ryuk | 87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de

Analysis

max time kernel
183s
max time network
214s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe
Size

117KB
MD5

aaa963a1b4c71047d667f0c3d1760d44
SHA1

90ce48d945427822647242d42678fb6fb5b77d73
SHA256

87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de
SHA512

c3cfc8f91ac084ba4ed03e615bd0c55ef65dae3c0618dade3eccd1e2aada1edf30b6cd03e7240b2fce19b5f4f3071ee8c39ab57b0bd073d8049982eb9aea54c8

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'LkVKOksQ9pC'; $torlink = 'http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

JyALUjoOQrep.exeXYiupUWvmlan.exeafWgJXVPJlan.exe

pid process

1496 JyALUjoOQrep.exe
1816 XYiupUWvmlan.exe
17936 afWgJXVPJlan.exe

pid	process
1496	JyALUjoOQrep.exe
1816	XYiupUWvmlan.exe
17936	afWgJXVPJlan.exe

Loads dropped DLL 6 IoCs

Processes:

87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe

pid	process
1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe
1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe
1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe
1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe
1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe
1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

50792 icacls.exe
50800 icacls.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

pid	process
50792	icacls.exe
50800	icacls.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe

pid	process
1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe
1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe
1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe
1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe
1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe
1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe
1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe
1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe
1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1364 wrote to memory of 1496	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	JyALUjoOQrep.exe
PID 1364 wrote to memory of 1496	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	JyALUjoOQrep.exe
PID 1364 wrote to memory of 1496	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	JyALUjoOQrep.exe
PID 1364 wrote to memory of 1496	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	JyALUjoOQrep.exe
PID 1364 wrote to memory of 1816	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	XYiupUWvmlan.exe
PID 1364 wrote to memory of 1816	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	XYiupUWvmlan.exe
PID 1364 wrote to memory of 1816	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	XYiupUWvmlan.exe
PID 1364 wrote to memory of 1816	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	XYiupUWvmlan.exe
PID 1364 wrote to memory of 17936	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	afWgJXVPJlan.exe
PID 1364 wrote to memory of 17936	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	afWgJXVPJlan.exe
PID 1364 wrote to memory of 17936	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	afWgJXVPJlan.exe
PID 1364 wrote to memory of 17936	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	afWgJXVPJlan.exe
PID 1364 wrote to memory of 50792	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	icacls.exe
PID 1364 wrote to memory of 50792	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	icacls.exe
PID 1364 wrote to memory of 50792	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	icacls.exe
PID 1364 wrote to memory of 50792	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	icacls.exe
PID 1364 wrote to memory of 50800	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	icacls.exe
PID 1364 wrote to memory of 50800	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	icacls.exe
PID 1364 wrote to memory of 50800	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	icacls.exe
PID 1364 wrote to memory of 50800	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	icacls.exe
PID 1364 wrote to memory of 92004	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	net.exe
PID 1364 wrote to memory of 92004	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	net.exe
PID 1364 wrote to memory of 92004	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	net.exe
PID 1364 wrote to memory of 92004	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	net.exe
PID 1364 wrote to memory of 92020	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	net.exe
PID 1364 wrote to memory of 92020	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	net.exe
PID 1364 wrote to memory of 92020	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	net.exe
PID 1364 wrote to memory of 92020	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	net.exe
PID 92020 wrote to memory of 93120	92020	net.exe	net1.exe
PID 92020 wrote to memory of 93120	92020	net.exe	net1.exe
PID 92020 wrote to memory of 93120	92020	net.exe	net1.exe
PID 92020 wrote to memory of 93120	92020	net.exe	net1.exe
PID 92004 wrote to memory of 93636	92004	net.exe	net1.exe
PID 92004 wrote to memory of 93636	92004	net.exe	net1.exe
PID 92004 wrote to memory of 93636	92004	net.exe	net1.exe
PID 92004 wrote to memory of 93636	92004	net.exe	net1.exe
PID 1364 wrote to memory of 93760	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	net.exe
PID 1364 wrote to memory of 93760	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	net.exe
PID 1364 wrote to memory of 93760	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	net.exe
PID 1364 wrote to memory of 93760	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	net.exe
PID 1364 wrote to memory of 94880	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	net.exe
PID 1364 wrote to memory of 94880	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	net.exe
PID 1364 wrote to memory of 94880	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	net.exe
PID 1364 wrote to memory of 94880	1364	87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe	net.exe
PID 94880 wrote to memory of 96244	94880	net.exe	net1.exe
PID 94880 wrote to memory of 96244	94880	net.exe	net1.exe
PID 94880 wrote to memory of 96244	94880	net.exe	net1.exe
PID 94880 wrote to memory of 96244	94880	net.exe	net1.exe
PID 93760 wrote to memory of 96252	93760	net.exe	net1.exe
PID 93760 wrote to memory of 96252	93760	net.exe	net1.exe
PID 93760 wrote to memory of 96252	93760	net.exe	net1.exe
PID 93760 wrote to memory of 96252	93760	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe
"C:\Users\Admin\AppData\Local\Temp\87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Local\Temp\JyALUjoOQrep.exe
"C:\Users\Admin\AppData\Local\Temp\JyALUjoOQrep.exe" 9 REP
2⤵
- Executes dropped EXE
PID:1496

