ryuk | 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

Analysis

max time kernel
177s
max time network
226s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
Size

117KB
MD5

045eb328ff30b09cebd6fe3c031db7bc
SHA1

b28cd818c54d7a4f5416728a8f8408e6c9c40bc2
SHA256

379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99
SHA512

6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

OKIzIqFIfrep.exeWffDgOMpjlan.exeFBbBrmbdQlan.exe

pid process

1688 OKIzIqFIfrep.exe
392 WffDgOMpjlan.exe
1944 FBbBrmbdQlan.exe

pid	process
1688	OKIzIqFIfrep.exe
392	WffDgOMpjlan.exe
1944	FBbBrmbdQlan.exe

Loads dropped DLL 6 IoCs

Processes:

379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

pid	process
1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

26188 icacls.exe
26196 icacls.exe

pid	process
26188	icacls.exe
26196	icacls.exe

Drops file in Program Files directory 2 IoCs

Processes:

379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

description	ioc	process
File opened for modification	C:\Program Files\RyukReadMe.html	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\7-Zip\RyukReadMe.html	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

pid	process
1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

description	pid	process	target process
PID 1544 wrote to memory of 1688	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	OKIzIqFIfrep.exe
PID 1544 wrote to memory of 1688	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	OKIzIqFIfrep.exe
PID 1544 wrote to memory of 1688	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	OKIzIqFIfrep.exe
PID 1544 wrote to memory of 1688	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	OKIzIqFIfrep.exe
PID 1544 wrote to memory of 392	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	WffDgOMpjlan.exe
PID 1544 wrote to memory of 392	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	WffDgOMpjlan.exe
PID 1544 wrote to memory of 392	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	WffDgOMpjlan.exe
PID 1544 wrote to memory of 392	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	WffDgOMpjlan.exe
PID 1544 wrote to memory of 1944	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	FBbBrmbdQlan.exe
PID 1544 wrote to memory of 1944	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	FBbBrmbdQlan.exe
PID 1544 wrote to memory of 1944	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	FBbBrmbdQlan.exe
PID 1544 wrote to memory of 1944	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	FBbBrmbdQlan.exe
PID 1544 wrote to memory of 26188	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	icacls.exe
PID 1544 wrote to memory of 26188	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	icacls.exe
PID 1544 wrote to memory of 26188	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	icacls.exe
PID 1544 wrote to memory of 26188	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	icacls.exe
PID 1544 wrote to memory of 26196	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	icacls.exe
PID 1544 wrote to memory of 26196	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	icacls.exe
PID 1544 wrote to memory of 26196	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	icacls.exe
PID 1544 wrote to memory of 26196	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
"C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Local\Temp\OKIzIqFIfrep.exe
"C:\Users\Admin\AppData\Local\Temp\OKIzIqFIfrep.exe" 9 REP
2⤵
- Executes dropped EXE
PID:1688

C:\Users\Admin\AppData\Local\Temp\WffDgOMpjlan.exe
"C:\Users\Admin\AppData\Local\Temp\WffDgOMpjlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:392

C:\Users\Admin\AppData\Local\Temp\FBbBrmbdQlan.exe
"C:\Users\Admin\AppData\Local\Temp\FBbBrmbdQlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:1944

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:26188

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:26196

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html
MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\$Recycle.Bin\S-1-5-21-3846991908-3261386348-1409841751-1000\RyukReadMe.html
MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\MSOCache\All Users\RyukReadMe.html
MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab
MD5
6c432ac1c066d3a88a9be1ae4d9bbc5b

SHA1
662eca96469f7ce05ed86ff4039ebb46d63d19cf

SHA256
f001051bc8ed094e6984b637198bf385d3a2d5fdb024669000b18c46ab6fb34b

SHA512
c76baac4bdf366e00d1214a8d872f2576252e40d7da1eeebc49c2865ce2b5f7b00ec58d0531561d78c64a1499b11ef858a6d6db67da2308372eeecc2e8c0ed3f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK
MD5
7f46d4093208046941ac3f57aa807f80

