeaab40ac775c9f06c9f2

SHA256
752a03f31c63eb93484240cb6647312cc8304ffe6a5e7837e92948bd6bf7b931

SHA512
95c7f2f7b69abe618d000b007133c0ef6db54ebf35e5e7b423389004f8dd46010acb4df50228549f9dc32179bd06b2d7a31f503b41da23f6993c41f9ee55a682

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi

MD5
8b059fe1d3e69acaa7458ed80c6de53d

SHA1
351653125b90e4faa4a259cf85601010c51c7e3b

SHA256
1df1a5e1afd30cd04868e1150c1ffd83ff30b701afe7098326f59eaefba03c95

SHA512
0fe2c5dff6316081ecc260aca98a3ff6eb8257c817f985e6c6ba8a8b9d28720569d975f96d0dd2daaeff7fa68a7325c7ee7292e3bfa3016d50d4f41461e56fc1

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

MD5
60126b7d5a89433e44a524512469981f

SHA1
4945d7448e3b9cc6da8254430651a2737c54ec29

SHA256
5f47aa5ea8a0583cf3a16c5e383abe1b73277548c64fed44771b0ed6525e8391

SHA512
b11efba50e5f8bc0034e45df3b5373f6ae765af5fa55343fb9fa8f16820569380a4e129d616bf5419ed665a26ecd2386d19be60a84e5d2e45befef609148451d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi

MD5
44d5d4b81c1f7ee01fe0f0f17d066640

SHA1
6be5bbd9f546ef30f03066369950c3ca7c349534

SHA256
c9083ec1579ed90fef53c53f43cc1be47ec556ea413d9ee185b9e741d2d9c2b5

SHA512
21b7fe016c4b251b1c4d4cf16cbb86fcc1001f99e435eccac47a9b8eb0598a78580513481ba19f79432f726a8ffa1947af235580b33424482f9ffb816ff00d85

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

MD5
1f85a023a31da02d137748160fc2c507

SHA1
19ac28149238451a02469c3e9a1d6a1b8afbb8eb

SHA256
af548d41fac36f162400fc45bcc386ae729a74babfb41d4512de67464664a214

SHA512
60d117a2a6eda62c5bb39c0f8fbfc4405bd86becc3dcbcac06ca580ee6f7f4fb16ab6616d2e60396eaeede9a9bd57ead8903a74a718b8af0878f453ce9cb35e6

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab

MD5
608af679595bf20bc0727f0f13188845

SHA1
1137edad1a1e98a02f3cd012d16708c21c95de7a

SHA256
22bf5509cea4c8b5c5bdbc903018b88cdd0c9a46128954c68e250ab62c1a93fb

SHA512
7bfff916a470747b407c584e6f9023f4ddc2cc55970bc2fd51cdc407d6c3d575cf46a15fd773955e88d55d53bc2fbfc2f3c50b1a3e45d90004a708f9d15e3e96

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab

MD5
ac572f90a827967ba262f4ce6d78b141

SHA1
7102696d2436f6022b3370e3e5c269f7b7095a9f

SHA256
fc98c5bf914548e7aff34df1798b5c171c1dce082bfe6dc46c0bfeb4f3ebaf2a

SHA512
67210703f8a1b563c512170bcb86086ff5bf20c6041a031e496de55fa7afe892f4ae4b6835d9d0bd41062a3592380617b9ebf0334f3f78ec717d23bf534230d1

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
f8d3ea8320a566aaf69b624c5e4dbe02

SHA1
d51a8ef0d34a40806297de5faef9ae73f3857823

SHA256
b05dd37cfa30a42eba05a0a109c1a5ddc8004bc0f45f76bd8b71fab214576bac

SHA512
1bcf121dbad592da9fc6fea1cdac586965048b334a68c90d043dd1a1457f936bd25b503631ea693289880b49caa9a85b13612944cfe85199b18c6ed967f874bf

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
ac36e9b35ae1cdbf7fff6bee0210e699

SHA1
e13507b284289416a23e0dfcd38129c155535f7f

SHA256
eaef0db80ad776d97885078e4cf92701c8ca2da9a6d8d09aa621096dd1db08a1

SHA512
8742f2195d14124a9b5d0417294051cb59bdd7aa6e315014009ef6c65aacbd71bc7fbb49c68bc3df91d207f19b72b3e29e53bbd7841ad3a9459db026141078fc

