Analysis Overview
SHA256
6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623
Threat Level: Known bad
The file 6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623 was found to be: Known bad.
Malicious Activity Summary
Ryuk
Executes dropped EXE
Modifies file permissions
Loads dropped DLL
Checks computer location settings
Drops file in Program Files directory
Enumerates physical storage devices
Runs net.exe
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-20 06:14
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 06:14
Reported
2022-02-20 06:50
Platform
win10v2004-en-20220113
Max time kernel
201s
Max time network
250s
Command Line
Signatures
Ryuk
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vExrhdLWcrep.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GqdXGpffxlan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LpFGOJQxGlan.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
"C:\Users\Admin\AppData\Local\Temp\6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe"
C:\Users\Admin\AppData\Local\Temp\vExrhdLWcrep.exe
"C:\Users\Admin\AppData\Local\Temp\vExrhdLWcrep.exe" 9 REP
C:\Users\Admin\AppData\Local\Temp\GqdXGpffxlan.exe
"C:\Users\Admin\AppData\Local\Temp\GqdXGpffxlan.exe" 8 LAN
C:\Users\Admin\AppData\Local\Temp\LpFGOJQxGlan.exe
"C:\Users\Admin\AppData\Local\Temp\LpFGOJQxGlan.exe" 8 LAN
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
Network
| Country | Destination | Proto | Domain |
| US | 93.184.220.29:80 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| N/A | 10.127.0.1:7 | udp | |
| NL | 154.61.71.51:7 | udp | |
| N/A | 224.0.0.22:7 | udp | |
| N/A | 224.0.0.251:7 | udp | |
| N/A | 224.0.0.252:7 | udp | |
| N/A | 239.255.255.250:7 | udp | |
| N/A | 10.127.0.1:7 | udp | |
| N/A | 10.127.0.2:7 | udp | |
| N/A | 10.127.0.25:7 | udp | |
| N/A | 10.127.0.27:7 | udp | |
| N/A | 10.127.0.29:7 | udp | |
| N/A | 10.127.0.30:7 | udp | |
| N/A | 10.127.0.237:7 | udp | |
| N/A | 10.127.1.113:7 | udp | |
| N/A | 10.127.1.150:7 | udp | |
| N/A | 10.127.1.185:7 | udp | |
| N/A | 10.127.1.190:7 | udp | |
| N/A | 10.127.2.34:7 | udp | |
| N/A | 10.127.2.35:7 | udp | |
| N/A | 10.127.2.51:7 | udp | |
| N/A | 10.127.2.52:7 | udp | |
| N/A | 10.127.2.165:7 | udp | |
| N/A | 10.127.2.166:7 | udp | |
| N/A | 10.127.2.201:7 | udp | |
| N/A | 10.127.3.27:7 | udp | |
| N/A | 10.127.3.66:7 | udp | |
| N/A | 10.127.3.67:7 | udp | |
| N/A | 10.127.3.199:7 | udp | |
| N/A | 10.127.3.201:7 | udp | |
| N/A | 10.127.3.208:7 | udp | |
| N/A | 10.127.3.209:7 | udp | |
| N/A | 10.127.3.210:7 | udp | |
| N/A | 10.127.3.211:7 | udp | |
| N/A | 10.127.3.212:7 | udp | |
| N/A | 10.127.3.213:7 | udp | |
| N/A | 10.127.3.214:7 | udp | |
| N/A | 10.127.3.215:7 | udp | |
| N/A | 10.127.3.216:7 | udp | |
| N/A | 10.127.3.217:7 | udp | |
| N/A | 10.127.3.218:7 | udp | |
| N/A | 10.127.3.219:7 | udp | |
| N/A | 10.127.3.220:7 | udp | |
| N/A | 10.127.3.221:7 | udp | |
| N/A | 10.127.3.222:7 | udp | |
| N/A | 10.127.3.223:7 | udp | |
| N/A | 10.127.3.224:7 | udp | |
| N/A | 10.127.3.225:7 | udp | |