SHA1
73b2b0ba258b9162ea87301c15beb69bb6840a0e

SHA256
e31c3a9b2228057b58678a691679cdd240b5e43998e0d2fde1081b96144bd115

SHA512
bf6513879f75b682d919cf7755e3c36360731d5c82e2d73b5e106e11d521917739a9e1d8358977a5ff7b1ad66be9c4cd09e7b04785085cab64c8380f200bfb8a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml
MD5
ed1448395aa7a8b0a3de40038c010c95

SHA1
ee9867ee9bd89b0eb031bf0c99ceb9bbd68b2a42

SHA256
f453e7a81af34875a67605a0ec9138b2d3eff614dc0327860a6173c2bd1846f1

SHA512
7890e7a2064f689c0f78b9435d2db7533808290e1a56b2530fd359f3c3ed6a0b0bac7d09788bd4c8b482074930a3cab4a0408426a05eaed1659943a9c8e3b964

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi
MD5
9afe9bc62c50b2db45decd9a2af05f67

SHA1
d2c07e85b10fb8a6b320e23e2c87da29de4792df

SHA256
7245935794be24f360e03e11a2c185a277e212d3b81c5c86dc83e1b6f78947f5

SHA512
10e57af6adfc702f0daa2c27322ae1acce252ce13d175ad7ae3d6e61593cd315dc7eb961cc9c831b0fdb06f1bd236ee2fc8545015bba0be7ae834a1ca8e956bb

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK
MD5
6d4714f2135663477b765f6945b7a196

SHA1
9dfff18907a124ac453468c96159558617590a8c

SHA256
7b6c99b1c3e9e48387d59785550db57e98be61bf433b909dd906699f70119d37

SHA512
af6caa9c15286367316180918feecb0ff0ebe7b0a948e0183934199c805da711509cdfd5f698274f4048c2de47a3641266b43f52baf15650c555b0cab1bcbff5

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab
MD5
d2b253645a6fca071cfebc3dd27dda01

SHA1
7696297ee9a6120cd54268581a38ca88839f1499

SHA256
b40b2d69e17d3ed5f980b40200414ddf656043b1b480eb548f2c2bbd1aa70a85

SHA512
026ec89e64446623194ac8b9aba9f156d1813a278b708b8e4a25d07e3f1a8c9ce111115298434ee0aa46a18124cf68bc4c31a307f4202cbcc993f312f316f37b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab
MD5
a7c55ac972cf585c590076be27e0a7a6

SHA1
d0c37f1973c647f293a4dc0ee7b93ba9ab8ac0e1

SHA256
4a10592f89b7d22753f9c3e2a8039aeea93b349abecdff9d50b213f301a8a321

SHA512
4becfe795e514a9b0b4e489680f9f03d8620019628e497fa8b007fbb890f35249a10aea9bfe8b2e32a228f7e05033e2525154afbffe3ef6fb677328ed2193231

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK
MD5
cbc4d2558200ae04cb9e86fb4ce9e548

SHA1
5484e331c0def86888b5d5e7b156aa019687c392

SHA256
6af13cfadb53c41bb4d391eba9b8246b7f196290b95654e03595129bf649bc0a

SHA512
9d27e1650b3b63d6d106657c8da21b840e3ca97b2a88c4f5e7d740c0c3204933145e873c500b19feddb6925020e160ca7b5e559879497552c9e9165294508a5a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK
MD5
3730dfaa6e6f4d1010a2168f3c04b244

SHA1
42eef5ce5b68f664fa03adc31761653289f5bd06

SHA256
cb9950bacde9dd03056a2adcc43737a75e5cd4d315eda6bbaf86c6517beefa50

SHA512
f8b4abae5e7feb476b0b442cafc67c4bb2511cb470000ca443a21ca56dfe739da98dfff7850ca0bb324b37864a7165fa73c58b65273a509261af1e28f66d6b90