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

MD5
a6c37f2ec90c63ea09353aee494d493a

SHA1
61a79a989a80a99be7abf63c0ba53f7fcfa062ba

SHA256
472c105a86e2fb0de181e1d99ae62d3c2411f41f48f0e797ffe1e04e84527a52

SHA512
0b969646f2cb6176a8c79dd1f9f4243be78e75f87ebbf053163489c050709d6d1553d3268fc13d59a8ec6671aa6b19fe99b3398fd4e80e17f1056870ff4010ca

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

MD5
8b2634096299e09fd55f11f1bd315c9e

SHA1
9b83a54649c7f66b37994fd773a43bcb2d09b1cc

SHA256
7eb4dbc11a187b96fb688693ecec3ce1c949756529b3231569868c571aaf2d9e

SHA512
22d304e4d570c5f0a1d6c1ffc389e10d9d021e4b02db43c0d4a3b3f3970253a7f39f27e4c3e55185cae1148b8b3d23498b9336b585cfb0c2120017af0302789a

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

MD5
b96bfdbd657b593948cd0966ac7e33ae

SHA1
9791b53aac82cae87848a93e9d87f90ff694af53

SHA256
f87d9474949a5cea690729e506faf0a1095ef376ccf2728951552486789f1de1

SHA512
220216cf58bf2ed76cdf7ea7050b09c9acdcd6572b57309c1c047c3dc48bef59ff6b9c7b9a954522707d5231abce9baa96e88f4bb305163e6306e5e93dbc3c20

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

MD5
c73d86e8b893de0a33f22474b6fb7395

SHA1
88a60ce5984b60622b71a2f033ba52aafb70c08a

SHA256
9bb6b4795ea9d0e3a67869998da0811f4173f03d92f3b9eee5b75e38b695784b

SHA512
2c9a30c9ddc7f21c0151913f67a9c32e6044f872f8ee99d0e887d5b45f63cf117dd79d979260c9920bd664f7fd9eb800bd107b4bce3344a29e4335d600c14785

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
f8d3ea8320a566aaf69b624c5e4dbe02

SHA1
d51a8ef0d34a40806297de5faef9ae73f3857823

SHA256
b05dd37cfa30a42eba05a0a109c1a5ddc8004bc0f45f76bd8b71fab214576bac

SHA512
1bcf121dbad592da9fc6fea1cdac586965048b334a68c90d043dd1a1457f936bd25b503631ea693289880b49caa9a85b13612944cfe85199b18c6ed967f874bf

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
74c6e9d82aa8dc8ad3c5bc218993f326

SHA1
fcbee3f7f836130ca5f7a537029a47d425b4dabf

SHA256
ce2514d024e6ccf1c8f8a5da640276cf2c75cd88859becfbcce900b1cc12bd24

SHA512
22606ab931af0dfea053c4c45197043c3da22f23f3683a923107cd73dfd45ac564ab00ec62981a7ed15b0272447409b202de88cb72bfff1c83dbb16612e825cc

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

MD5
1461f7966ec8fd9382dcca63f8160ea5

SHA1
3645299e19793d8e15cf1823ddcd7d46c0e9cf7c

SHA256
8e358a69257de5abdec08e6dfa4772f4627dab7471ac7874c4b974e6b291de42

SHA512
cdf185a16bfbeea424dfe263dd2b062b7b6f96f379da34fd99bcdf75c92993c36983bff5319c02338eee314088be4cc036bb33c3d8128e2a5358c1a1fda0c703

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

MD5
7438bff64eb2867401d19a1baa946e58

SHA1
520df6d51913bf9a85893baf1fc2023f77428894

SHA256
5a70ef1910c470bfa0abce54bb3726d5ec12875b20fc283dc1b8ea0fc551b7cc

SHA512
6fc5c421a035af9f447ec44afa3c9f5b731652acb7e864c35d6364abce3f833fc109a2c74b39aa12760b848a12f65c971b74f5a0c5935478422dcded4162069a

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.RYK

MD5
80efedb8b13468d7f23131f0b243c3e6

SHA1
7ab36b6e7ca2ddc6c5425c3317e6a9abe95011f9

SHA256
e64f0eee40e0e313085bfa228628c29c9b1f0f5b679b3e77ee14baf4ab09f113

SHA512
472789beb787e7f066843a6475f4cc11e5179f426e9fca296f85942d21bc148b01197dfdc62130229c4e4bf58cd59e9956ece6d35b3b88c5f3c486b17a6a32d9