C:\Users\Admin\AppData\Local\Temp\XYiupUWvmlan.exe
"C:\Users\Admin\AppData\Local\Temp\XYiupUWvmlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:1816

C:\Users\Admin\AppData\Local\Temp\afWgJXVPJlan.exe
"C:\Users\Admin\AppData\Local\Temp\afWgJXVPJlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:17936

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:50792

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:50800

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:92004

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:93636

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:92020

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:93120

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:93760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:96252

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:94880

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:96244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html
MD5
61c9611d053287ee36b372a5f0afe7b6

SHA1
3fc282f6bb6dc1bb4ecf85174181f998e7cb2af1

SHA256
5b8df0d55c2bccf2c3c646d98a0595cc1ef768b83bcd7bb5ff87046ba27383e4

SHA512
a1f7df991c526f04860ac5a6743c79f9edb7212d35742d125ba4594541ccb2797e64f20a47190e1b4d98b213b996c491f6e21c766c8d6baa692a11f135eb0a17

Download Submit
C:\MSOCache\All Users\RyukReadMe.html
MD5
61c9611d053287ee36b372a5f0afe7b6

SHA1
3fc282f6bb6dc1bb4ecf85174181f998e7cb2af1

SHA256
5b8df0d55c2bccf2c3c646d98a0595cc1ef768b83bcd7bb5ff87046ba27383e4

SHA512
a1f7df991c526f04860ac5a6743c79f9edb7212d35742d125ba4594541ccb2797e64f20a47190e1b4d98b213b996c491f6e21c766c8d6baa692a11f135eb0a17

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.RYK
MD5
02da4d86d3f054b7c0328f0dfd661fa5

SHA1
3881adaddbbb77c7b415a6881fdf4337d4c5d7da

SHA256
05f8d20cce7c231c68d7c9d77eee18b718aa91c33b6ecc925903856acd1c4cf7

SHA512
480ab3cb1877bf7beb817108f59307513bcf3d0b1b94b75867d01f70c5cb695667b5213c69020284b5f6485175f59b15197a8a9bfbd3cf38e52661a587381643

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK
MD5
683de64d270a0e6809a23a82fc3e7379

SHA1
d26317ad29694d7ce314634b69c6273dc4625f85

SHA256
9fc1cda22f8fcb36893fa1d4a75acd29bf4e080081770f924f84fef54260bea7

SHA512
78ac50b6737cdf9d285fb64c1064e5f606d55102b6a718de02ea6ba02f4830a59d5e6b457c4ab10bc083f7eb96a4bb72a2bb54fe18f9ce0cb8774141273183fd