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK
MD5
06ae9658db490865365c8c546d610f2b

SHA1
7246ace6a5790f3d9d099c4300bd639c0a8963ed

SHA256
c1d2215f2b9606feabd801d9fddb45dcb512d25434d4217aeaa9e4202695501c

SHA512
75aa654744c014f4833cf09a5a1dba2a82f10409dbe7415a47db60bd9bb945bf9981dfec6d0f3a161e140338cdea7bceca9305dc2778a115674a21f60d5342c0

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK
MD5
2452d07771d86bb532ebdc74cb49946c

SHA1
c9d9e570e8a9d232bf7df10ebe3ff38507a7d766

SHA256
b9b23436a02988494af4f57c7fdd8ad5c2414a0305ad05a71d957a4f6fb4708c

SHA512
ebd8387b0e16f7669a55c55f7bf76945afbfd5c2fdb129ed1d726dc35866b70c7ef1123feeace3cbcba79b210aa966ef5add6c83c8278ff767017d68d06e6311

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK
MD5
e4053ad64c731b0c9bf70fb7eea73457

SHA1
b6718f9b9f2ced0c8b1c759af1fb685ccf9d77e0

SHA256
f1f78009396815d600665334e11f6fe8135b6e2afab9e248a7c6ba4763a740fa

SHA512
e980d8b8058a619b44d84d1a86678f97cf7f0cdb1cfec547d30599b029de7928ea0f33cfe1af46ce05094216d6fc341cd5331b7e7f0e2280f9ddc9b57124295e

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
MD5
3d1317e5ffccadeeeddd5636edee7021

SHA1
e3f6d89e1b9bae571990a47312bff320853d7a61

SHA256
b62f10cef4f8535ed313841df42121d0c0b5026ed92ffe5a33ab340da6bd2556

SHA512
6738369f75ed85d4e75ec3d3cd90409bf4e92978cfd2733a34253f95d7cd5aa283dde9a30beb74baa79f2b6fac2f7dd908e6292763fe8a572333c8bc2aa7948f

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK
MD5
4f9fb8b21b580ad65fc8dd62f6e72e04

SHA1
a2d97bd716fd89de4d401555b3b30c5f842ada1d

SHA256
cb0a9e940214cc0bfbbf2847ff48e43c2a4f4d5f949f7956e016656cc2c45bb0

SHA512
459b9c65ebf658f442a2bca4cebc8ddfeeeb8948d7fa6221a371a49a175dc922d8b01cecb8d1f097b17098227499ea0680532d444425f0a9e807c24275cde98f

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK
MD5
f33b55235600426c5df3293b0c09fdf9

SHA1
d2ddad1a7e0006b0af69bc452b3442489a5bb20b

SHA256
5056a0bfd68560fecbbea755f8bb27aa28d4f5c6487b3aed6c1a4fd67278e08f

SHA512
0ae39094a90d554edf6bdb88bf9d2091b538052a730a833dced38715ed137fc2ae40304e65896eb5a1c971c77e307344ddb2b9f01bbca718992326cd839f96c0

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
MD5
161d393e64ee96ce7082496dc06e6160

SHA1
a88dccf4fd214453d49b2d0adf5487f0f56735b7

SHA256
b092b6279c5b12d67e3a2dff382a204f3284de36ec497c589c916c1ae7ae0a91

SHA512
915eda45b7e8aabb52ce546693664f503dffe5e5c20389c10423f875d812bc3a40a69215b87836396871b30f1d6dbf74fbd24238124a3b54c0363e89baf7ad40

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab
MD5
6f2f2b3977094bcc55128326a7582ffe