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
f8d3ea8320a566aaf69b624c5e4dbe02

SHA1
d51a8ef0d34a40806297de5faef9ae73f3857823

SHA256
b05dd37cfa30a42eba05a0a109c1a5ddc8004bc0f45f76bd8b71fab214576bac

SHA512
1bcf121dbad592da9fc6fea1cdac586965048b334a68c90d043dd1a1457f936bd25b503631ea693289880b49caa9a85b13612944cfe85199b18c6ed967f874bf

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
5393559c5c4cded552cc1f164a1cac66

SHA1
f94e87cede15c5da5bcd3771d238074136daf8cf

SHA256
26733c60d245d3a53a630f840d32074999b3858764ec6237ea1368fe4d867682

SHA512
1dccac745d1e96b4446f81a56ff4c3858e037a44c52f75c19fb276be3dba9832c317bc5592af779016caa77e9709817f24de0ab63f6a89f4bb1959e87e355da5

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

MD5
26f1588f0ce74af788fc2a768e5bdc1d

SHA1
13cd991181b32599670526215c43b99d224d5a61

SHA256
6fbcc695a7c3651d3101fecaa27aca0fec985f80d4d8ad7baf402f0cc9162f20

SHA512
729838c54c22ae6ee1c6d44c3c7eb684254610052417d5030b3372dfd3a8bd6abd3c351c48ab0c06cf030ffbca473ef78bb6cbd94eba8247e559e10208b5155f

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

MD5
b3d0846c06a9e4c784bf687cb5ec3525

SHA1
7ba66055c2c4c67ca5bab7d965d4a204284b376a

SHA256
6129c230fc478c2e4de1a061a32a9b11d9ab88958c29560c70e33299e0e17f33

SHA512
a15c8e39d17ca6b37427aa496e813f7cf347da25bad5ca83ebe9d5afb6cfbf17b665a49166ba3daf98e110e46163324e3e9e111ae11c6497095a9bc42abfa39b

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

MD5
681a11896056d30c22da347ebfc1829a

SHA1
17db3afadb74f191866918b131d3cefcb2717c9f

SHA256
a0380bc29d038b565efcc02ebca39f95b98cba3245b76ed8d85a8a69040a9e0a

SHA512
67fa8814bc9416ace54a9db356a24a7241cfbe94d4f8cdf42bc74fa6ecf6a5899fe04e0d97b21e864900d8f2bc3d72ad4c6c75b1c7342fccc4ade4f2c9ffc673

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
f8d3ea8320a566aaf69b624c5e4dbe02

SHA1
d51a8ef0d34a40806297de5faef9ae73f3857823

SHA256
b05dd37cfa30a42eba05a0a109c1a5ddc8004bc0f45f76bd8b71fab214576bac

SHA512
1bcf121dbad592da9fc6fea1cdac586965048b334a68c90d043dd1a1457f936bd25b503631ea693289880b49caa9a85b13612944cfe85199b18c6ed967f874bf

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
55d46962fdf739809549b04cc98dadcd

SHA1
3a2fceb2ea2b035ce2afb7e3e3c6b3cedcd3f604

SHA256
246e9305436263d3fb62f66ce61b8997a068a65f215d2d0560410d381a8ecdc5

SHA512
2513b851d65f62f122c28163f00fc03895b2a5b9615cf2be95e52e6e3fa66ab035471a0240fee770104f123e171e2b2294ca8f5f575b4cc55d10db1860979c81

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.RYK

MD5
d29ec0ceb0c562141c6d863d966d5e50

SHA1
32e161effa185d14de11d4e11d8faf813dc40b56

SHA256
a7d77d82e5dfe69f55c4fe6fc54c14e28cebcd30ba67ada57e3c20f43aedbbf9

SHA512
258c7fb60287672ee68ae342388cd682914193515cf3768f3c8d0cf495deb2c0c393b8abbe5f501a2a51ecf6c8af6400ffabf0172dbd5ec8bc8136b8e34bc9e1