| N/A | 10.127.3.226:7 | udp | |
| N/A | 10.127.3.227:7 | udp | |
| N/A | 10.127.3.228:7 | udp | |
| N/A | 10.127.3.229:7 | udp | |
| N/A | 10.127.3.230:7 | udp | |
| N/A | 10.127.3.231:7 | udp | |
| N/A | 10.127.3.232:7 | udp | |
| N/A | 10.127.3.233:7 | udp | |
| N/A | 10.127.3.234:7 | udp | |
| N/A | 10.127.3.235:7 | udp | |
| N/A | 10.127.3.236:7 | udp | |
| N/A | 10.127.3.237:7 | udp | |
| N/A | 10.127.3.238:7 | udp | |
| N/A | 10.127.3.239:7 | udp | |
| N/A | 10.127.3.240:7 | udp | |
| N/A | 10.127.3.241:7 | udp | |
| N/A | 10.127.3.242:7 | udp | |
| N/A | 10.127.3.243:7 | udp | |
| N/A | 10.127.3.244:7 | udp | |
| N/A | 10.127.3.245:7 | udp | |
| N/A | 10.127.3.246:7 | udp | |
| N/A | 10.127.3.247:7 | udp | |
| N/A | 10.127.3.248:7 | udp | |
| N/A | 10.127.3.249:7 | udp | |
| N/A | 10.127.3.250:7 | udp | |
| N/A | 10.127.3.251:7 | udp | |
| N/A | 10.127.3.252:7 | udp | |
| N/A | 10.127.3.253:7 | udp | |
| N/A | 10.127.3.254:7 | udp | |
| N/A | 10.127.3.255:7 | udp | |
| N/A | 10.127.4.44:7 | udp | |
| N/A | 10.127.5.46:7 | udp | |
| N/A | 10.127.5.47:7 | udp | |
| N/A | 10.127.5.157:7 | udp | |
| N/A | 10.127.6.0:7 | udp | |
| N/A | 10.127.6.42:7 | udp | |
| N/A | 10.127.6.43:7 | udp | |
| N/A | 10.127.6.125:7 | udp | |
| N/A | 10.127.6.211:7 | udp | |
| N/A | 10.127.6.212:7 | udp | |
| N/A | 10.127.6.224:7 | udp | |
| N/A | 10.127.6.225:7 | udp | |
| N/A | 10.127.6.226:7 | udp | |
| N/A | 10.127.6.227:7 | udp | |
| N/A | 10.127.6.228:7 | udp | |
| N/A | 10.127.6.229:7 | udp | |
Files
C:\Users\Admin\AppData\Local\Temp\vExrhdLWcrep.exe
| MD5 | b003a727c9c2e8bec5c17f849c816726 |
| SHA1 | 23aabb8ab9aa4dfaa55afd29fd09487254b49dff |
| SHA256 | 6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623 |
| SHA512 | 21b79ec4c8a1453bfb5c3fbea7d50b6c69be80dfe0413603ad7643c988821d9ecdd19c49608178958e78d41386e841104fcd58cb32e7ca9ffd203a51a2adc271 |
C:\Users\Admin\AppData\Local\Temp\GqdXGpffxlan.exe
| MD5 | b003a727c9c2e8bec5c17f849c816726 |
| SHA1 | 23aabb8ab9aa4dfaa55afd29fd09487254b49dff |
| SHA256 | 6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623 |
| SHA512 | 21b79ec4c8a1453bfb5c3fbea7d50b6c69be80dfe0413603ad7643c988821d9ecdd19c49608178958e78d41386e841104fcd58cb32e7ca9ffd203a51a2adc271 |
C:\Users\Admin\AppData\Local\Temp\LpFGOJQxGlan.exe
| MD5 | b003a727c9c2e8bec5c17f849c816726 |
| SHA1 | 23aabb8ab9aa4dfaa55afd29fd09487254b49dff |
| SHA256 | 6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623 |
| SHA512 | 21b79ec4c8a1453bfb5c3fbea7d50b6c69be80dfe0413603ad7643c988821d9ecdd19c49608178958e78d41386e841104fcd58cb32e7ca9ffd203a51a2adc271 |
C:\users\Public\RyukReadMe.html
| MD5 | c91c73ed19a3fa56203d439ba324f144 |
| SHA1 | 4af44df711aa03833df80cdd348c9e4d14c820f3 |
| SHA256 | 974a52d27a63f6517dafeed5bccef1e04d74aadf1a721c29b690d9d3f3d3e984 |
| SHA512 | 51d2ae82957d94fae1f7cf9b94075a61b33a93099f7bdb0d3d0abb3fa47c5c1087e3fe318d7e1fab7cd82ca7eb0f9db77ac4a0af9331f7218b48d844f10f9278 |
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 06:14
Reported
2022-02-20 06:50