SHA1
3b944f5fd2c055a8ef8bb6ebda6c8a978b558937

SHA256
d99ec186b86d7cfb1b2ec3b8317e9a8002ed5c7d35b7b24d6a58726841d9017d

SHA512
925dd162f415c5e7513cc4b9b4c8a3dfa8ffba4647356ba9c55cb8e9eebcdcf1e413d6c5b41550dec208be58e79ea301efe42e25aa87df5dc2517804cb127cb5

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK
MD5
519563524371a040cc2c0956d847a4c7

SHA1
087c09bc65822b4308ed9d46ffc79008dc7b3497

SHA256
607b7cc3d09b6c5d92240bc33c582d37426ebb06ee03a7ed09ed1f55f9d3c726

SHA512
10d34c94e614378c9ed09877cc930a0b45b61a881fcdbec50eeb30e7c3c64b28f2e53180df5c5d97076aa89a12aeb772cea3d00061b01027785be6d5db5ba8f2

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK
MD5
d575603f5688fc18edcd38166f53b024

SHA1
b23025cdb710fd3d1311e563fb89083fced2418c

SHA256
9966624a96d9efbbd7126806012c5fedc95b07758c43fb3fad0fa1dfd98b1ed2

SHA512
92a97d3c25704893b42c18879855f195bb40252b12748855ab6df1f35cb77b7c643fe6cc496d7f0ceed8a01a88d997f43f432b8dd4bc56c92348fa0c568ce407

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
MD5
b583fcb6ce03b70885438dd4360429ac

SHA1
312dc428058a72bd978669ccb0754f6c1f6c110d

SHA256
8ccec1d1c459d46e59b1da227897f35a65adc8b387c89191fbe5e3c1c2c7fe78

SHA512
0ec0268dd43e3fc11751f293a3d1c819c5c90b746a998bc7772229fd727776b44ea120fd8a9ababc646e994fb8f0104f3fd9921a53c85f1e671dbda2853fc2ea

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK
MD5
2e66a0c34068f7922bf33bdc4da58f3d

SHA1
6e9a52515929b6ea56af6a1f4609d138317af9fe

SHA256
27f0c5d48623b111a3a07bfd5e0b24e05267691c84c55cf0ea4a1e01d0d16ce4

SHA512
c4d2c262a7c68066eb7127afa3bcc1fd279d610bb0b5b1af7939e1919957115aeb2cf2d742e7da858ab5252f42f41f8ad3efb8adfe58dbed25f2a551f2511b50

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml
MD5
8e826f6def5231f89aeb53de72f703ca

SHA1
60858bb4794a2750780ed16bbd57fd8ee358cad7

SHA256
4a8e01cb2eb6d93ed3ef8a4940e285ed61ec3a27fbedbfad9a234971ebbac8bc

SHA512
fd2f5782ea99c0061e4358fa182bbeaa223a2c73added451c846906c9c6edc943429be21047ef1328dc94e1f5a981c7d656e6392572f900a0e6251cd7416b9b0

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
MD5
2eac3c51723fbe0a1e4d89694ba71371

SHA1
d843575dc85ff2d99b55cffdac90324b01d8cfdb

SHA256
11b6de4b3544b41776ce1aeae611b8b9bc5d391f7dc23ae87be4cbb752603801

SHA512
8ab7a274fb546ef894a8c320fc9c309e1fe616c951cc34c6bd9cd52a1ee5de7fc8420d67b0685204914f5cb2e3d20ee53a3a648046472ff923e1ef57f403d214

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi
MD5
c20473a34596645813cf172cb4e33427

SHA1
0d55e197e8f8ba311d60194c908a8d2218a82f34

SHA256
9af3acb3307937d9ea77a0e8f6ebaf399844f0131677bb66f7c819389e9aa38a

SHA512
0675ac95849f5cd6e79a12891cc0aac6722e214d3fe4f7eb447ef8efdb9162075baeb092b00b6a34e475950167c09164ba8327c3a1fc952c6b23a329aeee5d13

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK
MD5
02cb68a7514c4b559bb55ec8b90144fe