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

MD5
45875929e9b6a60b65dc303500c4c838

SHA1
5d77fbe1a67a5f0bc30bce739a69f30746f402d1

SHA256
fa9fd63e691065a04d4ce930b00571922f381203391142657c5379a04d243516

SHA512
871640ed9eab76679cd1a6a4620b60fa53fe938e1be8ba9836c93996920a02a87452b672aa8c8cd14d5c5ed69192d4962974f972926f2bc3d4aa4b6b4a888d37

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

MD5
63038ee991904e01f74f39a37e5809a3

SHA1
fff226a1141a43533024763c9034b9776e388d72

SHA256
e68b78fe1d6c0d6efebb46c306a034c3de916c1c462fc34c5025b830e676f421

SHA512
94df2740c2168d449221580acabc1ea94ef42a8a6ab1524b025f92b66d19ffa9e7d89173b1499d6adb5cddcab87a42683368b465a6a5d8275d6ef12921ff0671

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
f8d3ea8320a566aaf69b624c5e4dbe02

SHA1
d51a8ef0d34a40806297de5faef9ae73f3857823

SHA256
b05dd37cfa30a42eba05a0a109c1a5ddc8004bc0f45f76bd8b71fab214576bac

SHA512
1bcf121dbad592da9fc6fea1cdac586965048b334a68c90d043dd1a1457f936bd25b503631ea693289880b49caa9a85b13612944cfe85199b18c6ed967f874bf

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
cb2426f1ac37670069631e820130e9ce

SHA1
47784bbdef9daae9277ad5e71ac5a2c830a2b7fe

SHA256
8ecbd2c338391251368cff17aedf0cc36081f307f9c5fd90027db3190e60429d

SHA512
47fcd448409380f3a8142ddf7af6e098140ebfe352b55a0a4c065ac0b6e4d9318e13627814ddd8a2c98ac8d227691f9d8e2842d6307549010f908a4888d60586

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
f8d3ea8320a566aaf69b624c5e4dbe02

SHA1
d51a8ef0d34a40806297de5faef9ae73f3857823

SHA256
b05dd37cfa30a42eba05a0a109c1a5ddc8004bc0f45f76bd8b71fab214576bac

SHA512
1bcf121dbad592da9fc6fea1cdac586965048b334a68c90d043dd1a1457f936bd25b503631ea693289880b49caa9a85b13612944cfe85199b18c6ed967f874bf

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
0cf6f8d4f1e2a4a5f58129280afa22d4

SHA1
0194dbedb91bbd49d1668a3de3fb9958eec1f1ab

SHA256
7b3397e11ee6961d5d7f444b9771b23f0743980d0dd57e819f34c3cda3270f6c

SHA512
9ddc07abdc252b4e23632c284a54e50b030f8bf4ce798a3b14783924512b43457b7aa751bc4826e02e6897e7fedc8df0d15af64639b8e50d37ef9ddb401d47cd

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.RYK

MD5
a46404f3ea7dec6fb2d7c4c54885c17e

SHA1
efb59c0f550460f77fa839eb446963dbcc1316b7

SHA256
c55e527bde9254681e818aacbe67a83326ee84bf9111360dfb3143ea873a03c5

SHA512
17665ad4d7cce2139de186583939d68f0793eeeaa41b2296776bfc24a1f9611c8ac00bb13527554d4fc66fcae4e8f97a245291af17b478ec38d5dd34ea1dc546

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

MD5
2eb225e29c0a7799e6767c9ab753f1fe

SHA1
89f04ddea00a916ca6d976b28224eabcac1c436e

SHA256
020f8d27a749b343553a3aad0fb7af258c183c30724648f79edf97c92d5b4c04

SHA512
7c3efa5696bef7c7dfdec112f9533e60b28777c740769ca09495c8d7f65e1e6539ce723a858c21c9bbfd3009e1707be64a5c0cd5b9f1647d19cdd8ff5cc33b7b

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

MD5
d8d17ab8d9aabb067a519055655616b5

SHA1
09d769613ce0e04e27598fcfb4c6b69c97294afe

SHA256
b01430767762b2a8f336dfb9f34bcd2e3133d2d0b70679ec5834eefe8aaa2f1f

SHA512
db7c555b73baa167017fdd675ea55d5c6f0a0189b4d2160dddc51ef9bb253a7eb0415e3ed7c6b0271b2ab2ffeb6a95106e558feb7db16e41746620ecff5d8687