Platform
win7-en-20211208
Max time kernel
186s
Max time network
221s
Command Line
Signatures
Ryuk
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HrIEuiIPErep.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\voTZRquyulan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gFgtOqHgnlan.exe | N/A |
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
"C:\Users\Admin\AppData\Local\Temp\6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe"
C:\Users\Admin\AppData\Local\Temp\HrIEuiIPErep.exe
"C:\Users\Admin\AppData\Local\Temp\HrIEuiIPErep.exe" 9 REP
C:\Users\Admin\AppData\Local\Temp\voTZRquyulan.exe
"C:\Users\Admin\AppData\Local\Temp\voTZRquyulan.exe" 8 LAN
C:\Users\Admin\AppData\Local\Temp\gFgtOqHgnlan.exe
"C:\Users\Admin\AppData\Local\Temp\gFgtOqHgnlan.exe" 8 LAN
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
Network
| Country | Destination | Proto | Domain |
| N/A | 10.127.0.1:7 | udp | |
| NL | 154.61.71.51:7 | udp | |
| N/A | 224.0.0.22:7 | udp | |
| N/A | 224.0.0.252:7 | udp | |
| N/A | 239.255.255.250:7 | udp | |
| N/A | 10.127.0.1:7 | udp | |
| N/A | 10.127.0.2:7 | udp | |
| N/A | 10.127.0.3:7 | udp | |
| N/A | 10.127.0.4:7 | udp | |
| N/A | 10.127.0.5:7 | udp | |
| N/A | 10.127.0.6:7 | udp | |
| N/A | 10.127.0.7:7 | udp | |
| N/A | 10.127.0.8:7 | udp | |
| N/A | 10.127.0.9:7 | udp | |
| N/A | 10.127.0.10:7 | udp | |
| N/A | 10.127.0.11:7 | udp | |
| N/A | 10.127.0.12:7 | udp | |
| N/A | 10.127.0.13:7 | udp | |
| N/A | 10.127.0.14:7 | udp | |
| N/A | 10.127.0.15:7 | udp | |
| N/A | 10.127.0.16:7 | udp | |
| N/A | 10.127.0.17:7 | udp | |
| N/A | 10.127.0.18:7 | udp | |
| N/A | 10.127.0.19:7 | udp | |
| N/A | 10.127.0.20:7 | udp | |
| N/A | 10.127.0.21:7 | udp | |
| N/A | 10.127.0.22:7 | udp | |
| N/A | 10.127.0.23:7 | udp | |
| N/A | 10.127.0.24:7 | udp | |
| N/A | 10.127.0.25:7 | udp | |
| N/A | 10.127.0.26:7 | udp | |
| N/A | 10.127.0.27:7 | udp | |
| N/A | 10.127.0.28:7 | udp | |
| N/A | 10.127.0.29:7 | udp | |
| N/A | 10.127.0.30:7 | udp | |
| N/A | 10.127.0.31:7 | udp | |
| N/A | 10.127.0.32:7 | udp | |
| N/A | 10.127.0.33:7 | udp | |
| N/A | 10.127.0.34:7 | udp | |
| N/A | 10.127.0.35:7 | udp | |
| N/A | 10.127.0.36:7 | udp | |
| N/A | 10.127.0.37:7 | udp | |
| N/A | 10.127.0.38:7 | udp | |
| N/A | 10.127.0.39:7 | udp | |
| N/A | 10.127.0.40:7 | udp | |
| N/A | 10.127.0.41:7 | udp | |
| N/A | 10.127.0.42:7 | udp | |
| N/A | 10.127.0.43:7 | udp | |
| N/A | 10.127.0.44:7 | udp | |
| N/A | 10.127.0.45:7 | udp | |
| N/A | 10.127.0.46:7 | udp | |
| N/A | 10.127.0.47:7 | udp | |
| N/A | 10.127.0.48:7 | udp | |
| N/A | 10.127.0.49:7 | udp | |
| N/A | 10.127.0.50:7 | udp | |
| N/A | 10.127.0.51:7 | udp | |
| N/A | 10.127.0.52:7 | udp | |
| N/A | 10.127.0.53:7 | udp | |
| N/A | 10.127.0.54:7 | udp | |
| N/A | 10.127.0.55:7 | udp | |
| N/A | 10.127.0.56:7 | udp | |
| N/A | 10.127.0.57:7 | udp | |
| N/A | 10.127.0.58:7 | udp | |
| N/A | 10.127.0.59:7 | udp | |
| N/A | 10.127.0.60:7 | udp | |
| N/A | 10.127.0.61:7 | udp | |
| N/A | 10.127.0.62:7 | udp | |
| N/A | 10.127.0.63:7 | udp | |