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK
MD5
e7ed59f0c2a1ffd6f554dde90d83d558

SHA1
f66a43c22a4a4d1ada9c55139ffb935bb6271535

SHA256
a0f0b88457c863a888cc7c5f3b2c5fbe2291af1de6b361425de5662a5feeb9cb

SHA512
b67ae7d87a0b925a353d6766a67e5508ee50912145d25544bf6f88d1a005383c1ec03fec8cea7f7d0751ed64c7a4c25743cca3944b929ef16783030e7c207825

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.RYK
MD5
ffbacdd76e3648254576bdc98e4f78ec

SHA1
4d28fcd99f07e37d3ceacecb2ae74ba2f3655779

SHA256
a1d182ab6ba46d46a3547066ee79808db6b466268ab96a67a0e8d84fd7345147

SHA512
9ab8e893acaad858990b7c5c8847d8d12499435142c60d4a31644fb735bb1691cb850a8562c118ea67f8492756d6fe5cbda8956906ec9205397a8da07cc6a858

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK
MD5
dbaff791d67a94ce44486ad98904f9d6

SHA1
f9f2fd5f981753bbfb495a5704240fe573e4ff4a

SHA256
b11158fe13ad68716f416bcb4761d9a2b26bbc10c39eed81ee005093f7a80e10

SHA512
dcaf7cf9b74394d47023d2cbf7935d4e2fa2da9c8020ead0e78d43eef4bf5b23add33468e3e3b82ced6e446c875b0538662ba594f14fd9e31cea9c5355423888

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.RYK
MD5
01e3e10e0c8b50812f2aef7fc38489c5

SHA1
42c144d8cdc39783645c086560c0600e92d71805

SHA256
c1442e09708396daacdd8ece1a9967a00ca1f79c11a509715eafb67fc006b40d

SHA512
6077d265dbde5b719ec68c1284bee630d300bc8eeaa89caebfddfffcd1112f4f2717a05bf0b97ad0d651b6469a4cfdfb1872ffee8aa541af0c679ea52d2e893b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab.RYK
MD5
a7c9e5b0775f0022bbe0b6eaf802c03b

SHA1
32b37a7dba413068b73f0e67b53bf4b1319632f2

SHA256
06f0bd8be249eaef2ad8915c9bb87591ae6f004d2d2f7dfd70ac027d97ecf432

SHA512
2c729fa7c75eb933993036bd77bc7c1a80862eafe01232b4d5f8c18dd2d1d56af0450d09e316ee8d9f34357ce10e210818d8e875459748f03c06f478cd2dbd3e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
61c9611d053287ee36b372a5f0afe7b6

SHA1
3fc282f6bb6dc1bb4ecf85174181f998e7cb2af1

SHA256
5b8df0d55c2bccf2c3c646d98a0595cc1ef768b83bcd7bb5ff87046ba27383e4

SHA512
a1f7df991c526f04860ac5a6743c79f9edb7212d35742d125ba4594541ccb2797e64f20a47190e1b4d98b213b996c491f6e21c766c8d6baa692a11f135eb0a17

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK
MD5
c956ee3fc7a24ce5ded06ff4cdc267c4

SHA1
029e7f79aa91b90723cf6d2c776c55a20b0302cc

SHA256
ce9317c2509a869011b9fab8a3645e1452ac73ba276269a4f7045f63de6728bd

SHA512
f62a6cba93b571bd6cfc833e16c870797d143cd9b2a8c6d5a7304b5660819d2adddec45e7c54956d3f81ef556dfaf383934fda3d5bef0c3c1089a8c320a20b59

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK
MD5
06599a7091c7551fc5b31955a7caa3fd