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

MD5
118b8915f609f7b47ce646f59644ce8d

SHA1
037e3e254f866501ea29dde81a520277327e8d16

SHA256
24c7e65eeaf0f3920696668e22ec34fc0ee5b7d3a16bf9faadddf76330c8e8ff

SHA512
95f0fc025e9fbbe5867487520a3d30ae9ad7ba8d6dd4ed3b35fe9a51620c97f51531982bf7d23cd9407825deda0315abce0d4e5fa967f6a1c9c48485e4b5c980

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

MD5
91b5a37fbf59d9cb0d6500b699f578fd

SHA1
6303c7e8045cfe7c728b2d9f674b29668c817403

SHA256
bbec06dac198e5d71b462c6075c35a31973d25987c2e6bab7adc034d81717934

SHA512
57abb842c03d7771dfc43be09e8a0578e7fdea44ca4eb6c888f2947d56641657f466f5aa5a299cdc6faeb7e8fb92dfc9703f3ea79657b14f491828d6c97d63ee

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

MD5
9b04500bbddadcc6182268b344c55c7e

SHA1
5711d66472bfb89be29b5a4581acf0d357e76e0c

SHA256
f649cc032536cd133ddc873ce11925ddf55d9e4062e0963a8baa9733e4c65893

SHA512
18d55d110e65c01d1d66d2eaf4bdc10abc744004cf9db35f2b2a63450387e98cf40943822824586eff62db3a288ad7d3ba43982c090d55ef079f954e357c2e08

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html

MD5
f8d3ea8320a566aaf69b624c5e4dbe02

SHA1
d51a8ef0d34a40806297de5faef9ae73f3857823

SHA256
b05dd37cfa30a42eba05a0a109c1a5ddc8004bc0f45f76bd8b71fab214576bac

SHA512
1bcf121dbad592da9fc6fea1cdac586965048b334a68c90d043dd1a1457f936bd25b503631ea693289880b49caa9a85b13612944cfe85199b18c6ed967f874bf

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

MD5
4ba138b5a7009abea3b9e77527ccb68c

SHA1
bb87dd94b6111b9c9bb5565f3a870de44bdd6bb9

SHA256
d8dd6ef11039a123aa335b4d1b2fd13a3eaccd7d83661852c3753cf5a2bcccaa

SHA512
4818c66696c3c06fcf67b5677b3e7101e1b1ebd0702aeee477d23a1eda46b92739f54f919288f6109469010b0e0da0c62edaaed08ed48b261932390cc46925dd

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

MD5
173c8988e1732b86268d616176dc653f

SHA1
847058627eef93a95975fb2f678d94e525e9eaa8

SHA256
f737f7cb83f411f0ee52703a3397944bf5eabd8f7f0d2202513b63e55258d8d8

SHA512
6fa80216a31b7770e1783cee449feffaa9f2e2aed090c9d48f7995386c2ecaa9cbd5e20807053a72786a0d54925e49ee9854b9de261f842a1b36c4985dedef36

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

MD5
45c44c2b33bbb1dc5ff28ea1ff19321a

SHA1
b1f2150ded8f3defe8947044e930f33910a1b354

SHA256
7a9ed4196a839fdf7e8e6bf004b4c9a3cab6d9aabcd396c9ff8a616722f42827

SHA512
47f0486c835bba9b042b01810bade54a8f410bbca53c46bc60a836dd54d5550a07dd63c044086c442404ecbf2f025bd11c03ddb00a62c20b4c37daa625dc2f6b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.html

MD5
f8d3ea8320a566aaf69b624c5e4dbe02

SHA1
d51a8ef0d34a40806297de5faef9ae73f3857823

SHA256
b05dd37cfa30a42eba05a0a109c1a5ddc8004bc0f45f76bd8b71fab214576bac

SHA512
1bcf121dbad592da9fc6fea1cdac586965048b334a68c90d043dd1a1457f936bd25b503631ea693289880b49caa9a85b13612944cfe85199b18c6ed967f874bf

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK

MD5
7ccc3fe1b2edc0e7727d4b1486267b07

SHA1
ea829a7204419208a0331f4c59b86dd8f7eda992

SHA256
68c27725144c354112457917932b6910cc31f4aeffe5089a9e9d8dc130603618

SHA512
26f079657bb82e70840b728a959495923af6349208d2b89651279ee2f7e93e00cbf06c54f2d50a74fc09248f24b4423996b0e7c1fde79a360be6e4a6043e8f1f