| N/A | 10.127.0.64:7 | udp | |
| N/A | 10.127.0.65:7 | udp | |
| N/A | 10.127.0.66:7 | udp | |
| N/A | 10.127.0.67:7 | udp | |
| N/A | 10.127.0.68:7 | udp | |
| N/A | 10.127.0.69:7 | udp | |
| N/A | 10.127.0.70:7 | udp | |
| N/A | 10.127.0.71:7 | udp | |
| N/A | 10.127.0.72:7 | udp | |
| N/A | 10.127.0.73:7 | udp | |
| N/A | 10.127.0.74:7 | udp | |
| N/A | 10.127.0.75:7 | udp | |
| N/A | 10.127.0.76:7 | udp | |
| N/A | 10.127.0.77:7 | udp | |
| N/A | 10.127.0.78:7 | udp | |
| N/A | 10.127.0.79:7 | udp | |
| N/A | 10.127.0.80:7 | udp | |
| N/A | 10.127.0.81:7 | udp | |
| N/A | 10.127.0.82:7 | udp | |
| N/A | 10.127.0.83:7 | udp | |
| N/A | 10.127.0.84:7 | udp | |
| N/A | 10.127.0.85:7 | udp | |
| N/A | 10.127.0.86:7 | udp | |
| N/A | 10.127.0.87:7 | udp | |
| N/A | 10.127.0.88:7 | udp | |
| N/A | 10.127.0.89:7 | udp | |
| N/A | 10.127.0.90:7 | udp | |
| N/A | 10.127.0.91:7 | udp | |
| N/A | 10.127.0.92:7 | udp | |
| N/A | 10.127.0.93:7 | udp | |
| N/A | 10.127.0.94:7 | udp | |
| N/A | 10.127.0.95:7 | udp | |
| N/A | 10.127.0.96:7 | udp | |
| N/A | 10.127.0.97:7 | udp | |
| N/A | 10.127.0.98:7 | udp | |
| N/A | 10.127.0.99:7 | udp | |
| N/A | 10.127.0.100:7 | udp | |
| N/A | 10.127.0.101:7 | udp | |
| N/A | 10.127.0.102:7 | udp | |
| N/A | 10.127.0.103:7 | udp | |
| N/A | 10.127.0.104:7 | udp | |
| N/A | 10.127.0.105:7 | udp | |
| N/A | 10.127.0.106:7 | udp | |
| N/A | 10.127.0.107:7 | udp | |
| N/A | 10.127.0.108:7 | udp | |
| N/A | 10.127.0.109:7 | udp | |
| N/A | 10.127.0.110:7 | udp | |
| N/A | 10.127.0.111:7 | udp | |
| N/A | 10.127.0.112:7 | udp | |
| N/A | 10.127.0.113:7 | udp | |
| N/A | 10.127.0.114:7 | udp | |
Files
memory/1664-54-0x0000000076491000-0x0000000076493000-memory.dmp
\Users\Admin\AppData\Local\Temp\HrIEuiIPErep.exe
| MD5 | b003a727c9c2e8bec5c17f849c816726 |
| SHA1 | 23aabb8ab9aa4dfaa55afd29fd09487254b49dff |
| SHA256 | 6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623 |
| SHA512 | 21b79ec4c8a1453bfb5c3fbea7d50b6c69be80dfe0413603ad7643c988821d9ecdd19c49608178958e78d41386e841104fcd58cb32e7ca9ffd203a51a2adc271 |
C:\Users\Admin\AppData\Local\Temp\HrIEuiIPErep.exe
| MD5 | b003a727c9c2e8bec5c17f849c816726 |
| SHA1 | 23aabb8ab9aa4dfaa55afd29fd09487254b49dff |
| SHA256 | 6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623 |
| SHA512 | 21b79ec4c8a1453bfb5c3fbea7d50b6c69be80dfe0413603ad7643c988821d9ecdd19c49608178958e78d41386e841104fcd58cb32e7ca9ffd203a51a2adc271 |
\Users\Admin\AppData\Local\Temp\voTZRquyulan.exe
| MD5 | b003a727c9c2e8bec5c17f849c816726 |
| SHA1 | 23aabb8ab9aa4dfaa55afd29fd09487254b49dff |
| SHA256 | 6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623 |
| SHA512 | 21b79ec4c8a1453bfb5c3fbea7d50b6c69be80dfe0413603ad7643c988821d9ecdd19c49608178958e78d41386e841104fcd58cb32e7ca9ffd203a51a2adc271 |
C:\Users\Admin\AppData\Local\Temp\voTZRquyulan.exe
| MD5 | b003a727c9c2e8bec5c17f849c816726 |
| SHA1 | 23aabb8ab9aa4dfaa55afd29fd09487254b49dff |
| SHA256 | 6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623 |