SHA1
afc66765ccccea70fb5b87dd032cd7ca394590d5

SHA256
d607092a63ded78b645cf974a949fd0693f51b82db4bb2e2bbedb9b3d208e37e

SHA512
b9b54040d39583762fbecb99c72b619ce5f354ec9ce59982175c325cead9a77ca50b45d5aabca544f11995cc0e4c1be3215a8f45e2d01e95957a34044b0fff93

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html
MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.html
MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.html
MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\RyukReadMe.html
MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\RyukReadMe.html
MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\RyukReadMe.html
MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\MSOCache\RyukReadMe.html
MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\PerfLogs\RyukReadMe.html
MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\RyukReadMe.html
MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBbBrmbdQlan.exe
MD5
045eb328ff30b09cebd6fe3c031db7bc

SHA1
b28cd818c54d7a4f5416728a8f8408e6c9c40bc2

SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

SHA512
6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBbBrmbdQlan.exe
MD5
045eb328ff30b09cebd6fe3c031db7bc

SHA1
b28cd818c54d7a4f5416728a8f8408e6c9c40bc2

SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

SHA512
6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OKIzIqFIfrep.exe
MD5
045eb328ff30b09cebd6fe3c031db7bc

SHA1
b28cd818c54d7a4f5416728a8f8408e6c9c40bc2

SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

SHA512
6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OKIzIqFIfrep.exe
MD5
045eb328ff30b09cebd6fe3c031db7bc

SHA1
b28cd818c54d7a4f5416728a8f8408e6c9c40bc2

SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

SHA512
6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\WffDgOMpjlan.exe
MD5
045eb328ff30b09cebd6fe3c031db7bc

SHA1
b28cd818c54d7a4f5416728a8f8408e6c9c40bc2

SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

SHA512
6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WffDgOMpjlan.exe
MD5
045eb328ff30b09cebd6fe3c031db7bc

SHA1
b28cd818c54d7a4f5416728a8f8408e6c9c40bc2

SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

SHA512
6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Download Submit
C:\Users\RyukReadMe.html
MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
C:\users\Public\RyukReadMe.html
MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit
\Users\Admin\AppData\Local\Temp\FBbBrmbdQlan.exe
MD5
045eb328ff30b09cebd6fe3c031db7bc

SHA1
b28cd818c54d7a4f5416728a8f8408e6c9c40bc2

SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

SHA512
6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Download Submit
\Users\Admin\AppData\Local\Temp\FBbBrmbdQlan.exe
MD5
045eb328ff30b09cebd6fe3c031db7bc

SHA1
b28cd818c54d7a4f5416728a8f8408e6c9c40bc2

SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

SHA512
6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Download Submit
\Users\Admin\AppData\Local\Temp\OKIzIqFIfrep.exe
MD5
045eb328ff30b09cebd6fe3c031db7bc

SHA1
b28cd818c54d7a4f5416728a8f8408e6c9c40bc2

SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

SHA512
6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Download Submit
\Users\Admin\AppData\Local\Temp\OKIzIqFIfrep.exe
MD5
045eb328ff30b09cebd6fe3c031db7bc

SHA1
b28cd818c54d7a4f5416728a8f8408e6c9c40bc2

SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

SHA512
6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Download Submit
\Users\Admin\AppData\Local\Temp\WffDgOMpjlan.exe
MD5
045eb328ff30b09cebd6fe3c031db7bc

SHA1
b28cd818c54d7a4f5416728a8f8408e6c9c40bc2

SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

SHA512
6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Download Submit
\Users\Admin\AppData\Local\Temp\WffDgOMpjlan.exe
MD5
045eb328ff30b09cebd6fe3c031db7bc

SHA1
b28cd818c54d7a4f5416728a8f8408e6c9c40bc2

SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

SHA512
6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Download Submit
memory/1544-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1544-98-0x000000000BAD0000-0x000000000C58A000-memory.dmp

Filesize
10.7MB

Download