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

MD5
4c30347c53e831b15b0de3ab02c9bca1

SHA1
eb468e1bbfa3a8dfc2afbb67d1b34a538b219427

SHA256
f8d739d0d53666c012e99d798b37d23326362201ef39c5af6e656ed4af651d73

SHA512
20f78a8d18e88954123df20e1b0b3f60438501e7e09e3d26ba5cc7e2a36466c414cb4511c349793b1b526bb2b0c6b92d062762af0fff2a99b3b66072ee31adae

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

MD5
745374cbdf47736b4ecd8e3baffab016

SHA1
7d1be57b5c29859a859fb87a03da086ec0942834

SHA256
7b88a658bf56c23729e347b6154ef5956a40900baccd07ecfbabf470ee1f7fff

SHA512
238582b21e49861f5fd79d0df3c13b966e9cddb035f59689c594381df0de32058ef0bcbc41de0fce5d65c6f1c121c5787e332a64a3b1a777513b39e84bf4f28c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.html

MD5
f8d3ea8320a566aaf69b624c5e4dbe02

SHA1
d51a8ef0d34a40806297de5faef9ae73f3857823

SHA256
b05dd37cfa30a42eba05a0a109c1a5ddc8004bc0f45f76bd8b71fab214576bac

SHA512
1bcf121dbad592da9fc6fea1cdac586965048b334a68c90d043dd1a1457f936bd25b503631ea693289880b49caa9a85b13612944cfe85199b18c6ed967f874bf

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

MD5
add919c00a9222d7f66b2c98bb16f07c

SHA1
745f7168ada74c6c14003c0f6c6003b87745e6a5

SHA256
11a70d51df5bb3d7cfc9f7fb0618994d433f768c12f4400058e58b36bb2618fa

SHA512
e0f2795d030badbf26c2db026f46060a905e3f83cfab47465d70d39127039746e0b000e0679b1c19c045b20d177941d323a45f6d0510486dc76aaaff7fedb59f

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

MD5
a2ed64ce348287aecf24d15a51e19eb4

SHA1
33c6e19f46d9cbedcacda208e0ed97e2360e1fd0

SHA256
b58d570ad010ec4e3c43331c5c965ab32eca3378c330466ce2b64bf2130a352e

SHA512
6ca97039fc6d6316101397b0411d433d143d17c9ff917d15815f956379b84978ab20638f67cc8311084d25e3362fc07e2d6892d53fb0c5ee5d4560a693077d80

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
f8d3ea8320a566aaf69b624c5e4dbe02

SHA1
d51a8ef0d34a40806297de5faef9ae73f3857823

SHA256
b05dd37cfa30a42eba05a0a109c1a5ddc8004bc0f45f76bd8b71fab214576bac

SHA512
1bcf121dbad592da9fc6fea1cdac586965048b334a68c90d043dd1a1457f936bd25b503631ea693289880b49caa9a85b13612944cfe85199b18c6ed967f874bf

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
46b11cb96deba5eaead0e8940b17197f

SHA1
8c4582811d0965a229fb5f78bab71b80776dbf80

SHA256
8fc345d8f4053ef43a37579cc3828eab8ee5ec29c5dd0538e1b58df5a5def278

SHA512
072401dae2647fa1362b6f0bde3d35821e4ea1ec14df1ed66650616145d15ab0f7ee627e1d87160b5825dcee4ed10061a099ec36c0fd082001c1d77f7fd1b3e4

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.RYK

MD5
625a4cf201acddc2b0943cba4ab32a9c

SHA1
e83a6e697d971aefb37cf44c73d369d02c972834

SHA256
c1b9d9c88e3802f607fe51b09f31f0a8976544c7ad4cfc2c1753379d43e3a4de

SHA512
19ff61e38da4090573c9201debad7cda9b8b93695df983ef96d9ca2584dae95d9b8e76622bf0fee15319993302ec17b68c158e056707b143d35660fc4e54a5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUNPjDcDurep.exe

MD5
fc5473e4320cedbb353b77955ecf2366

SHA1
081a837503dfa82c177ef1229b2c00215d676442

SHA256
8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd

SHA512
3f378525a049557b46193b4f0b4611fbb73cac095983ac75da46f5574ba829cc51bb5c3ab6747591607e73ce89a77da0843e1c6098be7e56c7a3a5fa8578f7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQjfublHhlan.exe