| SHA512 | 21b79ec4c8a1453bfb5c3fbea7d50b6c69be80dfe0413603ad7643c988821d9ecdd19c49608178958e78d41386e841104fcd58cb32e7ca9ffd203a51a2adc271 |
\Users\Admin\AppData\Local\Temp\gFgtOqHgnlan.exe
| MD5 | b003a727c9c2e8bec5c17f849c816726 |
| SHA1 | 23aabb8ab9aa4dfaa55afd29fd09487254b49dff |
| SHA256 | 6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623 |
| SHA512 | 21b79ec4c8a1453bfb5c3fbea7d50b6c69be80dfe0413603ad7643c988821d9ecdd19c49608178958e78d41386e841104fcd58cb32e7ca9ffd203a51a2adc271 |
C:\Users\Admin\AppData\Local\Temp\gFgtOqHgnlan.exe
| MD5 | b003a727c9c2e8bec5c17f849c816726 |
| SHA1 | 23aabb8ab9aa4dfaa55afd29fd09487254b49dff |
| SHA256 | 6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623 |
| SHA512 | 21b79ec4c8a1453bfb5c3fbea7d50b6c69be80dfe0413603ad7643c988821d9ecdd19c49608178958e78d41386e841104fcd58cb32e7ca9ffd203a51a2adc271 |
C:\users\Public\RyukReadMe.html
| MD5 | c91c73ed19a3fa56203d439ba324f144 |
| SHA1 | 4af44df711aa03833df80cdd348c9e4d14c820f3 |
| SHA256 | 974a52d27a63f6517dafeed5bccef1e04d74aadf1a721c29b690d9d3f3d3e984 |
| SHA512 | 51d2ae82957d94fae1f7cf9b94075a61b33a93099f7bdb0d3d0abb3fa47c5c1087e3fe318d7e1fab7cd82ca7eb0f9db77ac4a0af9331f7218b48d844f10f9278 |
C:\$Recycle.Bin\RyukReadMe.html
| MD5 | c91c73ed19a3fa56203d439ba324f144 |
| SHA1 | 4af44df711aa03833df80cdd348c9e4d14c820f3 |
| SHA256 | 974a52d27a63f6517dafeed5bccef1e04d74aadf1a721c29b690d9d3f3d3e984 |
| SHA512 | 51d2ae82957d94fae1f7cf9b94075a61b33a93099f7bdb0d3d0abb3fa47c5c1087e3fe318d7e1fab7cd82ca7eb0f9db77ac4a0af9331f7218b48d844f10f9278 |
C:\MSOCache\All Users\RyukReadMe.html
| MD5 | c91c73ed19a3fa56203d439ba324f144 |
| SHA1 | 4af44df711aa03833df80cdd348c9e4d14c820f3 |
| SHA256 | 974a52d27a63f6517dafeed5bccef1e04d74aadf1a721c29b690d9d3f3d3e984 |
| SHA512 | 51d2ae82957d94fae1f7cf9b94075a61b33a93099f7bdb0d3d0abb3fa47c5c1087e3fe318d7e1fab7cd82ca7eb0f9db77ac4a0af9331f7218b48d844f10f9278 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK
| MD5 | f959db1c57aa1f7693c07c4d453550a4 |
| SHA1 | 519fc54af0c3cfa3361359951e35023e0d983495 |
| SHA256 | e0d5d75b83aa142cdd0be5bf3361cfc2c0e2c9e792cc92f655f1e50f4060ceeb |
| SHA512 | 54190ea06a27b2f60cba6f6530c754c195c8f736d085af0d47339a3364cd8e6b70deadfc9881384598ad048d87a9d952a1f7af946be2458e4f07c9a53e0638bc |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK
| MD5 | 3ddc03ed5f81f15631e823a0bd8c171e |
| SHA1 | 1ad26f6585ab3547ea762b4b76db278455507391 |
| SHA256 | 4f119f5a273c11c243fa5ace3e1884a601397597af80ac6f7f112d06f0fe86c2 |
| SHA512 | e415b72b39759575c318bbc443af8a7429750f532bd12d5950aaee62d150c80b416121d2bb5f43cd98d73e07c6e25942a61eb797adce2c14289afec540597ece |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK
| MD5 | 48061019601371035112891da3b3a563 |
| SHA1 | 1b8f78e9ec1877616123b7c17b2cbe0c853a8b92 |
| SHA256 | d0553d6c218cd5cfa977764ff95c06aff32822509272a2a91f0b0826bc54b533 |
| SHA512 | 87378dd388c86a992b187d0654c69d5a5cd4cdbaafddc34d5f54f8b229b91daba4104a022203a7d4df5812630759396ee2c2199cf115cc4f1aa3e86ffd8d48c7 |
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK
| MD5 | 22e6eb8fc74f6b4c4ee2ee3cd29d38f3 |
| SHA1 | ad2d07665136253017759056779e192b7a8f3b40 |
| SHA256 | d8a70bb425ec9f36f42ff19c22047b88b18fd197e00847181937d1733c5b5173 |
| SHA512 | e0524a70dee207d106adb95ad7be161b4515f3f683f5399fa3ba5a281204e431f120885715804e35af72fff543d2ae6025c0958c8efdfff66976d824e0a079c3 |
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
| MD5 | f308c019d4ccd35a72052242fc628c1c |
| SHA1 | 2e14bb29d9281f357fd2858c6911c32ac7241800 |
| SHA256 | fa86e48cd7d6cec3f10409b4097d55e0f0c736f733722c0acf09e922864b1d9e |
| SHA512 | 21cd395bb807ceb4296f4eceda13109d5443ee419fd5b3d29bdf57bf72edb1b55366c3c47a87ec9fcb304e2a5453395a417032789ebc0c7a191da7b887a96e96 |
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html
| MD5 | c91c73ed19a3fa56203d439ba324f144 |
| SHA1 | 4af44df711aa03833df80cdd348c9e4d14c820f3 |
| SHA256 | 974a52d27a63f6517dafeed5bccef1e04d74aadf1a721c29b690d9d3f3d3e984 |
| SHA512 | 51d2ae82957d94fae1f7cf9b94075a61b33a93099f7bdb0d3d0abb3fa47c5c1087e3fe318d7e1fab7cd82ca7eb0f9db77ac4a0af9331f7218b48d844f10f9278 |
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK
| MD5 | 77c6fd2ab8983a17d3b0049e8c0a90e3 |
| SHA1 | cd81ee2d07b6deaa6e51f70efae59f88b9dd3002 |
| SHA256 | 692b2124939b5827397866a20bc6ada986ae144d7a6a07d464f5430159a3ba37 |
| SHA512 | 0ec204a6ce9f20c4c55d5da5a444c61972b4597e8cefbb089ed4659ad7353a2c759d6fcdc779815d0686dafefa80822a2328d602a9020157a5ce71016c4e1bf5 |
C:\RyukReadMe.html
| MD5 | c91c73ed19a3fa56203d439ba324f144 |
| SHA1 | 4af44df711aa03833df80cdd348c9e4d14c820f3 |
| SHA256 | 974a52d27a63f6517dafeed5bccef1e04d74aadf1a721c29b690d9d3f3d3e984 |
| SHA512 | 51d2ae82957d94fae1f7cf9b94075a61b33a93099f7bdb0d3d0abb3fa47c5c1087e3fe318d7e1fab7cd82ca7eb0f9db77ac4a0af9331f7218b48d844f10f9278 |
C:\$Recycle.Bin\S-1-5-21-3846991908-3261386348-1409841751-1000\RyukReadMe.html
| MD5 | c91c73ed19a3fa56203d439ba324f144 |
| SHA1 | 4af44df711aa03833df80cdd348c9e4d14c820f3 |
| SHA256 | 974a52d27a63f6517dafeed5bccef1e04d74aadf1a721c29b690d9d3f3d3e984 |
| SHA512 | 51d2ae82957d94fae1f7cf9b94075a61b33a93099f7bdb0d3d0abb3fa47c5c1087e3fe318d7e1fab7cd82ca7eb0f9db77ac4a0af9331f7218b48d844f10f9278 |
C:\Users\RyukReadMe.html
| MD5 | c91c73ed19a3fa56203d439ba324f144 |
| SHA1 | 4af44df711aa03833df80cdd348c9e4d14c820f3 |
| SHA256 | 974a52d27a63f6517dafeed5bccef1e04d74aadf1a721c29b690d9d3f3d3e984 |
| SHA512 | 51d2ae82957d94fae1f7cf9b94075a61b33a93099f7bdb0d3d0abb3fa47c5c1087e3fe318d7e1fab7cd82ca7eb0f9db77ac4a0af9331f7218b48d844f10f9278 |
C:\MSOCache\RyukReadMe.html
| MD5 | c91c73ed19a3fa56203d439ba324f144 |
| SHA1 | 4af44df711aa03833df80cdd348c9e4d14c820f3 |
| SHA256 | 974a52d27a63f6517dafeed5bccef1e04d74aadf1a721c29b690d9d3f3d3e984 |
| SHA512 | 51d2ae82957d94fae1f7cf9b94075a61b33a93099f7bdb0d3d0abb3fa47c5c1087e3fe318d7e1fab7cd82ca7eb0f9db77ac4a0af9331f7218b48d844f10f9278 |
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html
| MD5 | c91c73ed19a3fa56203d439ba324f144 |
| SHA1 | 4af44df711aa03833df80cdd348c9e4d14c820f3 |
| SHA256 | 974a52d27a63f6517dafeed5bccef1e04d74aadf1a721c29b690d9d3f3d3e984 |