SHA1
8f4de43015862de54e97c8f4a8296e2425c94492

SHA256
77bf2e08e4d1764734a3352b8ea02a6a60d7708cb2fc2137996e4feaf583793d

SHA512
c9cbd64ab7e9335d3286cda5d1b8f21a9112d8156b659a780ac5122c88327b1072269234db7340a05db14f10514d564cc3d40216a67cc7e2fa069e0c0cd047db

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK
MD5
81678580e0e7d5b2e94bffe03d89ac78

SHA1
7785828e4b1ad56c10fa636499ab1cc41877553d

SHA256
690ac587b3aa494f45a9764ca89b3de2f70a38b1abdc252b7a3a7bb627dbf1ca

SHA512
01cc24eb5e66201e24af763ecf0d1be112bd6a40fd20d939057c9eedbaa03cb6dfb3d579dee0249a94cf154df96ef5f48ec2bdf36b3fd1bbba7eaf52ceb012ba

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK
MD5
727e997942952c06606f0cf3c1c64276

SHA1
01502d9db076aedff80c2919e0d968ac573a8aec

SHA256
0b28034a3acdaf4884f7514464bf97789559543d892d07049042e3e483f09b7b

SHA512
bae71d9a20a0b1bdc7c0e82eb79faadecab5ea2f2272feb45fbb6932d70aaf11618d8ec7f74729b7f01260b7ead0c993283f776fe27776370c00a3b9279b44a7

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK
MD5
588d974ddc614980c67fd41446676777

SHA1
7083966df2e241f5cb20dda272ec853e36bb4c7c

SHA256
9ab3c1c3f1944b6816cd10ecdb4b947c0c7af351a9c385a222ff2428dca23c99

SHA512
151756d3f5a06eeebfd02141ea87a1d9b70506d66f5f5fd31edc5bdbeab9348dc3eced675700dab9213dd1c74d81f2791eba37f851a6c7215cd8b5c716e6a697

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
61c9611d053287ee36b372a5f0afe7b6

SHA1
3fc282f6bb6dc1bb4ecf85174181f998e7cb2af1

SHA256
5b8df0d55c2bccf2c3c646d98a0595cc1ef768b83bcd7bb5ff87046ba27383e4

SHA512
a1f7df991c526f04860ac5a6743c79f9edb7212d35742d125ba4594541ccb2797e64f20a47190e1b4d98b213b996c491f6e21c766c8d6baa692a11f135eb0a17

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
MD5
f3711ce8a6c3840b65f9d04b0e4ba418

SHA1
2cab0fa47208188ebc008b947a52bcc773eae36a

SHA256
b9f2069d9b144198170c2fe268b28b74837ed6fb193345beab6c1aff5ef80135

SHA512
93cd70fe9fe664a97bb834c67844a6ae108c539174838b91ae36d3946b59b835314291cc7c0b67deeba911848953405b38b7ddc3e185394d087503cb7fdae741

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK
MD5
6451375992c91363a491928451308940

SHA1
b4d54efee1c9c72fc579ecd383e6b2076ab4c17f

SHA256
12e12f96597ea0f929d90d7a980f4d17c0d7bb29a628606807abfc4ad1aebb44

SHA512
e50fa44b7ffeef33a6be3727aab8e0646b05b9a739ba27e0420c666150d0cf38b6843177c26542a99fbf1dedb68635e75d9ef54d1d3ee652459f2e4ea1a818db

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK
MD5
a9336abb1011aa47aa7964c69241409e

SHA1
10d62a0a1658791506dd8ab8f2aa1be859b2a3ba

SHA256
c35efde7fe682cb60f85626223e267e328002f02885747f415f55cb3839357d9

SHA512
191a6b4c1b87041c1a7347cc507154f4a6eb07f0fc1117fbfdf3d8f3af156f76866d27c444d020118d48f6e882b23dcf6f7ad9d67396443e1c4491bf7ac9ec03

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.RYK
MD5
9056e6d7761d5abad6f49a892eb1c21a