MD5
fc5473e4320cedbb353b77955ecf2366

SHA1
081a837503dfa82c177ef1229b2c00215d676442

SHA256
8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd

SHA512
3f378525a049557b46193b4f0b4611fbb73cac095983ac75da46f5574ba829cc51bb5c3ab6747591607e73ce89a77da0843e1c6098be7e56c7a3a5fa8578f7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nrgAMuIrxlan.exe

MD5
fc5473e4320cedbb353b77955ecf2366

SHA1
081a837503dfa82c177ef1229b2c00215d676442

SHA256
8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd

SHA512
3f378525a049557b46193b4f0b4611fbb73cac095983ac75da46f5574ba829cc51bb5c3ab6747591607e73ce89a77da0843e1c6098be7e56c7a3a5fa8578f7c1

Download Submit
C:\users\Public\RyukReadMe.html

MD5
f8d3ea8320a566aaf69b624c5e4dbe02

SHA1
d51a8ef0d34a40806297de5faef9ae73f3857823

SHA256
b05dd37cfa30a42eba05a0a109c1a5ddc8004bc0f45f76bd8b71fab214576bac

SHA512
1bcf121dbad592da9fc6fea1cdac586965048b334a68c90d043dd1a1457f936bd25b503631ea693289880b49caa9a85b13612944cfe85199b18c6ed967f874bf

Download Submit
\Users\Admin\AppData\Local\Temp\MUNPjDcDurep.exe

MD5
fc5473e4320cedbb353b77955ecf2366

SHA1
081a837503dfa82c177ef1229b2c00215d676442

SHA256
8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd

SHA512
3f378525a049557b46193b4f0b4611fbb73cac095983ac75da46f5574ba829cc51bb5c3ab6747591607e73ce89a77da0843e1c6098be7e56c7a3a5fa8578f7c1

Download Submit
\Users\Admin\AppData\Local\Temp\MUNPjDcDurep.exe

MD5
fc5473e4320cedbb353b77955ecf2366

SHA1
081a837503dfa82c177ef1229b2c00215d676442

SHA256
8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd

SHA512
3f378525a049557b46193b4f0b4611fbb73cac095983ac75da46f5574ba829cc51bb5c3ab6747591607e73ce89a77da0843e1c6098be7e56c7a3a5fa8578f7c1

Download Submit
\Users\Admin\AppData\Local\Temp\OQjfublHhlan.exe

MD5
fc5473e4320cedbb353b77955ecf2366

SHA1
081a837503dfa82c177ef1229b2c00215d676442

SHA256
8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd

SHA512
3f378525a049557b46193b4f0b4611fbb73cac095983ac75da46f5574ba829cc51bb5c3ab6747591607e73ce89a77da0843e1c6098be7e56c7a3a5fa8578f7c1

Download Submit
\Users\Admin\AppData\Local\Temp\OQjfublHhlan.exe

MD5
fc5473e4320cedbb353b77955ecf2366

SHA1
081a837503dfa82c177ef1229b2c00215d676442

SHA256
8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd

SHA512
3f378525a049557b46193b4f0b4611fbb73cac095983ac75da46f5574ba829cc51bb5c3ab6747591607e73ce89a77da0843e1c6098be7e56c7a3a5fa8578f7c1

Download Submit
\Users\Admin\AppData\Local\Temp\nrgAMuIrxlan.exe

MD5
fc5473e4320cedbb353b77955ecf2366

SHA1
081a837503dfa82c177ef1229b2c00215d676442

SHA256
8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd

SHA512
3f378525a049557b46193b4f0b4611fbb73cac095983ac75da46f5574ba829cc51bb5c3ab6747591607e73ce89a77da0843e1c6098be7e56c7a3a5fa8578f7c1

Download Submit
\Users\Admin\AppData\Local\Temp\nrgAMuIrxlan.exe

MD5
fc5473e4320cedbb353b77955ecf2366

SHA1
081a837503dfa82c177ef1229b2c00215d676442

SHA256
8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd

SHA512
3f378525a049557b46193b4f0b4611fbb73cac095983ac75da46f5574ba829cc51bb5c3ab6747591607e73ce89a77da0843e1c6098be7e56c7a3a5fa8578f7c1

Download Submit
memory/1304-55-0x0000000075F91000-0x0000000075F93000-memory.dmp

Filesize
8KB

Download