| SHA512 | 51d2ae82957d94fae1f7cf9b94075a61b33a93099f7bdb0d3d0abb3fa47c5c1087e3fe318d7e1fab7cd82ca7eb0f9db77ac4a0af9331f7218b48d844f10f9278 |
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
| MD5 | 3b82ec7fd9651793dbaad36bdbfa4e82 |
| SHA1 | 4da83457b221432fb6dd8100c009605bdc6326d1 |
| SHA256 | bed3ae385b4f04e6556d7babe3718020ef9e41bd731dffe2ba69acc52c2ea850 |
| SHA512 | 23b55dd73c0982daa3912bcb101e569a301ce4beac8d3ff9f43f0aebf7d3ac2d61a43aa0c14ea6d41be55391b747b9552f9746a7fc00e4e2c4cf1a2a1199da51 |
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html
| MD5 | c91c73ed19a3fa56203d439ba324f144 |
| SHA1 | 4af44df711aa03833df80cdd348c9e4d14c820f3 |
| SHA256 | 974a52d27a63f6517dafeed5bccef1e04d74aadf1a721c29b690d9d3f3d3e984 |
| SHA512 | 51d2ae82957d94fae1f7cf9b94075a61b33a93099f7bdb0d3d0abb3fa47c5c1087e3fe318d7e1fab7cd82ca7eb0f9db77ac4a0af9331f7218b48d844f10f9278 |
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK
| MD5 | 3f08915b9f2125760522c650b491c965 |
| SHA1 | 413e8861830fb0c359c21509524364510b4b1669 |
| SHA256 | bca1932c0971649e6bcbec85d2fefda1ffd2696a66f1b84aab9a6d566606d367 |
| SHA512 | 227f0f8b3b98beb2215e8827a680983b0b9997d22cbbe68942b7f4ea19c33b6c74533c80ec5aa3e16ca53ad04cf687336e84c72cd5868ec5bd4001fa0b56879d |
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK
| MD5 | 19c7a50669ba340c555a18aa9b562ce2 |
| SHA1 | 6dff693356efec34b3080439de1210cae870651f |
| SHA256 | 901e612ab2b7bdc2b321b48e8f0b681f89cc50d38ccb678d0364972a27d5f284 |
| SHA512 | c38e65cbafce8754db7829c0e7e99a6886d518a59248bcfdf61e7d5cf703e84cdbe779c3d4e97a744d72c19f551d96d6a2aad74cf64b11d09b0030ae579ff757 |
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
| MD5 | 752da3093cb7a318aaef5cbefe3cd3e5 |
| SHA1 | 6fee2fa7251abeb7c76ec9153c6e96b046096870 |
| SHA256 | 4a9e38be8d6e1117c6dd9c6f5acd5e10434b5d5da156eca4470dcd4ba5b9a6aa |
| SHA512 | 3309c42cc91ccff36e36d74b737d1419187513d942cd8e8fb5f9bebb3a33b6044f20ae7dfa9a95e4d269fe30bcf5941298d9fba239485df87cc80f0657c448a7 |
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html
| MD5 | c91c73ed19a3fa56203d439ba324f144 |
| SHA1 | 4af44df711aa03833df80cdd348c9e4d14c820f3 |
| SHA256 | 974a52d27a63f6517dafeed5bccef1e04d74aadf1a721c29b690d9d3f3d3e984 |
| SHA512 | 51d2ae82957d94fae1f7cf9b94075a61b33a93099f7bdb0d3d0abb3fa47c5c1087e3fe318d7e1fab7cd82ca7eb0f9db77ac4a0af9331f7218b48d844f10f9278 |
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.RYK
| MD5 | 3fbd3c5d8e1c1b40927fd697ceeb1c70 |
| SHA1 | d03981b8f461d506d0f274c9829bc984fe8f15f2 |
| SHA256 | 638285c434d537691ca8b2bea4e5d8d81bdd105486fa9c082a028f390d289483 |
| SHA512 | a732d6a2dfad0d1ffae1d67a4f1fa8b2aec6ab2f5a26ef4d22c83aa780c38485634f77bbae2a35f6e6e2abd48c8cf5fb4e1f870a40e88cc6dbb7d8646c3070ca |
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK
| MD5 | f2cc18e6758a0eaf3d230464145d94d2 |
| SHA1 | f6c99d2594b34a27868c589801a9fae19af256f1 |
| SHA256 | 0f580a2ea66cdf2b50b5ed3a10a6efe1fbd26aa484184bdd3846552a142be7ca |