SHA1
c45196ecc6a55fa11e3330dd03e1d82534ce3e2f

SHA256
8a46428750d3e4c3468e97f3882d4557dd335d6dce1281748da0209143eb0267

SHA512
1a63a5915cd583ab6f4f87864eb80609f5727f60746a94571cdf72be2d6f3cde0956bead1fa68ddfedf79d5ecba417d0a5803fce8ff7766d0c8d74a9cbc593ee

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
61c9611d053287ee36b372a5f0afe7b6

SHA1
3fc282f6bb6dc1bb4ecf85174181f998e7cb2af1

SHA256
5b8df0d55c2bccf2c3c646d98a0595cc1ef768b83bcd7bb5ff87046ba27383e4

SHA512
a1f7df991c526f04860ac5a6743c79f9edb7212d35742d125ba4594541ccb2797e64f20a47190e1b4d98b213b996c491f6e21c766c8d6baa692a11f135eb0a17

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
MD5
b81c29297c04f8e839dfe1c9ec891d99

SHA1
55d6e9bb0d841bc9c835ee709b56616dc487928f

SHA256
e2cf218cbfec5ce573ea725de3961a4a1bd1580e6baf9b58aecec38ec5c78f12

SHA512
9501afb9c19645568d8d7e930f894897e6db51cbb19c5523afc6d82746863938d8feca0bc01f19fa853e01034e02361f2740f79965a67787d8004d5129b260fc

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK
MD5
876b1392498f5cc88b535c861dfa3a06

SHA1
b64d9d0a1f5b68660a74bba1edefa8f7b4a1f16c

SHA256
d60a548f8a042153b844d37a52d9f849c36566f5c2c5dab797b2c798a29715ca

SHA512
6124230f735594d920a0fbf96da9b64e5fe88a9467414230051b593b62ea70113d105d3ececcef2245016a2f5bfbb20e178c5c373a0ac10b5741d03126dba455

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK
MD5
f058a31c858712ea3552f5057dbdca3b

SHA1
ebac1c4a1d57c2b95c37944cfa476fe215755d85

SHA256
e25e28b5c0a65943ea7e22ed95759559609727aad9dae98fd7ab5a8ffb63aaaf

SHA512
e2eb93a407c880f4cca0c851540f651dab38d8ecc88eaa9c34e7c99846ee86396f4c7d1cc9e8b3afb3922f95583ca9dc19d41ddfad72f702e0ef483f92001d72

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK
MD5
5954862be7bed3c9f3b157d4154511c3

SHA1
01d99c71281a7a0e2444bf21fa7d024f4ac7c3e4

SHA256
c14e404107916af4e232572c2c768b4c5ffe07693303d43c0f6c18d747e02510

SHA512
79ffc2970780d85924a7eb0dcc853c1302d7497d4552baf0b08e136f8d5f56434d9daff2a3fa125d473e1b47a87ed2d66bec724099df0eb0527883dcf6b7dbf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\JyALUjoOQrep.exe
MD5
aaa963a1b4c71047d667f0c3d1760d44

SHA1
90ce48d945427822647242d42678fb6fb5b77d73

SHA256
87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de

SHA512
c3cfc8f91ac084ba4ed03e615bd0c55ef65dae3c0618dade3eccd1e2aada1edf30b6cd03e7240b2fce19b5f4f3071ee8c39ab57b0bd073d8049982eb9aea54c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XYiupUWvmlan.exe
MD5
aaa963a1b4c71047d667f0c3d1760d44

SHA1
90ce48d945427822647242d42678fb6fb5b77d73

SHA256
87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de

SHA512
c3cfc8f91ac084ba4ed03e615bd0c55ef65dae3c0618dade3eccd1e2aada1edf30b6cd03e7240b2fce19b5f4f3071ee8c39ab57b0bd073d8049982eb9aea54c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\afWgJXVPJlan.exe
MD5
aaa963a1b4c71047d667f0c3d1760d44

