Analysis Overview
SHA256
8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd
Threat Level: Known bad
The file 8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd was found to be: Known bad.
Malicious Activity Summary
Ryuk
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Modifies file permissions
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Runs net.exe
Modifies data under HKEY_USERS
Analysis: static1
Detonation Overview
Reported
2022-02-20 04:37
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 04:37
Reported
2022-02-20 04:56
Platform
win7-en-20211208
Max time kernel
170s
Max time network
196s
Command Line
Signatures
Ryuk
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MUNPjDcDurep.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OQjfublHhlan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nrgAMuIrxlan.exe | N/A |
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
"C:\Users\Admin\AppData\Local\Temp\8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe"
C:\Users\Admin\AppData\Local\Temp\MUNPjDcDurep.exe
"C:\Users\Admin\AppData\Local\Temp\MUNPjDcDurep.exe" 9 REP
C:\Users\Admin\AppData\Local\Temp\OQjfublHhlan.exe
"C:\Users\Admin\AppData\Local\Temp\OQjfublHhlan.exe" 8 LAN
C:\Users\Admin\AppData\Local\Temp\nrgAMuIrxlan.exe
"C:\Users\Admin\AppData\Local\Temp\nrgAMuIrxlan.exe" 8 LAN
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
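The process list above is the most reusable part of this report for detection: the sample copies itself into %TEMP% and runs the copies with a numeric argument plus LAN or REP, opens Everyone:F recursively on every drive root with icacls, and stops samss and audioendpointbuilder via net.exe. Two caveats matter when turning it into a rule. First, net.exe hands the work to net1.exe, so every stop is logged twice and a rule keyed on either image alone is fine, but counting both double-counts. Second, the image paths are SysWOW64 while the command lines say System32: the sample is 32-bit and file-system redirection rewrote the path, so match on the command line, not on the image. The following is an added example, not part of the sandbox report; EVENTS is constructed from the rows above, and the (image, cmdline) tuple shape is an assumption rather than any sandbox or EDR schema.

```python
"""Triage process-creation events for the pre-encryption behaviours this report
shows: drive ACLs opened for Everyone, services stopped, worker copies in %TEMP%.

Added example, not part of the sandbox report. EVENTS is constructed from the
Processes section; the (image, cmdline) shape is an assumption.
"""
import re
from collections import Counter

# Services the report shows being stopped. Extend only from your own telemetry.
STOPPED_SERVICES = {"samss", "audioendpointbuilder"}

# icacls <X>:\* /grant Everyone:F /T ...  (recursive full control for Everyone on a drive root)
ICACLS_OPEN_ACL = re.compile(
    r'^icacls\s+"?[A-Za-z]:\\\*"?\s+/grant\s+Everyone:F\b.*\s/T\b', re.IGNORECASE)

# net stop "<svc>" /y, and the net1 child it hands off to (each stop is logged twice)
NET_STOP = re.compile(
    r'\bnet1?(?:\.exe)?"?\s+stop\s+"?(?P<svc>[^"\s]+)"?\s+/y\b', re.IGNORECASE)

# Dropped copies run as "<temp>\<name>.exe <digit> LAN" or "... <digit> REP"
TEMP_WORKER = re.compile(
    r'^"?[^"]*?\\AppData\\Local\\Temp\\[^"\\]+\.exe"?\s+\d+\s+(?P<mode>LAN|REP)\s*$',
    re.IGNORECASE)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe"
EVENTS = [  # (image, cmdline), constructed from the report's Processes section
    (rf"{TEMP}\{SAMPLE}", rf'"{TEMP}\{SAMPLE}"'),
    (rf"{TEMP}\MUNPjDcDurep.exe", rf'"{TEMP}\MUNPjDcDurep.exe" 9 REP'),
    (rf"{TEMP}\OQjfublHhlan.exe", rf'"{TEMP}\OQjfublHhlan.exe" 8 LAN'),
    (rf"{TEMP}\nrgAMuIrxlan.exe", rf'"{TEMP}\nrgAMuIrxlan.exe" 8 LAN'),
    (r"C:\Windows\SysWOW64\icacls.exe", r'icacls "C:\*" /grant Everyone:F /T /C /Q'),
    (r"C:\Windows\SysWOW64\icacls.exe", r'icacls "D:\*" /grant Everyone:F /T /C /Q'),
    (r"C:\Windows\SysWOW64\net.exe", r'"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y'),
    (r"C:\Windows\SysWOW64\net.exe", r'"C:\Windows\System32\net.exe" stop "samss" /y'),
    (r"C:\Windows\SysWOW64\net1.exe", r'C:\Windows\system32\net1 stop "samss" /y'),
    (r"C:\Windows\SysWOW64\net1.exe", r'C:\Windows\system32\net1 stop "audioendpointbuilder" /y'),
]


def classify(image, cmdline):
    """Behaviour tags for one process-creation event (empty list = nothing notable)."""
    tags = []
    if ICACLS_OPEN_ACL.search(cmdline):
        tags.append("icacls_grant_everyone_full_recursive")
    m = NET_STOP.search(cmdline)
    if m and m.group("svc").lower() in STOPPED_SERVICES:
        tags.append("net_stop_" + m.group("svc").lower())
    m = TEMP_WORKER.match(cmdline)
    if m:
        tags.append("temp_exe_worker_" + m.group("mode").upper())
    return tags


def wow64_redirected(image, cmdline):
    """True when the command line named System32 but the image that actually ran
    lives in SysWOW64: file-system redirection for a 32-bit parent, as in the
    report's net.exe/net1.exe rows. Match on cmdline, not image, in such cases."""
    return "\\syswow64\\" in image.lower() and "\\system32\\" in cmdline.lower()


def triage(events):
    """Aggregate tags over a host's events and decide whether Ryuk-style
    encryption prep (drive ACLs opened and samss stopped) was observed."""
    tags = Counter()
    redirected = 0
    for image, cmdline in events:
        tags.update(classify(image, cmdline))
        redirected += wow64_redirected(image, cmdline)
    stopped = {t[len("net_stop_"):] for t in tags if t.startswith("net_stop_")}
    return {
        "tags": dict(tags),
        "stopped_services": stopped,
        "wow64_redirected": redirected,
        "ryuk_encryption_prep": "icacls_grant_everyone_full_recursive" in tags
        and "samss" in stopped,
    }


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(f"{key}: {value}")
```

Run as a script it prints the tag counts for the ten events above; the stop counts come out at two per service because both the net.exe and the net1.exe row match, which is the double-logging to keep in mind when thresholding on real telemetry.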
Network
| Country | Destination | Proto | Domain |
| N/A | 10.127.0.1:7 | udp | |
| N/A | 10.127.0.2:7 | udp | |
| N/A | 10.127.0.3:7 | udp | |
| N/A | 10.127.0.4:7 | udp | |
| N/A | 10.127.0.5:7 | udp | |
| N/A | 10.127.0.6:7 | udp | |
| N/A | 10.127.0.7:7 | udp | |
| N/A | 10.127.0.8:7 | udp | |
| N/A | 10.127.0.9:7 | udp | |
| N/A | 10.127.0.10:7 | udp | |
| N/A | 10.127.0.11:7 | udp | |
| N/A | 10.127.0.12:7 | udp | |
| N/A | 10.127.0.13:7 | udp | |
| N/A | 10.127.0.14:7 | udp | |
| N/A | 10.127.0.15:7 | udp | |
| N/A | 10.127.0.16:7 | udp | |
| N/A | 10.127.0.17:7 | udp | |
| N/A | 10.127.0.18:7 | udp | |
| N/A | 10.127.0.19:7 | udp | |
| N/A | 10.127.0.20:7 | udp | |
| N/A | 10.127.0.21:7 | udp | |
| N/A | 10.127.0.22:7 | udp | |
| N/A | 10.127.0.23:7 | udp | |
| N/A | 10.127.0.24:7 | udp | |
| N/A | 10.127.0.25:7 | udp | |
| N/A | 10.127.0.26:7 | udp | |
| N/A | 10.127.0.27:7 | udp | |
| N/A | 10.127.0.28:7 | udp | |
| N/A | 10.127.0.29:7 | udp | |
| N/A | 10.127.0.30:7 | udp | |
| N/A | 10.127.0.31:7 | udp | |
| N/A | 10.127.0.32:7 | udp | |
| N/A | 10.127.0.33:7 | udp | |
| N/A | 10.127.0.34:7 | udp | |
| N/A | 10.127.0.35:7 | udp | |
| N/A | 10.127.0.36:7 | udp | |
| N/A | 10.127.0.37:7 | udp | |
| N/A | 10.127.0.38:7 | udp | |
| N/A | 10.127.0.39:7 | udp | |
| N/A | 10.127.0.40:7 | udp | |
| N/A | 10.127.0.41:7 | udp | |
| N/A | 10.127.0.42:7 | udp | |
| N/A | 10.127.0.43:7 | udp | |
| N/A | 10.127.0.44:7 | udp | |
| N/A | 10.127.0.45:7 | udp | |
| N/A | 10.127.0.46:7 | udp | |
| N/A | 10.127.0.47:7 | udp | |
| N/A | 10.127.0.48:7 | udp | |
| N/A | 10.127.0.49:7 | udp | |
| N/A | 10.127.0.50:7 | udp | |
| N/A | 10.127.0.51:7 | udp | |
| N/A | 10.127.0.52:7 | udp | |
| N/A | 10.127.0.53:7 | udp | |
| N/A | 10.127.0.54:7 | udp | |
| N/A | 10.127.0.55:7 | udp | |
| N/A | 10.127.0.56:7 | udp | |
| N/A | 10.127.0.57:7 | udp | |
| N/A | 10.127.0.58:7 | udp | |
| N/A | 10.127.0.59:7 | udp | |
| N/A | 10.127.0.60:7 | udp | |
| N/A | 10.127.0.1:7 | udp | |
| N/A | 10.127.0.61:7 | udp | |
| N/A | 10.127.0.62:7 | udp | |
| N/A | 10.127.0.22:7 | udp | |
| N/A | 10.127.0.23:7 | udp | |
| N/A | 10.127.0.63:7 | udp | |
| N/A | 10.127.0.24:7 | udp | |
| N/A | 10.127.0.64:7 | udp | |
| N/A | 10.127.0.25:7 | udp | |
| N/A | 10.127.0.26:7 | udp | |
| N/A | 10.127.0.27:7 | udp | |
| N/A | 10.127.0.65:7 | udp | |
| N/A | 10.127.0.28:7 | udp | |
| N/A | 10.127.0.66:7 | udp | |
| N/A | 10.127.0.29:7 | udp | |
| N/A | 10.127.0.67:7 | udp | |
| N/A | 10.127.0.30:7 | udp | |
| N/A | 10.127.0.31:7 | udp | |
| N/A | 10.127.0.32:7 | udp | |
| N/A | 10.127.0.68:7 | udp | |
| N/A | 10.127.0.33:7 | udp | |
| N/A | 10.127.0.34:7 | udp | |
| N/A | 10.127.0.69:7 | udp | |
| N/A | 10.127.0.70:7 | udp | |
| N/A | 10.127.0.35:7 | udp | |
| N/A | 10.127.0.36:7 | udp | |
| N/A | 10.127.0.37:7 | udp | |
| N/A | 10.127.0.38:7 | udp | |
| N/A | 10.127.0.39:7 | udp | |
| N/A | 10.127.0.40:7 | udp | |
| N/A | 10.127.0.41:7 | udp | |
| N/A | 10.127.0.71:7 | udp | |
| N/A | 10.127.0.42:7 | udp | |
| N/A | 10.127.0.72:7 | udp | |
| N/A | 10.127.0.43:7 | udp | |
| N/A | 10.127.0.44:7 | udp | |
| N/A | 10.127.0.73:7 | udp | |
| N/A | 10.127.0.45:7 | udp | |
| N/A | 10.127.0.46:7 | udp | |
| N/A | 10.127.0.74:7 | udp | |
| N/A | 10.127.0.47:7 | udp | |
| N/A | 10.127.0.48:7 | udp | |
| N/A | 10.127.0.75:7 | udp | |
| N/A | 10.127.0.49:7 | udp | |
| N/A | 10.127.0.76:7 | udp | |
| N/A | 10.127.0.50:7 | udp | |
| N/A | 10.127.0.51:7 | udp | |
| N/A | 10.127.0.77:7 | udp | |
| N/A | 10.127.0.52:7 | udp | |
| N/A | 10.127.0.53:7 | udp | |
| N/A | 10.127.0.54:7 | udp | |
| N/A | 10.127.0.55:7 | udp | |
| N/A | 10.127.0.78:7 | udp | |
| N/A | 10.127.0.79:7 | udp | |
| N/A | 10.127.0.56:7 | udp | |
| N/A | 10.127.0.57:7 | udp | |
| N/A | 10.127.0.80:7 | udp | |
| N/A | 10.127.0.58:7 | udp | |
| N/A | 10.127.0.59:7 | udp | |
| N/A | 10.127.0.81:7 | udp | |
| N/A | 10.127.18.229:7 | udp | |
| N/A | 10.127.20.80:7 | udp | |
| N/A | 10.127.0.82:7 | udp | |
| N/A | 10.127.20.82:7 | udp | |
| N/A | 10.127.20.83:7 | udp | |
| N/A | 10.127.0.83:7 | udp | |
| N/A | 10.127.20.84:7 | udp | |
| N/A | 10.127.20.85:7 | udp | |
| N/A | 10.127.0.84:7 | udp | |
| N/A | 10.127.20.86:7 | udp | |
| N/A | 10.127.20.88:7 | udp | |
| N/A | 10.127.0.85:7 | udp | |
| N/A | 10.127.20.90:7 | udp | |
| N/A | 10.127.0.86:7 | udp | |
| N/A | 10.127.20.92:7 | udp | |
| N/A | 10.127.0.87:7 | udp | |
| N/A | 10.127.20.94:7 | udp | |
| N/A | 10.127.0.88:7 | udp | |
| N/A | 10.127.0.89:7 | udp | |
| N/A | 10.127.20.96:7 | udp | |
| N/A | 10.127.0.90:7 | udp | |
| N/A | 10.127.20.98:7 | udp | |
| N/A | 10.127.0.91:7 | udp | |
| N/A | 10.127.0.92:7 | udp | |
| N/A | 10.127.20.100:7 | udp | |
| N/A | 10.127.0.93:7 | udp | |
| N/A | 10.127.0.94:7 | udp | |
| N/A | 10.127.20.102:7 | udp | |
| N/A | 10.127.20.104:7 | udp | |
| N/A | 10.127.0.95:7 | udp | |
| N/A | 10.127.20.106:7 | udp | |
| N/A | 10.127.0.96:7 | udp | |
| N/A | 10.127.20.108:7 | udp | |
| N/A | 10.127.0.97:7 | udp | |
| N/A | 10.127.20.110:7 | udp | |
| N/A | 10.127.0.98:7 | udp | |
| N/A | 10.127.20.112:7 | udp | |
| N/A | 10.127.20.114:7 | udp | |
| N/A | 10.127.0.99:7 | udp | |
| N/A | 10.127.20.116:7 | udp | |
| N/A | 10.127.0.100:7 | udp | |
| N/A | 10.127.0.101:7 | udp | |
| N/A | 10.127.0.102:7 | udp | |
| N/A | 10.127.0.103:7 | udp | |
| N/A | 10.127.0.104:7 | udp | |
| N/A | 10.127.20.120:7 | udp | |
| N/A | 10.127.0.105:7 | udp | |
| N/A | 10.127.20.122:7 | udp | |
| N/A | 10.127.0.106:7 | udp | |
| N/A | 10.127.0.107:7 | udp | |
| N/A | 10.127.20.124:7 | udp | |
| N/A | 10.127.20.126:7 | udp | |
| N/A | 10.127.20.118:7 | udp | |
| N/A | 10.127.0.108:7 | udp | |
| N/A | 10.127.0.109:7 | udp | |
| N/A | 10.127.20.128:7 | udp | |
| N/A | 10.127.20.130:7 | udp | |
| N/A | 10.127.20.132:7 | udp | |
| N/A | 10.127.0.110:7 | udp | |
| N/A | 10.127.20.134:7 | udp | |
| N/A | 10.127.0.111:7 | udp | |
| N/A | 10.127.0.112:7 | udp | |
| N/A | 10.127.20.136:7 | udp | |
| N/A | 10.127.20.138:7 | udp | |
| N/A | 10.127.0.114:7 | udp | |
| N/A | 10.127.20.140:7 | udp | |
| N/A | 10.127.0.116:7 | udp | |
| N/A | 10.127.20.142:7 | udp | |
| N/A | 10.127.0.118:7 | udp | |
| N/A | 10.127.0.120:7 | udp | |
| N/A | 10.127.0.122:7 | udp | |
| N/A | 10.127.20.144:7 | udp | |
| N/A | 10.127.0.124:7 | udp | |
| N/A | 10.127.20.146:7 | udp | |
| N/A | 10.127.20.148:7 | udp | |
| N/A | 10.127.20.150:7 | udp | |
| N/A | 10.127.0.126:7 | udp | |
| N/A | 10.127.20.152:7 | udp | |
| N/A | 10.127.0.128:7 | udp | |
| N/A | 10.127.20.154:7 | udp | |
| N/A | 10.127.0.130:7 | udp | |
| N/A | 10.127.20.156:7 | udp | |
| N/A | 10.127.20.158:7 | udp | |
| N/A | 10.127.0.132:7 | udp | |
| N/A | 10.127.20.160:7 | udp | |
| N/A | 10.127.20.162:7 | udp | |
| N/A | 10.127.20.164:7 | udp | |
| N/A | 10.127.0.134:7 | udp | |
| N/A | 10.127.20.166:7 | udp | |
| N/A | 10.127.20.168:7 | udp | |
| N/A | 10.127.20.170:7 | udp | |
| N/A | 10.127.20.172:7 | udp | |
| N/A | 10.127.20.174:7 | udp | |
| N/A | 10.127.0.136:7 | udp | |
| N/A | 10.127.20.176:7 | udp | |
| N/A | 10.127.0.138:7 | udp | |
| N/A | 10.127.0.140:7 | udp | |
| N/A | 10.127.0.142:7 | udp | |
| N/A | 10.127.0.144:7 | udp | |
| N/A | 10.127.0.148:7 | udp | |
| N/A | 10.127.0.150:7 | udp | |
| N/A | 10.127.0.152:7 | udp | |
| N/A | 10.127.20.178:7 | udp | |
| N/A | 10.127.0.154:7 | udp | |
| N/A | 10.127.0.156:7 | udp | |
| N/A | 10.127.20.180:7 | udp | |
| N/A | 10.127.0.158:7 | udp | |
| N/A | 10.127.20.182:7 | udp | |
| N/A | 10.127.0.160:7 | udp | |
| N/A | 10.127.20.184:7 | udp | |
| N/A | 10.127.0.162:7 | udp | |
| N/A | 10.127.0.164:7 | udp | |
| N/A | 10.127.0.165:7 | udp | |
| N/A | 10.127.0.167:7 | udp | |
| N/A | 10.127.0.169:7 | udp | |
| N/A | 10.127.20.186:7 | udp | |
| N/A | 10.127.0.171:7 | udp | |
| N/A | 10.127.20.188:7 | udp | |
| N/A | 10.127.0.173:7 | udp | |
| N/A | 10.127.0.175:7 | udp | |
| N/A | 10.127.0.177:7 | udp | |
| N/A | 10.127.20.190:7 | udp | |
| N/A | 10.127.20.192:7 | udp | |
| N/A | 10.127.0.179:7 | udp | |
| N/A | 10.127.20.194:7 | udp | |
| N/A | 10.127.20.196:7 | udp | |
| N/A | 10.127.20.198:7 | udp | |
| N/A | 10.127.20.200:7 | udp | |
| N/A | 10.127.21.103:7 | udp | |
| N/A | 10.127.21.175:7 | udp | |
| N/A | 10.127.22.94:7 | udp | |
| N/A | 10.127.0.181:7 | udp | |
| N/A | 10.127.22.96:7 | udp | |
| N/A | 10.127.22.111:7 | udp | |
| N/A | 10.127.0.183:7 | udp | |
| N/A | 10.127.22.113:7 | udp | |
| N/A | 10.127.0.185:7 | udp | |
| N/A | 10.127.22.208:7 | udp | |
| N/A | 10.127.22.253:7 | udp | |
| N/A | 10.127.22.255:7 | udp | |
| N/A | 10.127.0.187:7 | udp | |
| N/A | 10.127.23.78:7 | udp | |
| N/A | 10.127.0.189:7 | udp | |
| N/A | 10.127.23.95:7 | udp | |
| N/A | 10.127.23.97:7 | udp | |
| N/A | 10.127.23.99:7 | udp | |
| N/A | 10.127.23.101:7 | udp | |
| N/A | 10.127.0.191:7 | udp | |
| N/A | 10.127.23.103:7 | udp | |
| N/A | 10.127.0.193:7 | udp | |
| N/A | 10.127.23.105:7 | udp | |
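Every row in the table is UDP to port 7 (echo) against a sandbox-local address in 10.127.0.0/16, with no external destination and no domain in the whole run: this is host discovery, not command and control. Ryuk has been publicly documented sending Wake-on-LAN magic packets to UDP port 7 before trying to reach remote hosts, but the report records only destinations, not payloads, so that can only be confirmed from the pcap. The following is an added example, not part of the sandbox report: it parses rows in the table's format, flags the single-port fan-out, and checks a UDP payload for the magic-packet layout. NETWORK_EXCERPT is a constructed subset of the rows above, and MIN_HOSTS is an assumed threshold, not a value from the report.

```python
"""Flag the single-port fan-out in the report's Network table and check captured
UDP payloads for Wake-on-LAN magic packets.

Added example, not part of the sandbox report. NETWORK_EXCERPT is a constructed
subset of the table's rows; MIN_HOSTS is an assumed threshold.
"""
import re
from collections import defaultdict

# Row layout: | Country | Destination | Proto | Domain |
ROW = re.compile(
    r"^\|\s*[^|]*?\s*\|\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s*\|\s*(?P<proto>\w+)\s*\|"
)

NETWORK_EXCERPT = """\
| Country | Destination | Proto | Domain |
| N/A | 10.127.0.1:7 | udp | |
| N/A | 10.127.0.2:7 | udp | |
| N/A | 10.127.0.3:7 | udp | |
| N/A | 10.127.0.1:7 | udp | |
| N/A | 10.127.18.229:7 | udp | |
| N/A | 10.127.20.80:7 | udp | |
| N/A | 10.127.20.82:7 | udp | |
| N/A | 10.127.21.103:7 | udp | |
| N/A | 10.127.22.94:7 | udp | |
| N/A | 10.127.23.78:7 | udp | |
"""

MIN_HOSTS = 25  # assumed: distinct same-port destinations before we call it a sweep


def parse_rows(table_text):
    """Yield (ip, port, proto) per data row; the header and malformed lines are skipped."""
    for line in table_text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield m.group("ip"), int(m.group("port")), m.group("proto").lower()


def sweep_summary(flows, port=7, proto="udp", min_hosts=MIN_HOSTS):
    """Count distinct destinations on one port/proto, the /24s they span and
    any host contacted more than once."""
    hits = defaultdict(int)
    for ip, p, pr in flows:
        if p == port and pr == proto:
            hits[ip] += 1
    return {
        "distinct_hosts": len(hits),
        "subnets": sorted({ip.rsplit(".", 1)[0] for ip in hits}),
        "repeated_hosts": sorted(ip for ip, n in hits.items() if n > 1),
        "is_sweep": len(hits) >= min_hosts,
    }


def wol_target(payload):
    """Return the MAC a Wake-on-LAN magic packet targets, else None.
    Layout: six 0xFF sync bytes, then the 6-byte MAC repeated 16 times; an
    optional 4- or 6-byte SecureOn password may follow and is ignored here."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    print(sweep_summary(parse_rows(NETWORK_EXCERPT)))
    print(wol_target(b"\xff" * 6 + bytes.fromhex("001122334455") * 16))
```

On live NetFlow or EDR network telemetry the same summary should be keyed per source host and per time window; the report's full table, well over two hundred rows from one process in under four minutes, would clear any sensible threshold, while the ten-row excerpt deliberately does not clear the assumed default.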
Files
memory/1304-55-0x0000000075F91000-0x0000000075F93000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MUNPjDcDurep.exe
| MD5 | fc5473e4320cedbb353b77955ecf2366 |
| SHA1 | 081a837503dfa82c177ef1229b2c00215d676442 |
| SHA256 | 8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd |
| SHA512 | 3f378525a049557b46193b4f0b4611fbb73cac095983ac75da46f5574ba829cc51bb5c3ab6747591607e73ce89a77da0843e1c6098be7e56c7a3a5fa8578f7c1 |
\Users\Admin\AppData\Local\Temp\MUNPjDcDurep.exe
| MD5 | fc5473e4320cedbb353b77955ecf2366 |
| SHA1 | 081a837503dfa82c177ef1229b2c00215d676442 |
| SHA256 | 8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd |
| SHA512 | 3f378525a049557b46193b4f0b4611fbb73cac095983ac75da46f5574ba829cc51bb5c3ab6747591607e73ce89a77da0843e1c6098be7e56c7a3a5fa8578f7c1 |
\Users\Admin\AppData\Local\Temp\MUNPjDcDurep.exe
| MD5 | fc5473e4320cedbb353b77955ecf2366 |
| SHA1 | 081a837503dfa82c177ef1229b2c00215d676442 |
| SHA256 | 8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd |
| SHA512 | 3f378525a049557b46193b4f0b4611fbb73cac095983ac75da46f5574ba829cc51bb5c3ab6747591607e73ce89a77da0843e1c6098be7e56c7a3a5fa8578f7c1 |
\Users\Admin\AppData\Local\Temp\OQjfublHhlan.exe
| MD5 | fc5473e4320cedbb353b77955ecf2366 |
| SHA1 | 081a837503dfa82c177ef1229b2c00215d676442 |
| SHA256 | 8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd |
| SHA512 | 3f378525a049557b46193b4f0b4611fbb73cac095983ac75da46f5574ba829cc51bb5c3ab6747591607e73ce89a77da0843e1c6098be7e56c7a3a5fa8578f7c1 |
\Users\Admin\AppData\Local\Temp\OQjfublHhlan.exe
| MD5 | fc5473e4320cedbb353b77955ecf2366 |
| SHA1 | 081a837503dfa82c177ef1229b2c00215d676442 |
| SHA256 | 8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd |
| SHA512 | 3f378525a049557b46193b4f0b4611fbb73cac095983ac75da46f5574ba829cc51bb5c3ab6747591607e73ce89a77da0843e1c6098be7e56c7a3a5fa8578f7c1 |
C:\Users\Admin\AppData\Local\Temp\OQjfublHhlan.exe
| MD5 | fc5473e4320cedbb353b77955ecf2366 |
| SHA1 | 081a837503dfa82c177ef1229b2c00215d676442 |
| SHA256 | 8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd |
| SHA512 | 3f378525a049557b46193b4f0b4611fbb73cac095983ac75da46f5574ba829cc51bb5c3ab6747591607e73ce89a77da0843e1c6098be7e56c7a3a5fa8578f7c1 |
\Users\Admin\AppData\Local\Temp\nrgAMuIrxlan.exe
| MD5 | fc5473e4320cedbb353b77955ecf2366 |
| SHA1 | 081a837503dfa82c177ef1229b2c00215d676442 |
| SHA256 | 8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd |
| SHA512 | 3f378525a049557b46193b4f0b4611fbb73cac095983ac75da46f5574ba829cc51bb5c3ab6747591607e73ce89a77da0843e1c6098be7e56c7a3a5fa8578f7c1 |
C:\Users\Admin\AppData\Local\Temp\nrgAMuIrxlan.exe
| MD5 | fc5473e4320cedbb353b77955ecf2366 |
| SHA1 | 081a837503dfa82c177ef1229b2c00215d676442 |
| SHA256 | 8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd |
| SHA512 | 3f378525a049557b46193b4f0b4611fbb73cac095983ac75da46f5574ba829cc51bb5c3ab6747591607e73ce89a77da0843e1c6098be7e56c7a3a5fa8578f7c1 |
\Users\Admin\AppData\Local\Temp\nrgAMuIrxlan.exe
| MD5 | fc5473e4320cedbb353b77955ecf2366 |
| SHA1 | 081a837503dfa82c177ef1229b2c00215d676442 |
| SHA256 | 8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd |
| SHA512 | 3f378525a049557b46193b4f0b4611fbb73cac095983ac75da46f5574ba829cc51bb5c3ab6747591607e73ce89a77da0843e1c6098be7e56c7a3a5fa8578f7c1 |
C:\users\Public\RyukReadMe.html
| MD5 | f8d3ea8320a566aaf69b624c5e4dbe02 |
| SHA1 | d51a8ef0d34a40806297de5faef9ae73f3857823 |
| SHA256 | b05dd37cfa30a42eba05a0a109c1a5ddc8004bc0f45f76bd8b71fab214576bac |
| SHA512 | 1bcf121dbad592da9fc6fea1cdac586965048b334a68c90d043dd1a1457f936bd25b503631ea693289880b49caa9a85b13612944cfe85199b18c6ed967f874bf |
C:\$Recycle.Bin\RyukReadMe.html
| MD5 | f8d3ea8320a566aaf69b624c5e4dbe02 |
| SHA1 | d51a8ef0d34a40806297de5faef9ae73f3857823 |
| SHA256 | b05dd37cfa30a42eba05a0a109c1a5ddc8004bc0f45f76bd8b71fab214576bac |
| SHA512 | 1bcf121dbad592da9fc6fea1cdac586965048b334a68c90d043dd1a1457f936bd25b503631ea693289880b49caa9a85b13612944cfe85199b18c6ed967f874bf |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK
| MD5 | 60126b7d5a89433e44a524512469981f |
| SHA1 | 4945d7448e3b9cc6da8254430651a2737c54ec29 |
| SHA256 | 5f47aa5ea8a0583cf3a16c5e383abe1b73277548c64fed44771b0ed6525e8391 |
| SHA512 | b11efba50e5f8bc0034e45df3b5373f6ae765af5fa55343fb9fa8f16820569380a4e129d616bf5419ed665a26ecd2386d19be60a84e5d2e45befef609148451d |
C:\MSOCache\All Users\RyukReadMe.html
| MD5 | f8d3ea8320a566aaf69b624c5e4dbe02 |
| SHA1 | d51a8ef0d34a40806297de5faef9ae73f3857823 |
| SHA256 | b05dd37cfa30a42eba05a0a109c1a5ddc8004bc0f45f76bd8b71fab214576bac |
| SHA512 | 1bcf121dbad592da9fc6fea1cdac586965048b334a68c90d043dd1a1457f936bd25b503631ea693289880b49caa9a85b13612944cfe85199b18c6ed967f874bf |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi
| MD5 | 8b059fe1d3e69acaa7458ed80c6de53d |
| SHA1 | 351653125b90e4faa4a259cf85601010c51c7e3b |
| SHA256 | 1df1a5e1afd30cd04868e1150c1ffd83ff30b701afe7098326f59eaefba03c95 |
| SHA512 | 0fe2c5dff6316081ecc260aca98a3ff6eb8257c817f985e6c6ba8a8b9d28720569d975f96d0dd2daaeff7fa68a7325c7ee7292e3bfa3016d50d4f41461e56fc1 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab
| MD5 | d8cec54c0ba8fd12f7751264303acc79 |
| SHA1 | 06e3689aec2ead2dbc7aeaab40ac775c9f06c9f2 |
| SHA256 | 752a03f31c63eb93484240cb6647312cc8304ffe6a5e7837e92948bd6bf7b931 |
| SHA512 | 95c7f2f7b69abe618d000b007133c0ef6db54ebf35e5e7b423389004f8dd46010acb4df50228549f9dc32179bd06b2d7a31f503b41da23f6993c41f9ee55a682 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK
| MD5 | a6c37f2ec90c63ea09353aee494d493a |
| SHA1 | 61a79a989a80a99be7abf63c0ba53f7fcfa062ba |
| SHA256 | 472c105a86e2fb0de181e1d99ae62d3c2411f41f48f0e797ffe1e04e84527a52 |
| SHA512 | 0b969646f2cb6176a8c79dd1f9f4243be78e75f87ebbf053163489c050709d6d1553d3268fc13d59a8ec6671aa6b19fe99b3398fd4e80e17f1056870ff4010ca |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK
| MD5 | 1f85a023a31da02d137748160fc2c507 |
| SHA1 | 19ac28149238451a02469c3e9a1d6a1b8afbb8eb |
| SHA256 | af548d41fac36f162400fc45bcc386ae729a74babfb41d4512de67464664a214 |
| SHA512 | 60d117a2a6eda62c5bb39c0f8fbfc4405bd86becc3dcbcac06ca580ee6f7f4fb16ab6616d2e60396eaeede9a9bd57ead8903a74a718b8af0878f453ce9cb35e6 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi
| MD5 | 44d5d4b81c1f7ee01fe0f0f17d066640 |
| SHA1 | 6be5bbd9f546ef30f03066369950c3ca7c349534 |
| SHA256 | c9083ec1579ed90fef53c53f43cc1be47ec556ea413d9ee185b9e741d2d9c2b5 |
| SHA512 | 21b7fe016c4b251b1c4d4cf16cbb86fcc1001f99e435eccac47a9b8eb0598a78580513481ba19f79432f726a8ffa1947af235580b33424482f9ffb816ff00d85 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab
| MD5 | ac572f90a827967ba262f4ce6d78b141 |
| SHA1 | 7102696d2436f6022b3370e3e5c269f7b7095a9f |
| SHA256 | fc98c5bf914548e7aff34df1798b5c171c1dce082bfe6dc46c0bfeb4f3ebaf2a |
| SHA512 | 67210703f8a1b563c512170bcb86086ff5bf20c6041a031e496de55fa7afe892f4ae4b6835d9d0bd41062a3592380617b9ebf0334f3f78ec717d23bf534230d1 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab
| MD5 | 608af679595bf20bc0727f0f13188845 |
| SHA1 | 1137edad1a1e98a02f3cd012d16708c21c95de7a |
| SHA256 | 22bf5509cea4c8b5c5bdbc903018b88cdd0c9a46128954c68e250ab62c1a93fb |
| SHA512 | 7bfff916a470747b407c584e6f9023f4ddc2cc55970bc2fd51cdc407d6c3d575cf46a15fd773955e88d55d53bc2fbfc2f3c50b1a3e45d90004a708f9d15e3e96 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html
| MD5 | f8d3ea8320a566aaf69b624c5e4dbe02 |
| SHA1 | d51a8ef0d34a40806297de5faef9ae73f3857823 |
| SHA256 | b05dd37cfa30a42eba05a0a109c1a5ddc8004bc0f45f76bd8b71fab214576bac |
| SHA512 | 1bcf121dbad592da9fc6fea1cdac586965048b334a68c90d043dd1a1457f936bd25b503631ea693289880b49caa9a85b13612944cfe85199b18c6ed967f874bf |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK
| MD5 | ac36e9b35ae1cdbf7fff6bee0210e699 |
| SHA1 | e13507b284289416a23e0dfcd38129c155535f7f |
| SHA256 | eaef0db80ad776d97885078e4cf92701c8ca2da9a6d8d09aa621096dd1db08a1 |
| SHA512 | 8742f2195d14124a9b5d0417294051cb59bdd7aa6e315014009ef6c65aacbd71bc7fbb49c68bc3df91d207f19b72b3e29e53bbd7841ad3a9459db026141078fc |
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK
| MD5 | 8b2634096299e09fd55f11f1bd315c9e |
| SHA1 | 9b83a54649c7f66b37994fd773a43bcb2d09b1cc |
| SHA256 | 7eb4dbc11a187b96fb688693ecec3ce1c949756529b3231569868c571aaf2d9e |
| SHA512 | 22d304e4d570c5f0a1d6c1ffc389e10d9d021e4b02db43c0d4a3b3f3970253a7f39f27e4c3e55185cae1148b8b3d23498b9336b585cfb0c2120017af0302789a |
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK
| MD5 | c73d86e8b893de0a33f22474b6fb7395 |
| SHA1 | 88a60ce5984b60622b71a2f033ba52aafb70c08a |
| SHA256 | 9bb6b4795ea9d0e3a67869998da0811f4173f03d92f3b9eee5b75e38b695784b |
| SHA512 | 2c9a30c9ddc7f21c0151913f67a9c32e6044f872f8ee99d0e887d5b45f63cf117dd79d979260c9920bd664f7fd9eb800bd107b4bce3344a29e4335d600c14785 |
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK
| MD5 | b96bfdbd657b593948cd0966ac7e33ae |
| SHA1 | 9791b53aac82cae87848a93e9d87f90ff694af53 |
| SHA256 | f87d9474949a5cea690729e506faf0a1095ef376ccf2728951552486789f1de1 |
| SHA512 | 220216cf58bf2ed76cdf7ea7050b09c9acdcd6572b57309c1c047c3dc48bef59ff6b9c7b9a954522707d5231abce9baa96e88f4bb305163e6306e5e93dbc3c20 |
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html
| MD5 | f8d3ea8320a566aaf69b624c5e4dbe02 |
| SHA1 | d51a8ef0d34a40806297de5faef9ae73f3857823 |
| SHA256 | b05dd37cfa30a42eba05a0a109c1a5ddc8004bc0f45f76bd8b71fab214576bac |
| SHA512 | 1bcf121dbad592da9fc6fea1cdac586965048b334a68c90d043dd1a1457f936bd25b503631ea693289880b49caa9a85b13612944cfe85199b18c6ed967f874bf |
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
| MD5 | 74c6e9d82aa8dc8ad3c5bc218993f326 |
| SHA1 | fcbee3f7f836130ca5f7a537029a47d425b4dabf |
| SHA256 | ce2514d024e6ccf1c8f8a5da640276cf2c75cd88859becfbcce900b1cc12bd24 |
| SHA512 | 22606ab931af0dfea053c4c45197043c3da22f23f3683a923107cd73dfd45ac564ab00ec62981a7ed15b0272447409b202de88cb72bfff1c83dbb16612e825cc |
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK
| MD5 | 7438bff64eb2867401d19a1baa946e58 |
| SHA1 | 520df6d51913bf9a85893baf1fc2023f77428894 |
| SHA256 | 5a70ef1910c470bfa0abce54bb3726d5ec12875b20fc283dc1b8ea0fc551b7cc |
| SHA512 | 6fc5c421a035af9f447ec44afa3c9f5b731652acb7e864c35d6364abce3f833fc109a2c74b39aa12760b848a12f65c971b74f5a0c5935478422dcded4162069a |
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK
| MD5 | 1461f7966ec8fd9382dcca63f8160ea5 |
| SHA1 | 3645299e19793d8e15cf1823ddcd7d46c0e9cf7c |
| SHA256 | 8e358a69257de5abdec08e6dfa4772f4627dab7471ac7874c4b974e6b291de42 |
| SHA512 | cdf185a16bfbeea424dfe263dd2b062b7b6f96f379da34fd99bcdf75c92993c36983bff5319c02338eee314088be4cc036bb33c3d8128e2a5358c1a1fda0c703 |
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html
| MD5 | f8d3ea8320a566aaf69b624c5e4dbe02 |
| SHA1 | d51a8ef0d34a40806297de5faef9ae73f3857823 |
| SHA256 | b05dd37cfa30a42eba05a0a109c1a5ddc8004bc0f45f76bd8b71fab214576bac |
| SHA512 | 1bcf121dbad592da9fc6fea1cdac586965048b334a68c90d043dd1a1457f936bd25b503631ea693289880b49caa9a85b13612944cfe85199b18c6ed967f874bf |
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.html
| MD5 | f8d3ea8320a566aaf69b624c5e4dbe02 |
| SHA1 | d51a8ef0d34a40806297de5faef9ae73f3857823 |
| SHA256 | b05dd37cfa30a42eba05a0a109c1a5ddc8004bc0f45f76bd8b71fab214576bac |
| SHA512 | 1bcf121dbad592da9fc6fea1cdac586965048b334a68c90d043dd1a1457f936bd25b503631ea693289880b49caa9a85b13612944cfe85199b18c6ed967f874bf |
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK
| MD5 | 45c44c2b33bbb1dc5ff28ea1ff19321a |
| SHA1 | b1f2150ded8f3defe8947044e930f33910a1b354 |
| SHA256 | 7a9ed4196a839fdf7e8e6bf004b4c9a3cab6d9aabcd396c9ff8a616722f42827 |
| SHA512 | 47f0486c835bba9b042b01810bade54a8f410bbca53c46bc60a836dd54d5550a07dd63c044086c442404ecbf2f025bd11c03ddb00a62c20b4c37daa625dc2f6b |
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK
| MD5 | 173c8988e1732b86268d616176dc653f |
| SHA1 | 847058627eef93a95975fb2f678d94e525e9eaa8 |
| SHA256 | f737f7cb83f411f0ee52703a3397944bf5eabd8f7f0d2202513b63e55258d8d8 |
| SHA512 | 6fa80216a31b7770e1783cee449feffaa9f2e2aed090c9d48f7995386c2ecaa9cbd5e20807053a72786a0d54925e49ee9854b9de261f842a1b36c4985dedef36 |
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK
| MD5 | 4ba138b5a7009abea3b9e77527ccb68c |
| SHA1 | bb87dd94b6111b9c9bb5565f3a870de44bdd6bb9 |
| SHA256 | d8dd6ef11039a123aa335b4d1b2fd13a3eaccd7d83661852c3753cf5a2bcccaa |
| SHA512 | 4818c66696c3c06fcf67b5677b3e7101e1b1ebd0702aeee477d23a1eda46b92739f54f919288f6109469010b0e0da0c62edaaed08ed48b261932390cc46925dd |
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK
| MD5 | 9b04500bbddadcc6182268b344c55c7e |
| SHA1 | 5711d66472bfb89be29b5a4581acf0d357e76e0c |
| SHA256 | f649cc032536cd133ddc873ce11925ddf55d9e4062e0963a8baa9733e4c65893 |
| SHA512 | 18d55d110e65c01d1d66d2eaf4bdc10abc744004cf9db35f2b2a63450387e98cf40943822824586eff62db3a288ad7d3ba43982c090d55ef079f954e357c2e08 |
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK
| MD5 | 91b5a37fbf59d9cb0d6500b699f578fd |
| SHA1 | 6303c7e8045cfe7c728b2d9f674b29668c817403 |
| SHA256 | bbec06dac198e5d71b462c6075c35a31973d25987c2e6bab7adc034d81717934 |
| SHA512 | 57abb842c03d7771dfc43be09e8a0578e7fdea44ca4eb6c888f2947d56641657f466f5aa5a299cdc6faeb7e8fb92dfc9703f3ea79657b14f491828d6c97d63ee |
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK
| MD5 | 118b8915f609f7b47ce646f59644ce8d |
| SHA1 | 037e3e254f866501ea29dde81a520277327e8d16 |
| SHA256 | 24c7e65eeaf0f3920696668e22ec34fc0ee5b7d3a16bf9faadddf76330c8e8ff |
| SHA512 | 95f0fc025e9fbbe5867487520a3d30ae9ad7ba8d6dd4ed3b35fe9a51620c97f51531982bf7d23cd9407825deda0315abce0d4e5fa967f6a1c9c48485e4b5c980 |
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK
| MD5 | d8d17ab8d9aabb067a519055655616b5 |
| SHA1 | 09d769613ce0e04e27598fcfb4c6b69c97294afe |
| SHA256 | b01430767762b2a8f336dfb9f34bcd2e3133d2d0b70679ec5834eefe8aaa2f1f |
| SHA512 | db7c555b73baa167017fdd675ea55d5c6f0a0189b4d2160dddc51ef9bb253a7eb0415e3ed7c6b0271b2ab2ffeb6a95106e558feb7db16e41746620ecff5d8687 |
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK
| MD5 | 2eb225e29c0a7799e6767c9ab753f1fe |
| SHA1 | 89f04ddea00a916ca6d976b28224eabcac1c436e |
| SHA256 | 020f8d27a749b343553a3aad0fb7af258c183c30724648f79edf97c92d5b4c04 |
| SHA512 | 7c3efa5696bef7c7dfdec112f9533e60b28777c740769ca09495c8d7f65e1e6539ce723a858c21c9bbfd3009e1707be64a5c0cd5b9f1647d19cdd8ff5cc33b7b |
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.RYK
| MD5 | a46404f3ea7dec6fb2d7c4c54885c17e |
| SHA1 | efb59c0f550460f77fa839eb446963dbcc1316b7 |
| SHA256 | c55e527bde9254681e818aacbe67a83326ee84bf9111360dfb3143ea873a03c5 |
| SHA512 | 17665ad4d7cce2139de186583939d68f0793eeeaa41b2296776bfc24a1f9611c8ac00bb13527554d4fc66fcae4e8f97a245291af17b478ec38d5dd34ea1dc546 |
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
| MD5 | 0cf6f8d4f1e2a4a5f58129280afa22d4 |
| SHA1 | 0194dbedb91bbd49d1668a3de3fb9958eec1f1ab |
| SHA256 | 7b3397e11ee6961d5d7f444b9771b23f0743980d0dd57e819f34c3cda3270f6c |
| SHA512 | 9ddc07abdc252b4e23632c284a54e50b030f8bf4ce798a3b14783924512b43457b7aa751bc4826e02e6897e7fedc8df0d15af64639b8e50d37ef9ddb401d47cd |
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.html
| MD5 | f8d3ea8320a566aaf69b624c5e4dbe02 |
| SHA1 | d51a8ef0d34a40806297de5faef9ae73f3857823 |
| SHA256 | b05dd37cfa30a42eba05a0a109c1a5ddc8004bc0f45f76bd8b71fab214576bac |
| SHA512 | 1bcf121dbad592da9fc6fea1cdac586965048b334a68c90d043dd1a1457f936bd25b503631ea693289880b49caa9a85b13612944cfe85199b18c6ed967f874bf |
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
| MD5 | cb2426f1ac37670069631e820130e9ce |
| SHA1 | 47784bbdef9daae9277ad5e71ac5a2c830a2b7fe |
| SHA256 | 8ecbd2c338391251368cff17aedf0cc36081f307f9c5fd90027db3190e60429d |
| SHA512 | 47fcd448409380f3a8142ddf7af6e098140ebfe352b55a0a4c065ac0b6e4d9318e13627814ddd8a2c98ac8d227691f9d8e2842d6307549010f908a4888d60586 |
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html
| MD5 | f8d3ea8320a566aaf69b624c5e4dbe02 |
| SHA1 | d51a8ef0d34a40806297de5faef9ae73f3857823 |
| SHA256 | b05dd37cfa30a42eba05a0a109c1a5ddc8004bc0f45f76bd8b71fab214576bac |
| SHA512 | 1bcf121dbad592da9fc6fea1cdac586965048b334a68c90d043dd1a1457f936bd25b503631ea693289880b49caa9a85b13612944cfe85199b18c6ed967f874bf |
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK
| MD5 | 63038ee991904e01f74f39a37e5809a3 |
| SHA1 | fff226a1141a43533024763c9034b9776e388d72 |
| SHA256 | e68b78fe1d6c0d6efebb46c306a034c3de916c1c462fc34c5025b830e676f421 |
| SHA512 | 94df2740c2168d449221580acabc1ea94ef42a8a6ab1524b025f92b66d19ffa9e7d89173b1499d6adb5cddcab87a42683368b465a6a5d8275d6ef12921ff0671 |
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK
| MD5 | 45875929e9b6a60b65dc303500c4c838 |
| SHA1 | 5d77fbe1a67a5f0bc30bce739a69f30746f402d1 |
| SHA256 | fa9fd63e691065a04d4ce930b00571922f381203391142657c5379a04d243516 |
| SHA512 | 871640ed9eab76679cd1a6a4620b60fa53fe938e1be8ba9836c93996920a02a87452b672aa8c8cd14d5c5ed69192d4962974f972926f2bc3d4aa4b6b4a888d37 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 04:37
Reported
2022-02-20 04:57
Platform
win10v2004-en-20220112
Max time kernel
183s
Max time network
206s
Command Line
Signatures
Ryuk
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\npuePOEKgrep.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zdRavdrYslan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zUIamlpUklan.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | C:\Windows\System32\svchost.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\MusNotifyIcon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\MusNotifyIcon.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "6.249953" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132899830083754440" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4108" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4324" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "2.684522" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | C:\Windows\System32\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
"C:\Users\Admin\AppData\Local\Temp\8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe"
C:\Users\Admin\AppData\Local\Temp\npuePOEKgrep.exe
"C:\Users\Admin\AppData\Local\Temp\npuePOEKgrep.exe" 9 REP
C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
C:\Users\Admin\AppData\Local\Temp\zdRavdrYslan.exe
"C:\Users\Admin\AppData\Local\Temp\zdRavdrYslan.exe" 8 LAN
C:\Users\Admin\AppData\Local\Temp\zUIamlpUklan.exe
"C:\Users\Admin\AppData\Local\Temp\zUIamlpUklan.exe" 8 LAN
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
Network
Files