| SHA512 | 5b7765ca81eee81d042ad74b9c9da9181a8f15053b6337cda02f372769935d806cbb9ba38f5286a44c1c964d7221353077ef7c091f22fe53fef42e5e9bdf432d |
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK
| MD5 | ca4996d18483608ed8cb15710caa089e |
| SHA1 | b0fcddc3ebb7bf8eb9796fc0c2193edb4d93f472 |
| SHA256 | 0d10325412945c468014baae14a8b67b9a158685be733e5ffbfaffc7c77716a3 |
| SHA512 | dea9c4d577d8d13d65bedcf0554caba11cf7e6adb567b7f66f1d6700e9e1c358acdd2c3d90da0dff3e6fdffdd05ad68b79822469a25a5235ae7c4996d8452046 |
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK
| MD5 | 48769243d60a83ef2eaf80bb566c0bfa |
| SHA1 | 9804f3fc4662ad6fa7f00eb30a67c62b77a4d4bb |
| SHA256 | b5c175b03edb00ba279993f011c7216e7fa84e27eed1f19a99eb649cf264524d |
| SHA512 | 3dd7294986b8b105ea7a5f339b39292c464448208d6145a49195de98050c5a25e430f5975d727763153941204b885765ec6002fda86fe7289c457c05d54a14ac |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK
| MD5 | a3b85bfb51500f2ff0985856fef811f3 |
| SHA1 | 866179a9ff7b02c0c17a32ccbc277dd843c5e494 |
| SHA256 | ab797c783e19442e5671eba7e11fcf64f2afdfb6006c44edd5480f664c6719b3 |
| SHA512 | 6386fff29b9364b99fb4d88d01c7fc4d1edd1e96906d75632ec665f410a9f66f99be7f47745bc5f973291f3d843f56476b31f0b92cee26626b48c334af454658 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html
| MD5 | c91c73ed19a3fa56203d439ba324f144 |
| SHA1 | 4af44df711aa03833df80cdd348c9e4d14c820f3 |
| SHA256 | 974a52d27a63f6517dafeed5bccef1e04d74aadf1a721c29b690d9d3f3d3e984 |
| SHA512 | 51d2ae82957d94fae1f7cf9b94075a61b33a93099f7bdb0d3d0abb3fa47c5c1087e3fe318d7e1fab7cd82ca7eb0f9db77ac4a0af9331f7218b48d844f10f9278 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab.RYK
| MD5 | 78ef26721f370dd8a8b7b7a323eca5c1 |
| SHA1 | bc027976e4564e81f10a3cddda454b576c8c42b4 |
| SHA256 | 82fec4f1e7fd0fde0f8d7687eb0258f7f5e942eaf8cff2162a2ecff3b647f08d |
| SHA512 | ca6d3c6cf6c53ee986145c728ffbc75a7b19a5699158fc30970872deee5057a16eab15efdf510614669ee1d46fadffe8adcc1d08a89636602f42fb4687683f4e |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.RYK
| MD5 | 15356ab955575d544a2bfac9941eb97e |
| SHA1 | 04c74b231db7bedffae5fca331e83f8f970e1142 |
| SHA256 | 62499f7baaaedd8bec9ca0099524f06409909b224fda55d58458b866114dd5c3 |
| SHA512 | f7a4c6610f9c00d541b8061a157740ad386b9384460f1f1a62b54d98568a1385eba666d897b064e0fde13c95b81a8f834441a193304e4d1f0677720bf4a5547d |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK
| MD5 | 1cc723963f2be57baa0b28fc51edff10 |
| SHA1 | 94b076e03f1bc1f2e271a5b23ae891045ef351d8 |
| SHA256 | 5a944d6d4238f8365d9c6daaf956803903b5d31a5f4443aee5c44382d5252e44 |
| SHA512 | 516b7fed248110d8b534feffdd0b5d7c4165160a8e00ff36a5893dc280dc479f7c0feac8f5151e70b4441d836b4ea2f7a6c8c1ee5129d6ab868b196bcd7366ad |
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab
| MD5 | bcac9f1886ef6cc6c2d4a0e5f03564a0 |
| SHA1 | 7f4ce7a6c84accd57f061b0ab7a7221fe6c78665 |
| SHA256 | b77b26352bab3a888d1fed6a4809090172d35371956ad7f6e160ee8e94837c11 |
| SHA512 | f3cc7fc94a100ff951a6c8f38df4e2dcb0a0ddcd89f5a3e963abe2c3561f5d484f22fc2cf2be8b1415a8a6c4d5014e23b40ec5478cc7d7535cb3235d2a258db2 |