SHA1
90ce48d945427822647242d42678fb6fb5b77d73

SHA256
87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de

SHA512
c3cfc8f91ac084ba4ed03e615bd0c55ef65dae3c0618dade3eccd1e2aada1edf30b6cd03e7240b2fce19b5f4f3071ee8c39ab57b0bd073d8049982eb9aea54c8

Download Submit
C:\users\Public\RyukReadMe.html
MD5
61c9611d053287ee36b372a5f0afe7b6

SHA1
3fc282f6bb6dc1bb4ecf85174181f998e7cb2af1

SHA256
5b8df0d55c2bccf2c3c646d98a0595cc1ef768b83bcd7bb5ff87046ba27383e4

SHA512
a1f7df991c526f04860ac5a6743c79f9edb7212d35742d125ba4594541ccb2797e64f20a47190e1b4d98b213b996c491f6e21c766c8d6baa692a11f135eb0a17

Download Submit
\Users\Admin\AppData\Local\Temp\JyALUjoOQrep.exe
MD5
aaa963a1b4c71047d667f0c3d1760d44

SHA1
90ce48d945427822647242d42678fb6fb5b77d73

SHA256
87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de

SHA512
c3cfc8f91ac084ba4ed03e615bd0c55ef65dae3c0618dade3eccd1e2aada1edf30b6cd03e7240b2fce19b5f4f3071ee8c39ab57b0bd073d8049982eb9aea54c8

Download Submit
\Users\Admin\AppData\Local\Temp\JyALUjoOQrep.exe
MD5
aaa963a1b4c71047d667f0c3d1760d44

SHA1
90ce48d945427822647242d42678fb6fb5b77d73

SHA256
87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de

SHA512
c3cfc8f91ac084ba4ed03e615bd0c55ef65dae3c0618dade3eccd1e2aada1edf30b6cd03e7240b2fce19b5f4f3071ee8c39ab57b0bd073d8049982eb9aea54c8

Download Submit
\Users\Admin\AppData\Local\Temp\XYiupUWvmlan.exe
MD5
aaa963a1b4c71047d667f0c3d1760d44

SHA1
90ce48d945427822647242d42678fb6fb5b77d73

SHA256
87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de

SHA512
c3cfc8f91ac084ba4ed03e615bd0c55ef65dae3c0618dade3eccd1e2aada1edf30b6cd03e7240b2fce19b5f4f3071ee8c39ab57b0bd073d8049982eb9aea54c8

Download Submit
\Users\Admin\AppData\Local\Temp\XYiupUWvmlan.exe
MD5
aaa963a1b4c71047d667f0c3d1760d44

SHA1
90ce48d945427822647242d42678fb6fb5b77d73

SHA256
87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de

SHA512
c3cfc8f91ac084ba4ed03e615bd0c55ef65dae3c0618dade3eccd1e2aada1edf30b6cd03e7240b2fce19b5f4f3071ee8c39ab57b0bd073d8049982eb9aea54c8

Download Submit
\Users\Admin\AppData\Local\Temp\afWgJXVPJlan.exe
MD5
aaa963a1b4c71047d667f0c3d1760d44

SHA1
90ce48d945427822647242d42678fb6fb5b77d73

SHA256
87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de

SHA512
c3cfc8f91ac084ba4ed03e615bd0c55ef65dae3c0618dade3eccd1e2aada1edf30b6cd03e7240b2fce19b5f4f3071ee8c39ab57b0bd073d8049982eb9aea54c8

Download Submit
\Users\Admin\AppData\Local\Temp\afWgJXVPJlan.exe
MD5
aaa963a1b4c71047d667f0c3d1760d44

SHA1
90ce48d945427822647242d42678fb6fb5b77d73

SHA256
87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de

SHA512
c3cfc8f91ac084ba4ed03e615bd0c55ef65dae3c0618dade3eccd1e2aada1edf30b6cd03e7240b2fce19b5f4f3071ee8c39ab57b0bd073d8049982eb9aea54c8

Download Submit
memory/1364-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download